feat: add encryption of terraform plan cache with age
What does this MR do?
The intended use case is to allow working on Infrastructure-as-Code projects using Terraform in public, without revealing secrets, by simply using the template for .gitlab-ci.yaml and setting two variables with keys.
To achieve this, I extended the terraform image over in MR terraform-images!67 (closed). This MR extends the template and adds documentation.
Encryption and decryption are tested over in the terraform-image project.
age is the encryption recommended by Mozilla SOPS, uses the X25519 function, which is mandatory for TLS 1.3, and is easy to use.
Just run age-keygen and set two CI variables with the output.
The helper script has been extended to do nothing (just warn about spilling secrets) when the variables are left unset.
Screenshots (strongly suggested)
Find encrypted artifacts in the pipelines over at my pet project https://gitlab.com/dekarl/homelab/-/pipelines
Does this MR meet the acceptance criteria?
Conformity
- I have added/updated documentation, or it's not needed. (Is documentation required?)
- I have properly separated EE content from FOSS, or this MR is FOSS only. (Where should EE code go?)
Availability and Testing
- I have added/updated tests following the Testing Guide, or it's not needed. (Consider all test levels. See the Test Planning Process.)
- I have tested this MR in all supported browsers, or it's not needed.
- I have informed the Infrastructure department of a default or new setting change per definition of done, or it's not needed.
Security
Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
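An added example of the behaviour the description above asks for (encrypt the plan cache with the `age-keygen` output, do nothing but warn when the key variables are unset). It is not the helper script from terraform-images!67 or any other code from this MR. The variable names `AGE_PUBLIC_KEY` and `AGE_SECRET_KEY`, the file name `plan.cache` and the script name `age-plan.sh` are assumptions; the MR does not name them.

```shell
#!/bin/sh
# Added example, not the helper from terraform-images!67.
# Assumed names (the MR does not name them):
#   AGE_PUBLIC_KEY  - the "# public key: age1..." value printed by age-keygen
#   AGE_SECRET_KEY  - the "AGE-SECRET-KEY-1..." line printed by age-keygen
#   plan.cache      - the plan file handed from the plan job to the apply job

warn() { printf 'WARNING: %s\n' "$*" >&2; }
fail() { printf 'ERROR: %s\n' "$*" >&2; }

need_age() {
  command -v age >/dev/null 2>&1 && return 0
  fail "age binary not found in PATH"
  return 127
}

# encrypt_plan_cache FILE
# Replaces FILE with FILE.age so only the ciphertext becomes a job artifact.
# Without AGE_PUBLIC_KEY it leaves FILE untouched and only warns, because the
# plan carries the values of every resource attribute, secrets included.
encrypt_plan_cache() {
  file=$1
  if [ -z "${AGE_PUBLIC_KEY:-}" ]; then
    warn "AGE_PUBLIC_KEY is unset; $file will be uploaded as plaintext"
    return 0
  fi
  [ -f "$file" ] || { fail "$file does not exist"; return 1; }
  need_age || return $?
  if age -r "$AGE_PUBLIC_KEY" -o "$file.age" "$file"; then
    rm -f "$file"
  else
    fail "encryption of $file failed"
    return 1
  fi
}

# decrypt_plan_cache FILE
# Restores FILE from FILE.age. A missing FILE.age is not an error: either
# encryption was skipped upstream or no plan was produced at all.
decrypt_plan_cache() {
  file=$1
  [ -f "$file.age" ] || return 0
  if [ -z "${AGE_SECRET_KEY:-}" ]; then
    fail "$file.age is present but AGE_SECRET_KEY is unset"
    return 1
  fi
  need_age || return $?
  # age -i wants an identity *file*; mktemp creates it mode 0600, and the key
  # never appears on a command line where `ps` or the job log could show it.
  idfile=$(mktemp) || return 1
  printf '%s\n' "$AGE_SECRET_KEY" > "$idfile"
  if age -d -i "$idfile" -o "$file" "$file.age"; then
    status=0
  else
    fail "decryption of $file.age failed"
    status=1
  fi
  rm -f "$idfile"
  return "$status"
}

# CLI entry point: `sh age-plan.sh encrypt plan.cache` in the plan job,
# `sh age-plan.sh decrypt plan.cache` in the apply job. With no arguments the
# script only defines the functions, so it can also be sourced.
case "${1:-}" in
  encrypt) encrypt_plan_cache "${2:-plan.cache}" ;;
  decrypt) decrypt_plan_cache "${2:-plan.cache}" ;;
  "") ;;
  *) fail "usage: $0 encrypt|decrypt [file]"; exit 2 ;;
esac
```

Only the recipient (public key) is needed in the plan job, so it can be an ordinary CI variable; the secret key belongs in a protected and masked variable so that jobs on unprotected branches or from forks never receive it, and decryption happens only where apply is allowed to run.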