Skip to content

Latest commit

 

History

History
162 lines (124 loc) · 4.19 KB

SOPS.md

File metadata and controls

162 lines (124 loc) · 4.19 KB

Encrypting sensitive information in Terraform state files with SOPS is a great way to add a layer of security, especially when storing the state in a local Git repository. Below are steps to integrate SOPS into your Terraform workflow.

What is SOPS?

SOPS is a tool for encrypting and decrypting files. It supports encryption with:

  • GPG
  • AWS KMS
  • Azure Key Vault
  • Google Cloud KMS

SOPS allows partial encryption of files, making it a powerful tool for protecting sensitive information like Terraform state files.

Steps to Encrypt Terraform State with SOPS

1. Install SOPS

Install SOPS on your system using the package manager of your choice:

  • Linux: 
    sudo apt-get install sops
  • macOS: 
    brew install sops
  • Windows: Use the precompiled binaries available on the SOPS GitHub releases page.

2. Configure SOPS Encryption Keys

Choose a key management system to handle encryption/decryption keys:

Option 1: GPG (Recommended for Local Use)
  • Generate a GPG key: 
    gpg --full-generate-key
  • List your GPG keys: 
    gpg --list-keys
  • Note the GPG key ID (e.g., ABC12345).
Option 2: Cloud KMS (For Team Use)
  • Use Azure Key Vault, AWS KMS, or Google Cloud KMS to store encryption keys.
  • Set up appropriate IAM permissions for SOPS to access these keys.

3. Encrypt the Terraform State File

Navigate to the directory containing your Terraform state file and encrypt it using SOPS.

Example Command:
sops --encrypt --gpg <YOUR-GPG-KEY-ID> terraform.tfstate > terraform.tfstate.enc
  • terraform.tfstate: The unencrypted state file.
  • terraform.tfstate.enc: The encrypted version of the state file.

The original file (terraform.tfstate) can now be removed:

rm terraform.tfstate

4. Decrypt the State File When Needed

When running Terraform commands, decrypt the state file to a temporary location.

Example Command:
sops --decrypt terraform.tfstate.enc > terraform.tfstate

Run Terraform commands (e.g., terraform apply), and then securely delete the unencrypted file:

rm terraform.tfstate

5. Automate Encryption/Decryption in Workflow

To simplify your workflow, use a script or Makefile to handle encryption and decryption. Here's an example script:

terraform-wrapper.sh
#!/bin/bash

STATE_FILE="terraform.tfstate"
ENCRYPTED_FILE="terraform.tfstate.enc"

if [ "$1" == "apply" ] || [ "$1" == "plan" ]; then
  echo "Decrypting state file..."
  sops --decrypt $ENCRYPTED_FILE > $STATE_FILE
fi

terraform "$@"

if [ "$1" == "apply" ]; then
  echo "Encrypting state file..."
  sops --encrypt --in-place $STATE_FILE
  mv $STATE_FILE $ENCRYPTED_FILE
fi

Make it executable:

chmod +x terraform-wrapper.sh

Run Terraform commands using this wrapper:

./terraform-wrapper.sh apply

6. Update .gitignore

Ensure unencrypted state files are ignored by Git:

# Ignore unencrypted state files
*.tfstate
*.tfstate.backup

Best Practices

  1. Use Secure Key Management:

    • For teams, prefer cloud KMS solutions (e.g., Azure Key Vault, AWS KMS) over GPG for better scalability and key rotation.

  2. Automate Encryption/Decryption:

    • Use pre-commit hooks or CI/CD pipelines to enforce encryption before committing state files.

  3. Restrict Access to Keys:

    • Ensure only authorized users can access the encryption keys.

  4. Version Control Encrypted Files:

    • Only the encrypted state file (terraform.tfstate.enc) should be added to Git.

Example Workflow with SOPS and Git

  1. Encrypt the state file: 
    sops --encrypt --gpg <YOUR-GPG-KEY-ID> terraform.tfstate > terraform.tfstate.enc
  2. Add the encrypted file to Git: 
    git add terraform.tfstate.enc
git commit -m "Add encrypted state file"
  3. Decrypt when needed: 
    sops --decrypt terraform.tfstate.enc > terraform.tfstate

Using SOPS ensures your sensitive data is secure, even if the repository is accidentally exposed.