terraform-sops

A Terraform plugin for using files encrypted with Mozilla sops.

NOTE: To prevent plaintext secrets from being written to disk, you must set up a secure remote state backend. See the official docs on Sensitive Data in State for more information.

Example

NOTE: All examples assume Terraform 0.13 or newer. For information about usage on older versions, see the legacy usage docs.

Encrypt a file using Sops: sops demo-secret.enc.json

{
  "password": "foo",
  "db": {"password": "bar"}
}

sops_file

terraform {
  required_providers {
    sops = {
      source = "carlpett/sops"
      version = "~> 0.5"
    }
  }
}

data "sops_file" "demo-secret" {
  source_file = "demo-secret.enc.json"
}

output "root-value-password" {
  # Access the password variable from the map
  value = data.sops_file.demo-secret.data["password"]
}

output "mapped-nested-value" {
  # Access the password variable that is under db via the terraform map of data
  value = data.sops_file.demo-secret.data["db.password"]
}

output "nested-json-value" {
  # Access the password variable that is under db via the terraform object
  value = jsondecode(data.sops_file.demo-secret.raw).db.password
}

Sops also supports encrypting the entire file when in other formats. Such files can also be used by specifying input_type = "raw":

data "sops_file" "some-file" {
  source_file = "secret-data.txt"
  input_type = "raw"
}

output "do-something" {
  value = data.sops_file.some-file.raw
}

sops_external

For use with reading files that might not be local.

input_type is required with this data source.

terraform {
  required_providers {
    sops = {
      source = "carlpett/sops"
      version = "~> 0.5"
    }
  }
}

# using sops/test-fixtures/basic.yaml as an example
data "local_file" "yaml" {
  filename = "basic.yaml"
}

data "sops_external" "demo-secret" {
  source     = data.local_file.yaml.content
  input_type = "yaml"
}

output "root-value-hello" {
  value = data.sops_external.demo-secret.data.hello
}

output "nested-yaml-value" {
  # Access the password variable that is under db via the terraform object
  value = yamldecode(data.sops_file.demo-secret.raw).db.password
}

Install

For Terraform 0.13 and later, specify the source and version in a required_providers block:

terraform {
  required_providers {
    sops = {
      source = "carlpett/sops"
      version = "~> 0.5"
    }
  }
}

CI usage

For CI, the same variables or context that SOPS uses locally must be provided in the runtime. The provider does not manage the required values.

Development

Building and testing is most easily performed with make build and make test respectively.

The PGP key used for encrypting the test cases is found in test/testing-key.pgp. You can import it with gpg --import test/testing-key.pgp.

Transitioning to Terraform 0.13 provider required blocks.

With Terraform 0.13, providers are available/downloaded via the terraform registry via a required_providers block.

terraform {
  required_providers {
    sops = {
      source = "carlpett/sops"
      version = "~> 0.5"
    }
  }
}

A prerequisite when converting is that you must remove the data source block from the previous SOPS provider in your terraform.state file. This can be done via:

terraform state replace-provider registry.terraform.io/-/sops registry.terraform.io/carlpett/sops

If not you will be greeted with:

- Finding latest version of -/sops...

Error: Failed to query available provider packages

Could not retrieve the list of available versions for provider -/sops:
provider registry registry.terraform.io does not have a provider named
registry.terraform.io/-/sops