From b88933d38daf54714611c2d849236049092ad5d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Sun, 15 May 2022 16:49:04 +0200
Subject: [PATCH] move more secrets to sops and closer to terraform

---
 .sops.yaml                   |   7 ++++++
 secrets/cloudflare-api-token | Bin 63 -> 0 bytes
 secrets/hydra-password       | Bin 48 -> 0 bytes
 secrets/terraformrc          | Bin 160 -> 0 bytes
 shell.nix                    |   9 -------
 terraform/.envrc             |   5 ++++
 terraform/secrets.yaml       |  47 +++++++++++++++++++++++++++++++++++
 7 files changed, 59 insertions(+), 9 deletions(-)
 delete mode 100644 secrets/cloudflare-api-token
 delete mode 100644 secrets/hydra-password
 delete mode 100644 secrets/terraformrc
 create mode 100644 terraform/.envrc
 create mode 100644 terraform/secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
index 0622b71..142169d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -9,6 +9,13 @@ keys:
 # scan new hosts like this:
 # $ nix-shell -p ssh-to-age --run 'ssh-keyscan buildXX.nix-community.org | ssh-to-age'
 creation_rules:
+  - path_regex: terraform/secrets.yaml$
+    key_groups:
+    - age:
+      - *mic92
+      - *ryantm
+      pgp:
+      - *zimbatm
   - path_regex: build01/[^/]+\.yaml$
     key_groups:
     - age:
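Review bot: The new `path_regex: terraform/secrets.yaml$` on the first added line is anchored only at the end and leaves the `.` unescaped, so it also matches paths such as `foo/terraform/secrets.yaml` or `terraform/secretsXyaml`; since sops applies the first rule whose regex matches, a later file with such a path would silently be encrypted for this rule's recipients instead of the rule intended for it. Tightening it to `path_regex: ^terraform/secrets\.yaml$` keeps the match to the one file this commit adds, in the same style a reader would expect next to the existing `build01/[^/]+\.yaml$` rule. The aliases `*mic92`, `*ryantm` and `*zimbatm` presumably resolve to anchors in the `keys:` section above the hunk, which is not visible here; a one-line comment above the rule stating why this file needs exactly these three recipients (e.g. `# terraform state secrets: only the people who run terraform apply`) would document the trust boundary the rule encodes.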
diff --git a/secrets/cloudflare-api-token b/secrets/cloudflare-api-token
deleted file mode 100644
index 08e732f4bc0e26910e3d9bbb0451b7600fc47427..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 63
zcmV-F0KoqMM@dveQdv+`02TBB<2O9<cA^8DM@Q|Eb*L35n&1~jb(Z>;NCx2iCHiu8
V_9URcAwH*>*>8M}KqXD(%+o;l9U}k$

diff --git a/secrets/hydra-password b/secrets/hydra-password
deleted file mode 100644
index affd737ff22cfff9e11c8a5fba96fe43cc39cad6..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 48
zcmV-00MGvbM@dveQdv+`0NG*B^K%+9Y5SA(m#<YP7im;#Rl84RlZeu#Zr(AEODI><
G=&3314i(k_

diff --git a/secrets/terraformrc b/secrets/terraformrc
deleted file mode 100644
index 42216ea0ede61b3188c8cc6ca26a79a4025860c1..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 160
zcmV;R0AK$AM@dveQdv+`0B8t<?d`mO^=wzyosTaQv6@{2bhgb??qqw;g^mbLDf*ME
zr0$k-!dj~&$-l(8!ck@QL+%EY%~EacIRM;?hKb+==basS%4>sg#L*f5)4ky0Kwa=T
zkdC4vz~_%AbRJ=A1Coa|{D(fvk6(WD(TtOXry-@19CT;kzYY>QiyGxBA_rhE$|GSE
O3qPBTmqPKwnIQ-;TTXTW

diff --git a/shell.nix b/shell.nix
index 9fb2ee2..f7f05d4 100644
--- a/shell.nix
+++ b/shell.nix
@@ -25,13 +25,4 @@ mkShell {
 
     sops-import-keys-hook
   ];
-
-  # terraform cloud without the remote execution part
-  TF_FORCE_LOCAL_BACKEND = "1";
-  TF_CLI_CONFIG_FILE = toString ./secrets/terraformrc;
-
-  shellHook = ''
-    export CLOUDFLARE_API_TOKEN=$(< ./secrets/cloudflare-api-token)
-    export HYDRA_PASSWORD=$(< ./secrets/hydra-password)
-  '';
 }
diff --git a/terraform/.envrc b/terraform/.envrc
new file mode 100644
index 0000000..074a87c
--- /dev/null
+++ b/terraform/.envrc
@@ -0,0 +1,5 @@
+source_up
+
+# terraform cloud without the remote execution part
+export TF_FORCE_LOCAL_BACKEND="1";
+eval "$("$direnv" dotenv bash <(sops -d --output-type dotenv secrets.yaml))"
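Review bot: A failed decryption on the last line is silently ignored: the exit status of `sops -d` inside the process substitution and of `"$direnv" dotenv` inside the command substitution never reach the enclosing shell, so when the caller lacks a matching age/PGP key the eval runs on empty output and direnv loads the directory without CLOUDFLARE_API_TOKEN, HYDRA_PASSWORD or TF_TOKEN_app_terraform_io, which only shows up later as an authentication failure far from its cause. Capturing the decrypted dotenv text in a variable and failing before evaluating it makes the missing key visible at `direnv allow` time, as sketched below. Unrelated, the trailing `;` on `export TF_FORCE_LOCAL_BACKEND="1";` is a stray statement terminator and can be dropped. Because these values are exported as plain environment variables to every process started from this directory, a comment such as `# decrypted secrets become env vars of every child process of this shell` would make that consequence explicit to the next person editing the file.
```shell
# … unchanged: source_up and TF_FORCE_LOCAL_BACKEND …
if ! secrets_dotenv="$(sops -d --output-type dotenv secrets.yaml)"; then
  echo "terraform/.envrc: could not decrypt secrets.yaml (is your age/PGP key available?)" >&2
  exit 1
fi
eval "$("$direnv" dotenv bash <<<"$secrets_dotenv")"
unset secrets_dotenv
```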
diff --git a/terraform/secrets.yaml b/terraform/secrets.yaml
new file mode 100644
index 0000000..97a8fc5
--- /dev/null
+++ b/terraform/secrets.yaml
@@ -0,0 +1,47 @@
+CLOUDFLARE_API_TOKEN: ENC[AES256_GCM,data:YDe1kQGBXn1DxIAInQkZociCuZhfVMQq7KaUeI4bkZDQhXlc38E67A==,iv:z/7VchAdz6zFMOmf67801V+yAU7vk4MyITVpvzIH4U8=,tag:krlU7ogI3E7UYxKdBuLO9w==,type:str]
+HYDRA_PASSWORD: ENC[AES256_GCM,data:7o8RuTWxYY7HNbMDgl9ur0j+ehI1bf0JSA==,iv:oZ6iHGGL4xbCC54kQ+mjpYYrm3Kn2PAlhDOyX8K6VCY=,tag:hXSlJSgjQymbsriHBiMy4w==,type:str]
+TF_TOKEN_app_terraform_io: ENC[AES256_GCM,data:htOyHZEIKxwPHzgpao+m3YIhLBM6ihZdq54YVlIw9bNHup7qrwgjJbT4nX6SIrFQvGQmqbVvhoFN6+UYyfcPlOWfdiIMUgZfa2F4zMceIsArNAcXMtv7Efzy,iv:RmDIHFfPJ5hHNDwvjdb7vxTnpE6JIlbLmbFzfGo+YAc=,tag:gzFY4HOGmuT5BrrFhzBtxw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5blVRbEU4YXNtaWRZM0ll
+            YWNacFNCZ0xUdGRzY05LaTllTnd1WWN3YVVNCmw0L09uclI3QUxiNmFBZnlEUnZs
+            VnRFWnFNRmd4UTNlWnh4QmtDWU1LZG8KLS0tIG8zQ0lFK2dHTHBhRVBibloxKzZS
+            OHZHaWY2WnZrU3Z2eUVlOVZWWTRqclUKvCRIA85XJ72u6Q+yc8mcloBPj1lIbri0
+            kXQH/X1rvwaKNhSzNzoUH64PlNQdjelgcl2eUrlDiqfvnXcVLTyfQg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqU3hNODVQMnJ4d0JDeEpQ
+            Qk1nMHd2M2IvQmplNDRnZy84VHZSb1hFV2hFCm8xRTlBRUlhMEllWUhZNHh3aVVH
+            d1BpZFFSN3BDWEVSeDE1Rk01cnVtZTgKLS0tIEF4ajVVbG1xalBqRmt2cTVRZVhJ
+            cDhJajhSUWNHcXhqMW1Gcnp5c2tlS2sKsoavYL6DTdjGHg74uPow54PdY/F2rROc
+            aEtMsirY3CgbsroyjWfaHd+LszUOrY2jaN7UcNiqE1cJo6pJLyXa9g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-05-15T15:01:13Z"
+    mac: ENC[AES256_GCM,data:R0A/XaigE7nSDfthabJ6TCUTxI28qeopF4GiAuwA21bgIFcEVWfR76w02alMYIp0gjWjL87KlNk+XiijeM054pDESMGGtbdVaYiQL0nqB8jH6Z8rreVt8pqnzC7I90EP0bWjQUPflCsDgMKrSOGdaLJRHGAOHnMLy8pvwaE+OXc=,iv:5Nr1OAHoTrbrQgXNg+4rVGQDdIsyGxc74TlYjsVPEBw=,tag:3LIWD8IGPY9dCdIk9BLZQg==,type:str]
+    pgp:
+        - created_at: "2022-05-15T14:38:07Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA3tEuTsG48KkAQf/eIw45c+1Y0hRehsO/irm0zHcEtN+VFb1/n7yORw/cgl6
+            PByxkbHLtrKxOeMwAWS80DW+xPdigqDdZz7v+VPivDZJfBnvH9BVEgtljPd3JtR4
+            3b/IKgKvFQ9rSDpwAcfJJYP8zlWR7wIcpw/Eu+nt08/94guvsDzda7OUUo+5G2Fj
+            IyaLejv0bXJm4Kz48zk9dsLIGLJwOok/eyHsisTSmfKBuLC/axVEgIJqyRxte3LI
+            OqKo3HMqUqdVZ1Fcarr2A8WtCtHT5hEoxDh00uGULa7OQuAYerYoKFvet1C7BrLq
+            ioPAgI2F5Ggt3c60femP0eIENzPXQLarYh0ZPmwOudJeAQiLRC4xvCvVGnH/KO/k
+            cViuRUDKHrn3vyDzumAcdFHw8civlceSuln4LI/TCM7LkfQ4JFXLl6SpznUpUDC8
+            6iHtN1hg7DVefCJT4qj64o2qwtXIZ1JB7Y+ch4l7IA==
+            =kUzQ
+            -----END PGP MESSAGE-----
+          fp: 260353B993F8CE16752EF48C71BAF6D40C1D63D7
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3