Wrapper for Mozilla's sops tool to work with encrypted configs and render them into a classic `.env` format

Configs

Toolset to manage encrypted application configs and vaults. Or something.

Usage

Transform

Usage:
configs transform [options] <input> <format> <output>

Render a config file into a target format.

  • input: input file name, or - to use stdin
  • format: format to render
  • output: output file name, or - to use stdout

Options:

  • -v, --vault: specify a vault for resolving secrets; can be specified multiple times to allow for adding fallbacks

Provision

Usage:
configs provision <input> <source-vault> <target-vault>

Resolve all secrets using one vault, and store them all in a target vault.

  • input: input file name, or - to use stdin
  • source-vault: vault to use to resolve all secrets
  • target-vault: vault to store all secrets in

Supported Formats

env

env:
  fields:
    <field-name>: <config-path>
    <field-name>: <config-path>

Fetches each field's value from the config or a vault and writes a flat list of KEY="value" lines, with every value wrapped in double quotes. Values are not escaped yet, so a value containing a double quote or other characters the consuming parser treats specially will break the rendered file.
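An added example, not the tool's own code, that renders the `env` transform as described above (dotted config paths, KEY="value" lines, no escaping) beside a variant that escapes, plus a pre-flight check for fields whose path does not exist. `CONFIG` is a constructed stand-in for the parsed file after the vault has decrypted `secrets_encrypted`; `resolve`, `unresolved_fields`, `render_env_naive`, `escape_env_value` and `render_env` are hypothetical names.

```python
# Added example, not the tool's own code: the `env` transform as the README describes it
# (KEY="value", no escaping) beside a variant that escapes. CONFIG is a constructed
# stand-in for the parsed file after the vault decrypted secrets_encrypted.
from typing import Any, Dict, List

CONFIG: Dict[str, Any] = {
    "database": {
        "connection": {"host": "rds.url.amazonaws.com", "name": "testdatabase"},
        "credentials": {"username": "app", "password": 'p"ss$wd\\x'},
    }
}
# Field names taken from the README example.
FIELDS = {"DB_HOST": "database.connection.host",
          "DB_USER": "database.credentials.username",
          "DB_PASS": "database.credentials.password"}

def resolve(config: Dict[str, Any], path: str) -> str:
    """Walk a dotted config path such as database.connection.host."""
    node: Any = config
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"config path not found: {path}")
        node = node[part]
    return str(node)

def unresolved_fields(config: Dict[str, Any], fields: Dict[str, str]) -> List[str]:
    """Pre-flight check: env keys whose config path does not exist."""
    missing = []
    for key, path in fields.items():
        try:
            resolve(config, path)
        except KeyError:
            missing.append(key)
    return missing

def render_env_naive(config: Dict[str, Any], fields: Dict[str, str]) -> str:
    """README behaviour: wrap each value in double quotes, no escaping."""
    return "".join(f'{k}="{resolve(config, p)}"\n' for k, p in fields.items())

def escape_env_value(value: str) -> str:
    """Escape backslash and double quote so a value cannot close its own quotes;
    whether $ or backticks also need escaping depends on the file's consumer."""
    return value.replace("\\", "\\\\").replace('"', '\\"')

def render_env(config: Dict[str, Any], fields: Dict[str, str]) -> str:
    """Same shape as render_env_naive, with values escaped."""
    return "".join(f'{k}="{escape_env_value(resolve(config, p))}"\n' for k, p in fields.items())
```

Running `unresolved_fields` against the README's own example reports `DB_NAME` and `DB_PORT`, whose paths are not defined under `config`.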

Supported Vaults

sops

sops:

Use Mozilla's sops command-line tool to decrypt the input config. Further configuration (keys and recipients) is done with the sops tool itself.

Encrypting a new file with a local PGP key:

sops --encrypted-suffix _encrypted -i --pgp ABCD1234ABCD1234ABCD1234 --encrypt myfile.yaml

Encrypting a new file with an AWS KMS key:

sops --encrypted-suffix _encrypted -i --kms arn:aws:kms:us-west-2:123412341234:key/11111111-2222-3333-4444-555555555555 --encrypt myfile.yaml

aws

aws:
  base_path: base/path/name/

Fetch values from the AWS Secrets Manager service.

Values that share the same path prefix are combined into properties of a single secret.

E.g., with:

  • database.connection.username and
  • database.connection.password

A single secret will be created at database/connection with the username and password properties.

Optionally, specify a base path that will be prepended to all secret names.
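An added example, not the tool's own code, of the grouping rule described above: secret leaves are flattened to dotted paths, the shared prefix (with `/` separators, after the optional base path) becomes the secret name, and the last path component becomes a property. `SECRETS` is a constructed input standing in for the decrypted secrets section; `flatten` and `group_secrets` are hypothetical names, and rejecting a leaf that has no prefix is an assumption, since the README does not define that case.

```python
# Added example, not the tool's own code: groups resolved secrets into AWS Secrets
# Manager secret names the way the README describes (shared prefix -> one secret,
# last path component -> a property). SECRETS is a constructed input.
from typing import Any, Dict, Iterator, Tuple

SECRETS: Dict[str, Any] = {
    "database": {
        "connection": {"username": "app", "password": "s3cret"},
        "replica": {"password": "r3plica"},
    },
    "api": {"token": "tok-123"},
}

def flatten(node: Dict[str, Any], prefix: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (dotted.path, value) pairs for every leaf of a nested mapping."""
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield path, str(value)

def group_secrets(secrets: Dict[str, Any], base_path: str = "") -> Dict[str, Dict[str, str]]:
    """Map each secret name (base_path + prefix joined with '/') to its properties.
    Assumption: a leaf with no prefix (a bare top-level key) is rejected rather
    than guessed at, because the README does not define that case."""
    base = base_path.rstrip("/") + "/" if base_path else ""
    grouped: Dict[str, Dict[str, str]] = {}
    for path, value in flatten(secrets):
        *prefix, prop = path.split(".")
        if not prefix:
            raise ValueError(f"secret '{path}' has no prefix to form a secret name")
        name = base + "/".join(prefix)
        grouped.setdefault(name, {})[prop] = value
    return grouped
```

With `base_path` set to `staging/my-app/` as in the README example, the database credentials land in one secret named `staging/my-app/database/connection` with `username` and `password` properties.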

Example Configuration

# Required -- currently only version 0 is supported
meta:
    version: 0

# Unencrypted configuration values.
# You can use any arbitrary structure here.
config:
    database:
        connection:
            host: rds.url.amazonaws.com
            name: testdatabase
            asdf:
                test: 1

# Encrypted configuration values for sops.
# Edit these by running `sops my-config.yaml`.
secrets_encrypted:
    database:
        credentials:
            username: ENC[AES256_GCM,data:aWjCNsOBkPM=,iv:mZCd3CCdVu8Sfltb8wrzG32dk1+HlZkPO1FvqIdQ2BM=,tag:qtdcyuIBU6oQ/nwpN2OCzA==,type:str]
            password: ENC[AES256_GCM,data:YeNzC8nLVJ8=,iv:AFDV/Y5/c3002ToSMNFVZYj/nfzJp7oRZ83H/LizADc=,tag:6Gr77eepzFvfXmejKi23PA==,type:str]

# Configurations for the various target formats.
transform:
    env:
        fields:
            DB_HOST: database.connection.host
            DB_USER: database.credentials.username
            DB_PASS: database.credentials.password
            DB_NAME: database.connection.database
            DB_PORT: database.connection.port

# Configurations for the various vault services.
vault:
    aws:
        base_path: staging/my-app/
    sops:

# Auto-generated by the sops tool. Do not edit.
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    lastmodified: '2019-12-27T07:38:07Z'
    mac: ENC[AES256_GCM,data:ldCTC83ANEzs3COJQbsmO5bJqweCBe6pWqVy4NjSs00sybnO4L7TAQ5nuzxItQSj586uI2TwE3hU4olWaquFxoEf4+rLkvlIjawwZ3yfYT9pUGOYUH3gEFSYn5JcYmt5yujf8/QxI6GU18i6l9MJj/KDvyOigcgxVV7Mhd/7xJ0=,iv:ARpM/Zbour/1n2Vje3LvKFKmtBPiZ1xolKUhHJ4hUeQ=,tag:/XsFeupDr72o6foW6nHeFg==,type:str]
    pgp:
    -   created_at: '2019-12-27T07:38:05Z'
        enc: |-
            -----BEGIN PGP MESSAGE-----

            wcBMAyUpShfNkFB/AQgAAdocsGAUFAYb1kMFRVprKC/mLbh/yfrcFcsOgux8dXNr
            JsHY9U3qVx2N9h4IKx0yiOGY7I0soc6701BtiJugjTJwuPS9FzEE9lY7QcEsGXxk
            gKCPgNj47AyiJO8447xgmS9BEMwFZRZs+xtKttDh36tlLuaybugAUFBvDxcsJXPL
            1EhdzkexFMnGNXa1qATD7LVZHd96E5kt0VRou17ZtTH4QNWgEhYOlcr6juSmIlmO
            qyQXd4vKdGJXAfcwrJ6kDkLIpC96dtw966NtTC1mM2WzpwC0/Y/wPo3UfEvsLx1e
            LaC4T5eBHShpherJTwDxKTyvCaGAOseT0Ew1YVwGJ9LgAeTyrBRVFKGl1426NWAY
            U/lG4buk4MXgBuHeTODM4qakw8Pgc+WAdZyS3ihQpXHpD1pYMmtk8NZv5w3zviml
            cJX1RVHyl+BE5ICCNHcDXndVQgsZS5AbJ+7itPZaBOG9SwA=
            =Jfgz
            -----END PGP MESSAGE-----
        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
    encrypted_suffix: _encrypted
    version: 3.5.0