Open ZIJ opened 1 month ago
Thanks for this RFC, encryption of the state file is indeed much needed. Regarding tooling, I've heard a lot of folks use sops to manage secrets in gitops:
SOPS is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.
https://github.com/getsops/sops
I'm not sure if they expose some kind of library which we can wrap around, though; it seems to be built to be used as a CLI tool in a client flow.
Currently plan files persisted in workflow artifacts in GitHub are not encrypted (see #817). This is a security concern because plan artifacts contain a snapshot of state, which can contain sensitive data like private keys.

Proposed solution: encrypt plan artifacts at rest using a DIGGER_PLAN_ARTIFACT_ENCRYPTION_KEY secret in GitHub Secrets:

    gpg --cipher-algo AES256 --symmetric filename.tar.gz

Using a zip password is not a good idea because it uses a weak cipher.

Open questions
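One practical point the gpg proposal leaves open is how the passphrase reaches gpg on a headless runner: passing it with `--passphrase` on the command line exposes it to the process list, so it is better read from stdin. The script below is an added example written for this thread, not digger's code. It assumes the proposed DIGGER_PLAN_ARTIFACT_ENCRYPTION_KEY secret is exported as an environment variable (in CI it would come from GitHub Secrets), falls back to a constructed placeholder so it runs offline, and checks both that the symmetric-key packet actually records AES-256 (OpenPGP cipher id 9) and that decryption round-trips the artifact byte for byte.

```shell
#!/usr/bin/env sh
# Added example (not the digger project's code): symmetric AES-256 gpg
# encryption of a plan artifact with the passphrase fed over stdin.
set -eu

# In CI: export DIGGER_PLAN_ARTIFACT_ENCRYPTION_KEY from GitHub Secrets.
# The default below is a constructed placeholder so the script runs offline.
: "${DIGGER_PLAN_ARTIFACT_ENCRYPTION_KEY:=constructed-placeholder-do-not-use}"

# Fresh keyring dir: symmetric mode needs no keys, and this keeps the run
# hermetic on a runner that has no writable ~/.gnupg.
GNUPGHOME=${GNUPGHOME:-$(mktemp -d)}
export GNUPGHOME

# Shared flags: no prompts, loopback pinentry so --passphrase-fd works
# without a terminal, passphrase read from fd 0 (stdin), never from argv.
gpg_sym() {
  printf '%s' "$DIGGER_PLAN_ARTIFACT_ENCRYPTION_KEY" |
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 "$@"
}

# encrypt_plan <plan.tar.gz> <out.gpg>
# --s2k-* flags harden passphrase stretching beyond gpg's defaults.
encrypt_plan() {
  gpg_sym --symmetric --cipher-algo AES256 \
    --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712 \
    --output "$2" "$1"
}

# decrypt_plan <in.gpg> <plan.tar.gz>
decrypt_plan() {
  gpg_sym --decrypt --output "$2" "$1"
}

# cipher_is_aes256 <in.gpg>
# Inspect the symmetric-key packet; OpenPGP algorithm id 9 is AES-256
# (RFC 4880 section 9.2). Returns 0 only if that is what was written.
cipher_is_aes256() {
  gpg_sym --list-packets "$1" | grep -q 'symkey enc packet.*cipher 9'
}

# roundtrip_demo: build a constructed plan artifact, encrypt it, confirm the
# ciphertext uses AES-256 and hides the plaintext, decrypt, and compare.
# Returns 0 on success, non-zero on any failure.
roundtrip_demo() {
  work=$(mktemp -d)
  mkdir "$work/plan"
  # Constructed stand-in for a plan file holding a sensitive value.
  printf 'constructed plan snapshot, fake secret: hunter2\n' > "$work/plan/tfplan"
  tar -czf "$work/plan.tar.gz" -C "$work" plan

  encrypt_plan "$work/plan.tar.gz" "$work/plan.tar.gz.gpg"
  cipher_is_aes256 "$work/plan.tar.gz.gpg"
  if grep -q 'hunter2' "$work/plan.tar.gz.gpg"; then
    echo "plaintext leaked into ciphertext" >&2
    rm -rf "$work"
    return 1
  fi

  decrypt_plan "$work/plan.tar.gz.gpg" "$work/restored.tar.gz"
  if cmp -s "$work/plan.tar.gz" "$work/restored.tar.gz"; then
    rc=0
  else
    echo "decrypted artifact does not match original" >&2
    rc=1
  fi
  rm -rf "$work"
  return $rc
}
```

In a workflow the upload step would call `encrypt_plan` before `actions/upload-artifact` and the apply job would call `decrypt_plan` after download. The `cipher_is_aes256` check is worth keeping in CI because a `--cipher-algo` typo silently falls back to gpg's default symmetric cipher rather than failing.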
Other solutions considered
Remove state representation from the plan artifact
Suggested by one of the users; unfortunately it doesn't look feasible because a snapshot of existing state is an integral part of the plan. The purpose of the plan artifact is to capture the state at the time of plan artifact creation, plus the diff on top. This way if the state has moved on since the plan artifact was created and now contains changes that are not compatible with the plan artifact, Terraform is able to compare actual state with the plan time state. See state representation in the Terraform internals docs.
Relevant existing issues