feat: add encryption of terraform plan cache with age
The intended use case is to allow working on Infrastructure-as-Code projects using Terraform in public, without revealing secrets, by simply using the template for .gitlab-ci.yaml and setting two variables with keys.
To achieve this I extended the terraform image over in MR terraform-images!67 (closed). This MR extends the template and adds documentation.
En-/Decryption is tested over in the project of the terraform-image.
Age is the recommended encryption of Mozilla SOPS, uses the X25519 function, which is mandatory for TLS 1.3, and is easy to use.
Just run age-keygen and set two CI variables with the output.
The helper script has been extended to do nothing (just warn about spilling secrets) when the variables are left unset.
Find encrypted artifacts in the pipelines over at my pet project https://gitlab.com/dekarl/homelab/-/pipelines
Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.
@gitlab-com/gl-security/appsec
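An added sketch of the behaviour described above, not the helper script from this MR or from terraform-images: encrypt the plan cache to an age recipient, decrypt it with the matching identity, and fall back to a warned pass-through when the variables are unset. The variable names `PLAN_AGE_RECIPIENT` and `PLAN_AGE_IDENTITY` and both function names are hypothetical; the `age` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example. PLAN_AGE_RECIPIENT holds the public key printed by age-keygen,
# PLAN_AGE_IDENTITY the AGE-SECRET-KEY-1... line. Both names are hypothetical.

# plan_encrypt SRC DST: write SRC to DST, age-encrypted when a recipient is set.
plan_encrypt() {
    src=$1 dst=$2
    if [ -z "${PLAN_AGE_RECIPIENT:-}" ]; then
        echo "WARNING: PLAN_AGE_RECIPIENT unset, plan cache stored unencrypted" >&2
        cp -- "$src" "$dst"
        return 0
    fi
    # Encrypt to a temp file first so a failed run never leaves a partial artifact.
    tmp="$dst.tmp.$$"
    if age -r "$PLAN_AGE_RECIPIENT" -o "$tmp" "$src"; then
        mv -- "$tmp" "$dst"
    else
        rm -f -- "$tmp"
        return 1
    fi
}

# plan_decrypt SRC DST: restore the plan cache; fails if the key does not match.
plan_decrypt() {
    src=$1 dst=$2
    if [ -z "${PLAN_AGE_IDENTITY:-}" ]; then
        echo "WARNING: PLAN_AGE_IDENTITY unset, reading plan cache as plaintext" >&2
        cp -- "$src" "$dst"
        return 0
    fi
    # age reads identities from a file; mktemp creates it with mode 0600.
    keyfile=$(mktemp) || return 1
    printf '%s\n' "$PLAN_AGE_IDENTITY" > "$keyfile"
    rc=0
    age -d -i "$keyfile" -o "$dst" "$src" || rc=$?
    rm -f -- "$keyfile"   # never leave the secret key in the job workspace
    return "$rc"
}
```

In a pipeline, the job that creates the plan would call `plan_encrypt` before the artifact is uploaded, and the job that applies it would call `plan_decrypt` first.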