This example demonstrates how to use Terraform's external data provider to automatically encrypt and save sops secrets files.
This implementation makes every effort to avoid exposing secrets on stdout or writing unencrypted data to temporary files on disk.
The example includes:
- gen-sops.sh script (generates and returns sops-encrypted file contents to terraform)
- test_gen-sops.sh script, which provides an easy way to continuously test your script
- terraform example implementation (
- marks sensitive data (vars) as
- avoids exposing secrets in stdout or log output (in tf + in the shell script)
- avoids writing unencrypted data to any temporary filesystem locations
- writes the sops file to disk using the
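As an added illustration (not the project's own gen-sops.sh), here is a minimal external-program script that follows the protocol the external data provider uses: Terraform passes the `query` map as a JSON object on stdin and reads a JSON object of strings from stdout. It assumes `jq` and `sops` are on PATH, that sops keys are configured through its usual config/environment, and that sops accepts `/dev/stdin` as its input path; the query keys `plaintext` and `format` and the result key `content` are illustrative names, and the calling Terraform `data "external"` block is not shown.

```shell
#!/usr/bin/env bash
# Added example: an external data source script that returns sops-encrypted content.
# Plaintext arrives in the query on stdin, is piped straight into sops, and only the
# ciphertext is written to stdout. Nothing is logged and no temporary file is used.
set -eu

# Escape a value as the body of a JSON string (backslash, double quote, newline).
# Constructed with sed/awk only so it has no dependencies beyond POSIX tools.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
    | awk '{ printf "%s%s", (NR > 1 ? "\\n" : ""), $0 }'
}

# Emit the {"content":"..."} object Terraform reads from the program's stdout.
emit_result() {
  printf '{"content":"%s"}\n' "$(json_escape "$1")"
}

# Report errors on stderr only, never echoing the query or the plaintext.
die() { printf 'gen-sops.sh: %s\n' "$1" >&2; exit 1; }

main() {
  command -v jq   >/dev/null 2>&1 || die "jq is required"
  command -v sops >/dev/null 2>&1 || die "sops is required"

  # Read the query once into memory (not onto disk); "plaintext" and "format"
  # are assumed query keys set by the calling Terraform configuration.
  query=$(cat)
  plaintext=$(printf '%s' "$query" | jq -er '.plaintext') || die "query.plaintext missing"
  format=$(printf '%s' "$query" | jq -r '.format // "yaml"')

  # Encrypt stdin -> stdout so the unencrypted data never touches the filesystem
  # (assumption: this sops version accepts /dev/stdin with an explicit --input-type).
  encrypted=$(printf '%s' "$plaintext" \
    | sops --encrypt --input-type "$format" --output-type "$format" /dev/stdin) \
    || die "sops encryption failed"

  emit_result "$encrypted"
}

# Run main only when executed as gen-sops.sh, so a test harness can source the
# functions above (as the page's test_gen-sops.sh approach suggests) without
# needing jq or sops installed.
if [ "${0##*/}" = "gen-sops.sh" ]; then main "$@"; fi
```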