As part of the covid-19 extra free time, I'm learning google cloud and terraform.
My first experiment was to deploy a simple docker file to cloud run service and to set up a custom domain.
When I got the results needed, I wanted to commit the files to Github, but I've found out that the terraform files can expose secrets. To avoid using a third party solution, I decided to use a tool to encrypt the files before committing. I looked for a simple solution, self-contained and portable, so I decided to create my own solution.
git-secrets - simple npm package that can be used with husky (git hooks), to transparent encrypt and decrypt files in your repo.
Setup:
npm i -S git-secrets husky
"scripts": {
"start": "node src/server.js",
"infra:init": "terraform init",
"infra:plan": "terraform plan",
"infra:deploy": "terraform apply",
"infra:destroy": "terraform destroy",
"secret:init": "./node_modules/.bin/git-secrets init",
"secret:hide": "./node_modules/.bin/git-secrets hide",
"secret:reveal": "./node_modules/.bin/git-secrets reveal"
},
"husky": {
"hooks": {
"pre-commit": "npm run secret:hide && git add .",
"post-commit": "npm run secret:reveal"
}
},
npm run secret:init
Now, add files you would like to encrypt before committing them to the config file.
.git-secrets (can be any other file by setting env variable GIT_SECRETS_CONFIG)
terraform.tfstate
variables.tf
secrets.json
The next step is to choose your secret password and pass it to git-secrets. You can pass the key by cli param (--key=secret), env variable (GIT_SECRETS_KEY), and by creating the key file (make sure you add this file to .gitignore, filename=.git-secrets.key)
The final step is to test all our configurations, commit the changes we just added and check the files on GitHub to see the result.
- disclaimer: this is a work in progress and not safe for production or enterprise projects, but can do the trick for self-projects when the risk is low.
Top comments (0)