Added GCP KMS option for sops encryption (#38)

plumber-cd · Jul 19, 2023 · 34be55f · 34be55f
1 parent 1c0b237
commit 34be55f
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -24,6 +24,7 @@ Git as Terraform backend? Seriously? I know, might sound like a stupid idea at f
       - [`sops`](#sops)
         - [PGP](#pgp)
         - [AWS KMS](#aws-kms)
+        - [GCP KMS](#gcp-kms)
         - [Hashicorp Vault](#hashicorp-vault)
       - [AES256](#aes256)
     - [Running backend remotely](#running-backend-remotely)
@@ -221,6 +222,7 @@ We are using [`sops`](https://github.com/mozilla/sops) as encryption abstraction
 
 - PGP
 - AWS KMS
+- GCP KMS
 - Hashicorp Vault
 
 Before we integrated with `sops` - we had a basic AES256 encryption via static passphrase. It is no longer recommended, although might be useful in some limited scenarios. Basic AES256 encryption is using one shared key, and it encrypts entire JSON state file that it can no longer be read as JSON. `sops` supports various encryption-as-service providers such as AWS KMS and Hashicorp Vault Transit - meaning encryption can be safely performed without revealing private key to the encryption clients. That means keys can be easily rotated, access can be easily revoked and generally it dramatically reduces chances of the key leaks.
@@ -237,6 +239,10 @@ Use `TF_BACKEND_HTTP_SOPS_PGP_FP` to provide a comma separated PGP key fingerpri
 
 Use `TF_BACKEND_HTTP_SOPS_AWS_KMS_ARNS` to provide a comma separated list of KMS ARNs. AWS SDK will use standard [credentials provider chain](https://docs.aws.amazon.com/sdk-for-go/api/aws/credentials/) in order to automatically discover local credentials in standard `AWS_*` environment variables or `~/.aws`. You can optionally use `TF_BACKEND_HTTP_SOPS_AWS_PROFILE` to point it to a specific shared profile. You can also provide additional KMS encryption context using `TF_BACKEND_HTTP_SOPS_AWS_KMS_CONTEXT` - it is a comma separated list of `key=value` pairs.
 
+##### GCP KMS
+
+Use `TF_BACKEND_HTTP_SOPS_GCP_KMS_KEYS` to provide a comma separated list of GCP KMS IDs. Read [Encrypting using GCP KMS](https://github.com/getsops/sops#encrypting-using-gcp-kms) for further details.
+
 ##### Hashicorp Vault
 
 Use `TF_BACKEND_HTTP_SOPS_HC_VAULT_URIS` to point it to the Vault Transit keys. It is a comma separated list of URLs in a form of `${VAULT_ADDR}/v1/transit/keys/key`, where `transit` is a name of Vault Transit mount and `key` is the name of the key in that mount. Under the hood Vault SDK is using standard credentials resolver to automatically discover Vault credentials in the environment, meaning you can either use `vault login` or set `VAULT_TOKEN` environment variable.

diff --git a/crypt/sops/gcp_kms.go b/crypt/sops/gcp_kms.go
@@ -0,0 +1,31 @@
+package sops
+
+import (
+	"os"
+
+	sops "go.mozilla.org/sops/v3"
+	"go.mozilla.org/sops/v3/gcpkms"
+)
+
+func init() {
+	Configs["gcp-kms"] = &GcpKmsConfig{}
+}
+
+type GcpKmsConfig struct{}
+
+func (c *GcpKmsConfig) IsActivated() bool {
+	_, ok := os.LookupEnv("TF_BACKEND_HTTP_SOPS_GCP_KMS_KEYS")
+	return ok
+}
+
+func (c *GcpKmsConfig) KeyGroup() (sops.KeyGroup, error) {
+	keys := os.Getenv("TF_BACKEND_HTTP_SOPS_GCP_KMS_KEYS")
+
+	var keyGroup sops.KeyGroup
+
+	for _, k := range gcpkms.MasterKeysFromResourceIDString(keys) {
+		keyGroup = append(keyGroup, k)
+	}
+
+	return keyGroup, nil
+}