rudimentary support for secrets

schollii · Mar 26, 2021 · 7bc5c3b · 7bc5c3b
1 parent 324efda
commit 7bc5c3b
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/main.tf b/main.tf
@@ -111,3 +111,17 @@ resource "local_file" "config_roots_no_tmpl_found" {
     config_roots_no_override_tmpl  = keys(local.config_roots_no_tmpl_overrides)
   })
 }
+
+resource "null_resource" "sops_encrypt_secrets" {
+  for_each = {for k,v in local.all_tmpl_files: k => v if length(regexall(var.encrypt_fileset_re, v)) > 0}
+  depends_on = [local_file.config_values]
+
+  triggers = {
+    # Only re-encrypt if the content has changed since last
+    environment_infra_yaml_updated = local_file.config_values[each.key].id
+  }
+
+  provisioner "local-exec" {
+    command = "${var.encrypt_command} ${each.value}"
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -60,6 +60,18 @@ variable "output_config_roots_no_tmpl_found" {
   default     = false
 }
 
+variable "encrypt_fileset_re" {
+  type = string
+  description = "Regular expression to identify rendered files which need to be encrypted"
+  default = "/secrets-*.yaml$"
+}
+
+variable "encrypt_command" {
+  type = string
+  description = "Command to encrypt a rendered file (the file will be appended as last arg)"
+  default = "sops -e -i"
+}
+
 variable "save_config_roots_no_tmpl_found" {
   type        = bool
   description = "If true, will create file in path.root, containing config_roots that did not have any filesets"