getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

Support substitution of key parameters from path_regex captures #506

Open kshpytsya opened 5 years ago

kshpytsya commented 5 years ago

I would like to be able to write something like this:

creation_rules:
- path_regex: 'secrets\.(.*)\.(.*)\.yaml'
  key_groups:
  - kms:
    - arn: arn:aws:kms:eu-central-1:999999:alias/sops-\2-\1
  - kms:
    - arn: arn:aws:kms:us-west-1:9999999:alias/sops-\2-\1
      role: something-\1-more
      context:
        a: \1
        b: xxx-\2

jvehent commented 5 years ago

Can I ask why?

kshpytsya commented 5 years ago

We have a configuration management system (terraform is involved) that among other things manages a set of keys (and respective aliases) for environments (e.g. "prod", "qa"). Adding another environment (e.g. "staging") and executing an apply action will create new keys and aliases for the new environment. With the functionality I have suggested, no changes to the .sops.yaml file (or files, as there could possibly be many repositories) would be required. It would just work.

jvehent commented 5 years ago

While I'm not fundamentally against it, it adds complexity to a configuration file that I already find confusing to manage. I generally prefer to recommend creating a separate .sops.yaml per application and locating them in subdirectories.

With that said, if you can provide a proof of concept that is not overly complex, I don't have a strong opinion against it.

kshpytsya commented 5 years ago

Regretfully I am a Python/C++ person and my Go-fu is mostly at the read-only level. In my case, since wrapper scripts are involved, I can manage to work around the issue. However, it seems that having this functionality in sops itself would be a cleaner solution possibly preventing others from reinventing the wheel.

ajvb commented 5 years ago

Yeah, I'm more partial to think that this should be done outside of the sops config file. There are many templating tools (YAML-specific or not) that can do this with ease and a lot better than we could do it.
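The following is an added example, not code from sops, from the issue author or from the maintainers. It does outside sops what the opening comment asks sops to do itself, which is also the "do it outside the config file" approach suggested in the last comment: a small preprocessor that matches a file path against a rule's path_regex, substitutes `\1`, `\2`, ... in the rule's string values from the captures, and emits a per-file .sops.yaml. The `\N` syntax is taken from the proposal above; the config dict is constructed to mirror it. Two things are assumptions of this example rather than anything the thread settled on: the captures are tightened from `(.*)` to `[a-z0-9-]+`, so that a crafted file path can only select key aliases shaped like environment or region names (the path is effectively choosing which KMS key encrypts the secret, so it should not be able to name an arbitrary alias), and a `\N` pointing at a group the regex does not have is rejected instead of silently producing a broken ARN.

```python
"""Expand \\N back-references in a sops creation rule from path_regex captures.

Added example (not part of sops, not the issue author's code): a wrapper-side
preprocessor implementing the substitution proposed in the issue.
Assumed syntax: \\1, \\2, ... in string values refer to the capture groups of
the rule's path_regex, exactly as written in the proposal.
"""
import json
import re

# Constructed config mirroring the issue's proposal. Captures are restricted
# to [a-z0-9-]+ (an assumption, tighter than the issue's (.*)) so a file path
# can only select aliases that look like environment/region names.
CONFIG = {
    "creation_rules": [
        {
            "path_regex": r"secrets\.([a-z0-9-]+)\.([a-z0-9-]+)\.yaml$",
            "key_groups": [
                {"kms": [{"arn": r"arn:aws:kms:eu-central-1:999999:alias/sops-\2-\1"}]},
                {"kms": [{
                    "arn": r"arn:aws:kms:us-west-1:9999999:alias/sops-\2-\1",
                    "role": r"something-\1-more",
                    "context": {"a": r"\1", "b": r"xxx-\2"},
                }]},
            ],
        }
    ]
}

# A back-reference is a backslash followed by one or more digits.
_BACKREF = re.compile(r"\\(\d+)")


def _substitute(value, match):
    """Recursively replace \\N in string leaves; dicts and lists are walked."""
    if isinstance(value, str):
        def repl(m):
            n = int(m.group(1))
            if n < 1 or n > len(match.groups()):
                raise ValueError(f"\\{n} refers to a group path_regex does not have")
            # Function-based replacement: captured text is inserted literally,
            # so a capture is never re-interpreted as another back-reference.
            return match.group(n)
        return _BACKREF.sub(repl, value)
    if isinstance(value, dict):
        return {k: _substitute(v, match) for k, v in value.items()}
    if isinstance(value, list):
        return [_substitute(v, match) for v in value]
    return value


def expand_rule(config, path):
    """Return the first creation rule matching `path` with captures
    substituted, or None when no rule matches."""
    for rule in config["creation_rules"]:
        m = re.search(rule["path_regex"], path)
        if m is None:
            continue
        expanded = {k: v for k, v in rule.items() if k != "path_regex"}
        expanded = _substitute(expanded, m)
        # Pin the expanded rule to this exact file so the generated config
        # cannot be reused for a different path.
        expanded["path_regex"] = "^" + re.escape(path) + "$"
        return expanded
    return None


def render_sops_yaml(config, path):
    """Emit a per-file .sops.yaml. JSON is valid YAML, so no YAML library
    is needed to produce something sops can read."""
    rule = expand_rule(config, path)
    if rule is None:
        raise LookupError(f"no creation rule matches {path!r}")
    return json.dumps({"creation_rules": [rule]}, indent=2)


if __name__ == "__main__":
    # Constructed input: environment "prod", region "eu".
    print(render_sops_yaml(CONFIG, "secrets.prod.eu.yaml"))
```

Running it for `secrets.prod.eu.yaml` yields a rule whose first ARN ends in `alias/sops-eu-prod`, a role of `something-prod-more` and a context of `{"a": "prod", "b": "xxx-eu"}`; a wrapper can write that output to a temporary .sops.yaml (or pass it via `--config`) before invoking sops. A path such as `secrets.Prod.eu.yaml` matches no rule and is rejected rather than falling through to a default key.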