homelab/terraform/proxmox-examples/docker-host/scripts/tf-decrypt
Claude 9109712b59
feat: Add SOPS state management and fix Terraform deployment issues
SOPS State Management:
- Implemented Git + SOPS + age encryption for Terraform state files
- Added .gitignore files to prevent committing unencrypted secrets
- Created .sops.yaml.example template for age encryption configuration
- Created helper scripts for automated encryption/decryption workflow:
  - scripts/tf: Wrapper script with auto-encrypt/decrypt
  - scripts/tf-encrypt: Manual encryption of state files
  - scripts/tf-decrypt: Manual decryption of state files
- Added comprehensive STATE_MANAGEMENT.md documentation covering:
  - Installation of age and SOPS
  - Initial setup and key generation
  - Daily workflow examples
  - Security best practices
  - Troubleshooting common issues
  - Multi-user key management
  - Backup strategies

Terraform Deployment Fixes:
- Added snippets_storage variable for cloud-init snippet storage
- Fixed datastore error: "local" does not support snippets
- Updated README with solutions for datastore and SSH issues
- Added troubleshooting for:
  - Enabling snippets on existing storage (pvesm set)
  - Creating dedicated directory storage for snippets
  - SSH authentication setup with ssh-agent
  - Manual cloud-init snippet creation workaround

Files modified:
- terraform/proxmox-examples/docker-host/main.tf
- terraform/proxmox-examples/docker-host/variables.tf
- terraform/proxmox-examples/docker-host/terraform.tfvars.example
- terraform/proxmox-examples/docker-host/README.md

Files added:
- .gitignore (root level)
- terraform/proxmox-examples/docker-host/.gitignore
- terraform/proxmox-examples/docker-host/.sops.yaml.example
- terraform/proxmox-examples/docker-host/STATE_MANAGEMENT.md
- terraform/proxmox-examples/docker-host/scripts/tf
- terraform/proxmox-examples/docker-host/scripts/tf-encrypt
- terraform/proxmox-examples/docker-host/scripts/tf-decrypt
2025-11-11 05:55:07 +00:00


#!/usr/bin/env bash
#
# tf-decrypt - Decrypt Terraform state and tfvars files with SOPS
#
# Usage: ./scripts/tf-decrypt
#
# Decrypted output is created owner-only (0600) and moved into place only
# after sops exits successfully, so a failed decryption (wrong key, tampered
# or truncated ciphertext) never clobbers an existing plaintext file.
#
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
TF_DIR="$(dirname "$SCRIPT_DIR")"
cd "$TF_DIR"

# Plaintext state and tfvars carry secrets: new files are owner-readable only.
umask 077

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

error() {
    echo -e "${RED}ERROR: $1${NC}" >&2
    exit 1
}

success() {
    echo -e "${GREEN}$1${NC}"
}

warn() {
    echo -e "${YELLOW}$1${NC}"
}

# Decrypt $1 into ${1%.enc}: write to a temp file beside the target and
# rename it over the target only if sops succeeded.
decrypt_file() {
    local src="$1"
    local dst="${src%.enc}"
    local tmp
    tmp="$(mktemp "${dst}.XXXXXX")"
    echo "Decrypting ${src}..."
    if sops -d "$src" > "$tmp"; then
        chmod 600 "$tmp"
        mv -f "$tmp" "$dst"
        success "${src}${dst}"
    else
        rm -f "$tmp"
        error "Failed to decrypt ${src}; existing ${dst} left untouched."
    fi
}

# Check if SOPS is installed
if ! command -v sops &> /dev/null; then
    error "sops is not installed. Install it from: https://github.com/getsops/sops/releases"
fi

# Check if .sops.yaml exists. Decryption itself reads the recipients from the
# metadata stored in each .enc file; this check keeps the checkout configured
# for the matching ./scripts/tf-encrypt step.
if [[ ! -f .sops.yaml ]]; then
    error ".sops.yaml not found. Copy .sops.yaml.example and configure your age key."
fi

# Check if SOPS_AGE_KEY_FILE is set or exists in default location. If neither,
# sops falls back to its own default identity file (on Linux
# ~/.config/sops/age/keys.txt).
if [[ -z "${SOPS_AGE_KEY_FILE:-}" ]]; then
    if [[ -f ~/.sops/homelab-terraform.txt ]]; then
        export SOPS_AGE_KEY_FILE=~/.sops/homelab-terraform.txt
    else
        warn "SOPS_AGE_KEY_FILE not set. Trying default age identities..."
    fi
fi

echo "🔓 Decrypting Terraform files..."
echo

# Decrypt terraform.tfstate.enc if it exists
if [[ -f terraform.tfstate.enc ]]; then
    decrypt_file terraform.tfstate.enc
else
    warn "terraform.tfstate.enc not found (this is normal for first-time setup)"
fi

# Decrypt terraform.tfvars.enc if it exists
if [[ -f terraform.tfvars.enc ]]; then
    decrypt_file terraform.tfvars.enc
else
    warn "terraform.tfvars.enc not found"
fi

# Decrypt backup state files if they exist. An unmatched glob stays literal
# and fails the -f test, so having no backups is not an error.
for backup_enc in terraform.tfstate.backup.enc terraform.tfstate.*.backup.enc; do
    if [[ -f "$backup_enc" ]]; then
        decrypt_file "$backup_enc"
    fi
done

echo
success "All Terraform files decrypted successfully!"
echo
warn "Remember to encrypt files after making changes: ./scripts/tf-encrypt"
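
The script above leaves plaintext terraform.tfstate and terraform.tfvars in the working tree, and the commit relies on .gitignore to keep them out of Git. A .gitignore is advisory (git add -f bypasses it, and a file renamed to .enc without being encrypted passes it), so a pre-commit guard is the check a practitioner would add. The following is an added example, not a script from this repository: it refuses a commit when a plaintext state or tfvars file (the same names the tf-* scripts handle) is staged, and checks that every staged *.enc file carries SOPS metadata (a top-level "sops" object with a "mac" and an "age" recipient list). The hook wiring and the sample files are assumptions made for the demo.

```sh
#!/bin/sh
# Added example (not part of the repository): pre-commit guard for the
# SOPS + age Terraform state workflow. Refuses plaintext state/tfvars and
# *.enc files that are plaintext merely renamed.
set -eu

# File names the tf-encrypt/tf-decrypt scripts treat as secret-bearing plaintext.
is_plaintext_tf_file() {
  case "$1" in
    *.enc) return 1 ;;
    terraform.tfstate|*/terraform.tfstate) return 0 ;;
    terraform.tfstate.backup|*/terraform.tfstate.backup) return 0 ;;
    terraform.tfstate.*.backup|*/terraform.tfstate.*.backup) return 0 ;;
    terraform.tfvars|*/terraform.tfvars) return 0 ;;
    *) return 1 ;;
  esac
}

# SOPS stores its metadata in a top-level "sops" object holding the MAC over
# the plaintext and the recipients ("age" in this setup). Terraform state and
# tfvars never contain those keys, so their absence means "not encrypted".
# This is a structural check of the metadata, not a verification of the MAC.
is_sops_encrypted() {
  [ -f "$1" ] || return 1
  grep -q '"sops"[[:space:]]*:' "$1" &&
    grep -q '"mac"[[:space:]]*:' "$1" &&
    grep -q '"age"[[:space:]]*:' "$1"
}

# Check the staged paths given as arguments; return 0 only when safe to commit.
check_staged() {
  rc=0
  for path in "$@"; do
    if is_plaintext_tf_file "$path"; then
      echo "BLOCKED: plaintext Terraform file staged: $path (run ./scripts/tf-encrypt first)" >&2
      rc=1
    else
      case "$path" in
        *.enc)
          if ! is_sops_encrypted "$path"; then
            echo "BLOCKED: $path has no SOPS metadata, it is not actually encrypted" >&2
            rc=1
          fi ;;
      esac
    fi
  done
  return $rc
}

# Stand-alone demo on constructed sample files (not real state, not real ciphertext).
demo_dir="$(mktemp -d)"
printf '{"version":4,"outputs":{"db_password":{"value":"hunter2"}}}\n' > "$demo_dir/terraform.tfstate"
cp "$demo_dir/terraform.tfstate" "$demo_dir/renamed.tfstate.enc"   # renamed, never encrypted
printf '{"version":"ENC[AES256_GCM,data:...]","sops":{"age":[{"recipient":"age1example"}],"mac":"ENC[AES256_GCM,data:...]"}}\n' \
  > "$demo_dir/terraform.tfvars.enc"

if check_staged "$demo_dir/terraform.tfstate" "$demo_dir/renamed.tfstate.enc" "$demo_dir/terraform.tfvars.enc"; then
  echo "commit allowed"
else
  echo "commit refused"   # expected here: two of the three staged files are blocked
fi
rm -rf "$demo_dir"
```

To use it as a hook (assumed wiring), call `check_staged $(git diff --cached --name-only --diff-filter=ACM)` from .git/hooks/pre-commit and let its exit status decide the commit. The metadata grep catches the common failure modes (forgetting ./scripts/tf-encrypt, or copying a plaintext file to a .enc name); it does not prove the ciphertext decrypts, which only sops itself can do.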