Open js-timbirkett opened 3 years ago
It's a bit hard for me to see the benefits of adding support for another external encryption tool like vals
in place of sops
. It feels like a slippery slope in terms of the number of functions we'd have to support. Having first class support for Sops made sense given it's popularity and relative mindshare, but it's a bit hard for me to justify adding another function to maintain based on something that appears to have a smaller community.
What if instead we introduce variants of run_cmd
that are more optimized for this use case? I'm thinking something like run_cmd_json
and run_cmd_yaml
, which runs the command and then decodes the stdout as json/yaml. Then you could do something like the following in your terragrunt config:
run_cmd_yaml("sops", "-d", "secrets.yaml")
run_cmd_yaml("vals", "exec", "-f", "secrets.yaml")
Hello 👋
This is a placeholder issue, I intend to follow up with a PR (tests and docs).
Currently, Terragrunt has the
sops_decrypt_file
which, whilst it is amazing (if I say so myself), is overly simplistic and limited in its approach. Only sops is supported, the whole file is decrypted and passed in as an object.I intend to take a good look at the overall design of secrets support and will update this PR as I have ideas. I'm thinking that making use of: https://github.com/variantdev/vals would give a very good experience, and open up more options for secrets in Terragrunt (vals support Sops under the hood too).
Any objections, concerns or ideas from others?
Thanks!