homelab/terraform/proxmox-examples/docker-host/scripts/tf-encrypt
Claude 9109712b59
feat: Add SOPS state management and fix Terraform deployment issues
SOPS State Management:
- Implemented Git + SOPS + age encryption for Terraform state files
- Added .gitignore files to prevent committing unencrypted secrets
- Created .sops.yaml.example template for age encryption configuration
- Created helper scripts for automated encryption/decryption workflow:
  - scripts/tf: Wrapper script with auto-encrypt/decrypt
  - scripts/tf-encrypt: Manual encryption of state files
  - scripts/tf-decrypt: Manual decryption of state files
- Added comprehensive STATE_MANAGEMENT.md documentation covering:
  - Installation of age and SOPS
  - Initial setup and key generation
  - Daily workflow examples
  - Security best practices
  - Troubleshooting common issues
  - Multi-user key management
  - Backup strategies

Terraform Deployment Fixes:
- Added snippets_storage variable for cloud-init snippet storage
- Fixed datastore error: "local" does not support snippets
- Updated README with solutions for datastore and SSH issues
- Added troubleshooting for:
  - Enabling snippets on existing storage (pvesm set)
  - Creating dedicated directory storage for snippets
  - SSH authentication setup with ssh-agent
  - Manual cloud-init snippet creation workaround

Files modified:
- terraform/proxmox-examples/docker-host/main.tf
- terraform/proxmox-examples/docker-host/variables.tf
- terraform/proxmox-examples/docker-host/terraform.tfvars.example
- terraform/proxmox-examples/docker-host/README.md

Files added:
- .gitignore (root level)
- terraform/proxmox-examples/docker-host/.gitignore
- terraform/proxmox-examples/docker-host/.sops.yaml.example
- terraform/proxmox-examples/docker-host/STATE_MANAGEMENT.md
- terraform/proxmox-examples/docker-host/scripts/tf
- terraform/proxmox-examples/docker-host/scripts/tf-encrypt
- terraform/proxmox-examples/docker-host/scripts/tf-decrypt
2025-11-11 05:55:07 +00:00

94 lines
2.5 KiB
Bash
Executable file

#!/usr/bin/env bash
#
# tf-encrypt - Encrypt Terraform state and tfvars files with SOPS
#
# Usage: ./scripts/tf-encrypt
#
set -euo pipefail

# Resolve the Terraform directory (parent of scripts/) and work from there,
# so the script can be invoked from any current directory.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
TF_DIR="$(dirname "$SCRIPT_DIR")"
cd "$TF_DIR"

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

error() {
    echo -e "${RED}ERROR: $1${NC}" >&2
    exit 1
}

success() {
    echo -e "${GREEN}$1${NC}"
}

warn() {
    echo -e "${YELLOW}$1${NC}"
}

# Check if SOPS is installed
if ! command -v sops &> /dev/null; then
    error "sops is not installed. Install it from: https://github.com/getsops/sops/releases"
fi

# Check if .sops.yaml exists
if [[ ! -f .sops.yaml ]]; then
    error ".sops.yaml not found. Copy .sops.yaml.example and configure your age key."
fi

# Check if age key placeholder is still present
if grep -q "YOUR_AGE_PUBLIC_KEY_HERE" .sops.yaml; then
    error ".sops.yaml contains placeholder. Replace YOUR_AGE_PUBLIC_KEY_HERE with your actual age public key."
fi

echo "🔐 Encrypting Terraform files..."
echo

# Encrypt terraform.tfstate if it exists.
# With 'set -e', a failing sops run aborts before the plaintext is deleted.
if [[ -f terraform.tfstate ]]; then
    echo "Encrypting terraform.tfstate..."
    sops -e terraform.tfstate > terraform.tfstate.enc
    success "terraform.tfstate → terraform.tfstate.enc"

    # Securely delete unencrypted state (fall back to rm where shred is unavailable)
    shred -u terraform.tfstate 2>/dev/null || rm -f terraform.tfstate
    success "Deleted unencrypted terraform.tfstate"
else
    warn "terraform.tfstate not found (this is normal if you haven't run 'tofu apply' yet)"
fi

# Encrypt terraform.tfvars if it exists
if [[ -f terraform.tfvars ]]; then
    echo "Encrypting terraform.tfvars..."
    sops -e terraform.tfvars > terraform.tfvars.enc
    success "terraform.tfvars → terraform.tfvars.enc"

    # Keep original tfvars (don't delete, just warn)
    warn "Remember to not commit unencrypted terraform.tfvars to Git"
else
    warn "terraform.tfvars not found"
fi

# Encrypt backup state files if they exist.
# An unmatched glob stays literal, so the -f test skips it.
for backup in terraform.tfstate.backup terraform.tfstate.*.backup; do
    if [[ -f "$backup" ]]; then
        echo "Encrypting $backup..."
        sops -e "$backup" > "${backup}.enc"
        success "$backup → ${backup}.enc"
        shred -u "$backup" 2>/dev/null || rm -f "$backup"
        success "Deleted unencrypted $backup"
    fi
done

echo
success "All Terraform files encrypted successfully!"
echo
echo "Next steps:"
echo "  1. git add *.enc"
echo "  2. git commit -m 'Update encrypted Terraform state'"
echo "  3. git push"
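The commit message relies on .gitignore to keep plaintext state out of Git, and tf-encrypt above produces the *.enc files that are meant to be committed. The following pre-commit guard is an added example, not part of this repository: it refuses a commit that stages plaintext state or tfvars, and rejects any *.enc file that lacks SOPS metadata (a heuristic check for the "sops" and "mac" keys SOPS writes), so a failed encryption run cannot be pushed by mistake. The function names and the --hook flag are assumptions of this example.

```shell
#!/usr/bin/env bash
# Pre-commit guard (added example, not from the repo): block plaintext
# Terraform state/tfvars and unencrypted *.enc files from being committed.
set -euo pipefail

# Returns 0 if the path names a file that must never be committed in the clear.
is_plaintext_secret() {
    case "$(basename "$1")" in
        terraform.tfstate|terraform.tfstate.backup|terraform.tfvars|*.tfstate.*.backup) return 0 ;;
        *) return 1 ;;
    esac
}

# Heuristic: a SOPS-encrypted file carries a top-level "sops" block with a "mac".
# Assumption: this holds for the JSON wrapper SOPS writes for .tfstate/.tfvars input.
looks_sops_encrypted() {
    grep -q '"sops"' "$1" && grep -q '"mac"' "$1"
}

# Checks each path given as an argument; prints every violation to stderr and
# returns 1 if any was found, 0 otherwise.
check_staged() {
    local rc=0 f
    for f in "$@"; do
        if is_plaintext_secret "$f"; then
            echo "BLOCKED: $f is unencrypted Terraform state/vars" >&2
            rc=1
        elif [[ "$f" == *.enc && -f "$f" ]] && ! looks_sops_encrypted "$f"; then
            echo "BLOCKED: $f has no SOPS metadata (encryption failed?)" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Installed as .git/hooks/pre-commit, run with --hook to check the staged files.
if [[ "${1:-}" == "--hook" ]]; then
    mapfile -t staged < <(git diff --cached --name-only --diff-filter=ACMR)
    check_staged ${staged[@]+"${staged[@]}"}
fi
```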