Open kevcube opened 6 months ago
We've recently extended atmos to support all types of datasources, although most are from gomplate. Unfortunately gomplate doesn't provide native SOPS.
It's a really interesting idea if stack configs could reference a datasource for SOPS encrypted secrets, guarded by cloud-specific keys like KMS.
See how we configure data sources today: https://atmos.tools/cli/configuration#templates
All we would need to do is add a datasource for a sops-encrypted file, then we could support key/value lookups using all the normal mechanisms.
Love this idea -- Good issue @kevcube as this would definitely help us since we love SOPS so much.
@osterman is it possible to create datasources that are just for atmos? Or do they need to come from the upstream gomplate project?
We can include them simply in the Atmos core, without requiring them in the upstream dependencies. Also, if any of your team would be interested in getting more involved hands-on, let me know and we can coordinate.
This will be a very interesting feature to add to atmos
Currently, I am using terragrunt, which has native support for a sops datasource, and this blocks me from moving to atmos
Describe the Feature
It would be great if Atmos had some interface for retrieving secrets from SOPS to be passed into terraform configuration.
Because we do our terraform configuration in Atmos' YAML, our TF configuration remains the same across environments/deployments. This is usually a good thing, but when something like a secret would change across environments, now we either need our terraform configuration to have some dynamic portion where it will grab the correct secret, or we would need to put the secret in raw YAML which isn't gonna happen.
I'm not sure about the extensibility of YAML
Expected Behavior
Some function in Atmos YAML to decode a SOPS secret from a given path.
Or some function in Atmos to read our SOPS files based on which stack/environment we are currently in and make those secrets available to reference in the YAML somehow.
Use Case
Secrets management can be better integrated with Atmos.
Describe Ideal Solution
See expected behavior
Alternatives Considered
No response
Additional Context
Terraform has a SOPS provider that we can use to do this work in our modules, and Terragrunt has native SOPS functions that can be used to do this in orchestration. Their implementation can be a reference.