Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SOPS support #592

Open
kevcube opened this issue Apr 30, 2024 · 4 comments
Open

SOPS support #592

kevcube opened this issue Apr 30, 2024 · 4 comments

Comments

@kevcube
Copy link
Contributor

kevcube commented Apr 30, 2024

Describe the Feature

It would be great if Atmos had some interface for retrieving secrets from SOPS to be passed into terraform configuration.

Because we do our terraform configuration in Atmos' YAML, our TF configuration remains the same across environments/deployments. This is usually a good thing, but when something like a secret would change across environments, now we either need our terraform configuration to have some dynamic portion where it will grab the correct secret, or we would need to put the secret in raw YAML which isn't gonna happen.

I'm not sure about the extensibility of YAML

Expected Behavior

Some function in Atmos YAML to decode a SOPS secret from a given path.

Or some function in Atmos to read our SOPS files based on which stack/environment we are currently in and make those secrets available to reference in the YAML somehow.

Use Case

Secrets management can be better integrated with Atmos.

Describe Ideal Solution

See expected behavior

Alternatives Considered

No response

Additional Context

Terraform has a SOPS provider that we can use to do this work in our modules, and Terragrunt has native SOPS functions that can be used to do this in orchestration. Their implementation can be a reference.
@osterman
Copy link
Member

We've recently extended atmos to support all types of datasources, although most are from gomplate. Unfortunately gomplate doesn't provide native SOPS.

It's a really interesting idea if stack configs could reference a datasource for SOPS encrypted secrets, guarded by cloud-specific keys like KMS.

See how we configure data sources today: https://atmos.tools/cli/configuration#templates

All we would need to do is add a datasource for a sops-encrypted file, then we could support key/value lookups using all the normal mechanisms.

https://github.com/getsops/sops

@Gowiem Gowiem mentioned this issue May 8, 2024
Open
@Gowiem
Copy link
Member

Gowiem commented May 8, 2024

Love this idea -- Good issue @kevcube as this would definitely help us since we love SOPS so much.

@osterman is it possible to create datasources that are just for atmos? Or do they need to come from the upstream gomplate project?

@osterman
Copy link
Member

osterman commented May 8, 2024

We can include them simply in the Atmos core, without requiring them in the upstream dependencies. Also, if any of your team would be interested in getting more involved hands-on, let me know and we can coordinate.

@zadm
Copy link

zadm commented May 26, 2024

This will be a very interesting feature to add to atmos

Currently, I am using terragrunt which has a natif support if sops datasource and this block me to move into atmos

@osterman osterman mentioned this issue Nov 10, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@osterman @kevcube @Gowiem @zadm