From b095e459b8e4e75bdfdd16e7f624a94f165eef9d Mon Sep 17 00:00:00 2001
From: Karl Egly
Date: Thu, 3 Jun 2021 21:23:09 +0000
Subject: [PATCH] Add encryption at rest of terraform plan cache with age

This is part two of https://gitlab.com/gitlab-org/terraform-images/-/merge_requests/67
---
 doc/user/infrastructure/index.md | 4 ++++
 lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/doc/user/infrastructure/index.md b/doc/user/infrastructure/index.md
index 0dc8c58c8f6372..0ce49b4dc36e55 100644
--- a/doc/user/infrastructure/index.md
+++ b/doc/user/infrastructure/index.md
@@ -74,6 +74,10 @@ Neither Terraform nor GitLab encrypts the plan file by default. If your Terrafor
 includes sensitive data such as passwords, access tokens, or certificates, GitLab
 strongly recommends encrypting plan output or modifying the project visibility settings.
 
+You can enable encryption with age by running age-keygen, setting
+TF_PLAN_RECIPIENTS to the public key and TF_PLAN_IDENTITY to the private
+key (mask and protect it!).
+
 ## Terraform module registry
 
 GitLab can be used as a [Terraform module registry](../packages/terraform_module_registry/index.md)
diff --git a/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml
index 200388a274c605..380046d0739906 100644
--- a/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml
@@ -39,6 +39,7 @@ cache:
     - cd ${TF_ROOT}
     - gitlab-terraform plan
     - gitlab-terraform plan-json
+    - gitlab-terraform encrypt
   artifacts:
     paths:
       - ${TF_ROOT}/plan.cache
@@ -49,6 +50,7 @@ cache:
   stage: deploy
   script:
     - cd ${TF_ROOT}
+    - gitlab-terraform decrypt
     - gitlab-terraform apply
   when: manual
   only:
-- 
GitLab
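Review bot: The new `gitlab-terraform encrypt` line in the build script covers only `plan.cache`, while `gitlab-terraform plan-json` two lines above still produces a plaintext JSON rendering of the same plan; if the template also publishes that JSON file under `artifacts:` (the block continues past the hunk), the sensitive values this commit sets out to protect remain readable there. It is also not visible here whether `encrypt` is a no-op when `TF_PLAN_RECIPIENTS` is unset, which decides whether existing pipelines that never configured a recipient keep working. A comment on the new line would make that contract explicit, e.g. `# encrypts plan.cache with age when TF_PLAN_RECIPIENTS is set (see doc/user/infrastructure/index.md)`. The job definition this script belongs to starts before the hunk.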
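Review bot: The new `gitlab-terraform decrypt` in the deploy script needs the `TF_PLAN_IDENTITY` private key at apply time, and this job is `when: manual` with an `only:` rule that runs past the hunk; if that rule admits unprotected refs, a protected variable is absent and decrypt fails, whereas an unprotected variable makes the private key readable by anyone who can run a pipeline in the project. Decrypting also leaves the plaintext `plan.cache` in the deploy job's workspace, so this job should not declare it as an artifact (nothing in this hunk does, but the job's tail is outside the hunk). A one-line comment above the new line, `# requires TF_PLAN_IDENTITY (masked, protected) - see doc/user/infrastructure/index.md`, would make the dependency visible to template users. The job definition starts before the hunk.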