This example demonstrates how to use Terraform's `external` data provider to automatically encrypt and save sops secrets files. The implementation makes every effort to avoid exposing secrets in stdout or writing unencrypted data to temporary files on disk.

The example includes:

- `gen-sops.sh`: script that generates sops-encrypted file contents and returns them to Terraform
- `test_gen-sops.sh`: script that provides an easy way to continuously test `gen-sops.sh`
- Terraform example implementation (`vars.tf`, `sops_secrets.tf`)

Best practices:

- marks sensitive data (vars) as `sensitive`
- avoids exposing secrets in stdout or log output (in the Terraform config and in the shell script)
- avoids writing unencrypted data to any temporary filesystem locations
- writes the sops file to disk using the `local_sensitive_file` Terraform resource
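The Terraform side of the approach described above, as an added example that is not the page's own `vars.tf`/`sops_secrets.tf`: `gen-sops.sh` is the page's script, while the variable names, the age recipient key type, the `content` result key and the output path are assumptions.

```hcl
# vars.tf (constructed example; variable names are assumptions)
variable "db_password" {
  description = "Plaintext secret that must never appear in plan/apply output"
  type        = string
  sensitive   = true # redacted in CLI output and plan diffs
}

variable "sops_age_recipient" {
  description = "age public key sops encrypts to (assumed; sops also supports KMS, PGP, ...)"
  type        = string
}

# sops_secrets.tf (constructed example)
data "external" "sops_secrets" {
  # gen-sops.sh receives the query below as one JSON object on stdin and must
  # print exactly one JSON object of string values on stdout. Only ciphertext
  # should come back; plaintext never passes via argv or a temporary file.
  program = ["bash", "${path.module}/gen-sops.sh"]

  query = {
    age_recipient = var.sops_age_recipient
    db_password   = var.db_password # sensitivity propagates to the query
  }
}

resource "local_sensitive_file" "sops_file" {
  # local_sensitive_file keeps `content` out of plan diffs and logs (local_file
  # does not) and defaults to owner-only permissions.
  filename        = "${path.module}/secrets.enc.yaml"
  content         = data.external.sops_secrets.result["content"] # assumed key name
  file_permission = "0600"
}

# Expose only the encrypted file's path, never the result map itself.
output "sops_file_path" {
  value = local_sensitive_file.sops_file.filename
}
```

`sensitive = true` only redacts CLI and log output; the values a data source or resource references are still recorded in the state file, so the state backend must be protected (encryption at rest, restricted access) as part of this design.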