Store Secrets in Repositories (Safely), and Deploy Them With Terraform
Store sensitive values even in public repositories
The title sounds promising, right?
Storing secrets in repositories is challenging, and it should be, mostly because secret values are the most sensitive material in any organization. You are managing the keys to the kingdom, and they should be treated with the importance they deserve.
Like Peter’s uncle used to say:
With great power comes great responsibility
I assume most people have seen the Spider-Man movie, but for those who have not, don’t worry, here is the scene.
What the hell is SOPS?
SOPS is a tool developed and maintained by Mozilla. It lets you encrypt JSON and YAML files using different types of keys, such as AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.
The tool was designed with simplicity in mind, and it comes with a CLI that you can use to encrypt and decrypt files.

As you can see in the example above, SOPS encrypts only the values of the YAML/JSON file; the keys remain in plaintext. If you run sops example.yaml, it opens the text editor configured in your environment with a default YAML template. You can modify it, and when you save the file, the tool writes out the file with the values encrypted, together with the metadata SOPS needs to decrypt it later.
SOPS configuration
As I’ve mentioned, you need to provide a key to encrypt the values. The tool’s configuration file is called .sops.yaml, and you can store it in the repository as well.
In the example below, I’m using a KMS key to encrypt all files created under the secrets/ directory. You can have more than one creation_rules entry, each with a different encryption key.
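As an added illustration (my own file, not the author’s), here is a .sops.yaml that matches the description above: one rule for secrets/ and a second rule with a different key, each encrypting only the keys that hold sensitive values. The KMS ARNs are placeholders, and the directory names are assumed.

```yaml
# .sops.yaml (added example; ARNs and paths are placeholders)
creation_rules:
  # Every YAML file under secrets/ is encrypted with the first KMS key.
  - path_regex: ^secrets/.*\.ya?ml$
    kms: arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000
    # Only these top-level keys are encrypted; other keys stay readable
    # so reviewers can still see structure in the repository.
    encrypted_regex: ^(password|token|api_key|private_key)$

  # Files under secrets-prod/ use a separate key, so access to the
  # non-production key does not unlock production values.
  - path_regex: ^secrets-prod/.*\.ya?ml$
    kms: arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111
    encrypted_regex: ^(password|token|api_key|private_key)$
```

Rules are matched top to bottom against the path of the file being created, so the more specific directory should come first when patterns overlap.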
When you execute SOPS, it’ll look for the configuration file to encrypt secrets. For the decryption, it doesn’t need it, because SOPS stores metadata in the…