feat: add encryption of terraform plan cache with age

Karl Egly requested to merge dekarl/gitlab:feature-encrypt-terraform-plan into master

What does this MR do?

The intended use case is to allow working on Infrastructure-as-Code projects using Terraform in public, without revealing secrets, by simply using the template for .gitlab-ci.yaml and setting two variables with keys.

To achieve this I extended the terraform image over in MR terraform-images!67 (closed). This MR extends the template and adds documentation.

Encryption/decryption is tested over in the project of the terraform-image.

Age is the encryption recommended by Mozilla SOPS, uses the X25519 function (which is mandatory for TLS 1.3) and is easy to use.

Just run age-keygen and set two CI variables with the output.

The helper script has been extended to do nothing (just warn about spilling secrets) when the variables are left unset.

Screenshots (strongly suggested)

Find encrypted artifacts in the pipelines over at my pet project https://gitlab.com/dekarl/homelab/-/pipelines

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

/cc @gitlab-com/gl-security/appsec
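The behaviour described above (encrypt the plan cache with age when the two CI variables are set, only warn when they are unset), as an added example that is not the MR's helper script; the variable names and the in-place file handling are assumptions:

```shell
#!/bin/sh
# Added example, not the MR's helper script: protect the Terraform plan cache
# with age when the two CI variables are set, otherwise warn and leave it alone.
# The variable names below are assumed; the MR does not name them.
set -eu

# Assumed names for the two CI variables filled from `age-keygen` output:
# the recipient (public key) and the identity (secret key).
: "${TF_PLAN_AGE_PUBLIC_KEY:=}"
: "${TF_PLAN_AGE_SECRET_KEY:=}"

# Print "encrypt" when both keys are configured, "plain" otherwise.
plan_cache_mode() {
  if [ -n "$TF_PLAN_AGE_PUBLIC_KEY" ] && [ -n "$TF_PLAN_AGE_SECRET_KEY" ]; then
    echo encrypt
  else
    echo plain
  fi
}

# Encrypt the plan cache in place with the public key. With the keys unset the
# file is left untouched and a warning tells the job that the artifact will
# spill whatever secrets the plan contains.
encrypt_plan_cache() {
  f="$1"
  if [ "$(plan_cache_mode)" = encrypt ]; then
    age -r "$TF_PLAN_AGE_PUBLIC_KEY" -o "$f.age" "$f"
    mv "$f.age" "$f"
  else
    echo "WARNING: age keys not set, '$f' is stored unencrypted in the artifact" >&2
  fi
}

# Decrypt the plan cache in place. age reads identities from a file, so the
# secret key goes into a mktemp file (mode 0600) that is removed afterwards,
# also when age fails.
decrypt_plan_cache() {
  f="$1"
  [ "$(plan_cache_mode)" = encrypt ] || return 0
  key="$(mktemp)"
  trap 'rm -f "$key"' EXIT
  printf '%s\n' "$TF_PLAN_AGE_SECRET_KEY" > "$key"
  age -d -i "$key" -o "$f.plain" "$f"
  rm -f "$key"
  mv "$f.plain" "$f"
}
```

In a job, call `encrypt_plan_cache plan.cache` after `terraform plan` and `decrypt_plan_cache plan.cache` before `terraform apply`; the warning path keeps the pipeline green but leaves the plan readable to anyone who can download the artifact.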