diff --git a/doc/user/infrastructure/index.md b/doc/user/infrastructure/index.md index 0dc8c58c8f63722c691556f1876f6e0afb005177..0ce49b4dc36e55852a6a18f832b42dded2310b6d 100644 --- a/doc/user/infrastructure/index.md +++ b/doc/user/infrastructure/index.md @@ -74,6 +74,10 @@ Neither Terraform nor GitLab encrypts the plan file by default. If your Terrafor includes sensitive data such as passwords, access tokens, or certificates, GitLab strongly recommends encrypting plan output or modifying the project visibility settings. +You can enable encryption with age by running age-keygen, setting +TF_PLAN_RECIPIENTS to the public key and TF_PLAN_IDENTITY to the private +key (mask and protect it!). + ## Terraform module registry GitLab can be used as a [Terraform module registry](../packages/terraform_module_registry/index.md) diff --git a/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml index 200388a274c60599c4d74d0fcc665f44b35a6a3e..380046d0739906f285b61dbc4ff5dc820bd39d1f 100644 --- a/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml @@ -39,6 +39,7 @@ cache: - cd ${TF_ROOT} - gitlab-terraform plan - gitlab-terraform plan-json + - gitlab-terraform encrypt artifacts: paths: - ${TF_ROOT}/plan.cache @@ -49,6 +50,7 @@ cache: stage: deploy script: - cd ${TF_ROOT} + - gitlab-terraform decrypt - gitlab-terraform apply when: manual only:
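Review bot: In the doc/user/infrastructure/index.md hunk, the new paragraph does not say where TF_PLAN_RECIPIENTS and TF_PLAN_IDENTITY are set, and "mask and protect it!" should be checked against what GitLab masking actually accepts: an age identity from age-keygen is a single line of the form AGE-SECRET-KEY-1..., and if the hyphens fall outside the masked-variable character rules the value cannot be masked, so the text should either confirm masking works for this format or point the reader to an alternative such as a protected file-type CI/CD variable. Suggest also naming the commands that consume the two variables ("the `gitlab-terraform encrypt` and `gitlab-terraform decrypt` steps in the Terraform templates read these variables") so the reader can connect the setting to the pipeline behaviour.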
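Review bot: In the Base.latest.gitlab-ci.yml plan-job hunk, `- gitlab-terraform encrypt` runs unconditionally while the documentation describes encryption as something "you can enable"; please confirm that the wrapper is a no-op when TF_PLAN_RECIPIENTS is unset, otherwise every existing user of the template breaks on the next pipeline. The artifacts block below it still lists only `${TF_ROOT}/plan.cache`: if `encrypt` writes a separate ciphertext file rather than replacing plan.cache in place, the plaintext plan is still what gets uploaded and the encryption buys nothing, so either document that the file is encrypted in place or adjust the artifact path and remove the plaintext before upload.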
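Review bot: In the deploy-job hunk, `- gitlab-terraform decrypt` means the private identity (TF_PLAN_IDENTITY) must be available to the deploy job; the template (or the docs hunk above) should state that only this job needs it and that the variable should be restricted to protected branches or environments so a plan-stage job on an arbitrary branch cannot read it. The same unset-variable question applies here as for `encrypt`: decrypt should skip cleanly when no encryption was configured, and if it errors on a missing key the manual `apply` can never run for users who did not opt in.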