-
-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add encryption to remote_state #3586
Conversation
First: Great job, @norman-zon ! This is looking good! If we're going to have another attribute on the Given all that, would you be willing to adjust the implementation so that it's either a configuration block or an attribute that's a part of |
@yhakbar thanks for the kind words. I did not nest remote_state {
backend = "xxx"
config = {
bucket {
name = mybucket
prefix = ....
}
encryption {
key_provider = ....
}
} Otherwise mixing up attributes for the bucket ( Does this make sense to you? |
Can you confirm that the configuration has to create two
I would expect that I would prefer for them to be configured together, but I haven't used this feature, so I'm speaking out of ignorance. |
Sorry, I think I was not clear enough. We don't need to have two different
This is valid OpentTofu config. For me it would be counter-intuitive, to have the For example we would have something like: remote_state {
backend = "xxx"
config = {
bucket = "my-bucket"
key_provider = "pbkdf2"
} So one Does this clear up my rationale? |
41e4fc1
to
b9c07cd
Compare
@yhakbar , could you take a look at this again? I would love to wrap it up. |
Hey @norman-zon , Sorry I haven't had a ton of time to devote to reviewing this. I'll try my best to install this version locally and play with it sometime soon to be able to speak to whether it provides a good experience for a Terragrunt user. My delay is partially due to the fact that I'm inexperienced with the OpenTofu feature. |
Hey @norman-zon , First, I'm taking a deeper look at this PR, and I want to say great work! This is really nice. It definitely looks like you're on the right path, and I'm gonna be trying it out locally to make sure it does work in a fixture I create. Here are there the main issues that I'm seeing that would prevent this from being merged:
I know that's a lot of feedback, and I hope that's not intimidating. Tag me again if you encounter any issue you can't overcome or want another look, and I'm happy to help. Feel free to reach out in Discord too if you need a quick question answered on Golang development, etc. You might also be able to get more eyes on this from other members of the community to help you out. |
f0c0e4e
to
0334462
Compare
@yhakbar For the integration tests to work, you would have to create a GCP and AWS KMS key and add them here. As for how to test the encryption, checking for the The documentation is a bit scarce, I know. But it felt like everything is explained in the Tofu docs already. Again on the topic of this being a OpenTofu only feature, I was not sure how to indicate this best. |
Hey @norman-zon , This is looking really good! Well done, adding all of this. Do you mind having the AWS key depend on this?
We already setup a test key to support integrations with AWS KMS. I'm syncing up with the team on the GCP side of things. We have a GCP project we put aside for Terragrunt integration tests that is used for testing remote state storage, but I don't think we leave around a test key for GCP KMS testing. To get this moving along, I would actually ask that you just skip the GCP tests for now ( As for how to test it properly, I think you're doing the right thing. As long as you verify that the state file does indeed have base64 encoded values, and OpenTofu is continuing to work, we should be fine. I'm gonna read through things more carefully, so you might get more feedback soon. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mostly nits on the docs. Once you update the AWS KMS key and add the skip for GCP tests, I'll run the tests locally, then approve.
|
||
encryption = { | ||
key_provider = "pbkdf2" | ||
passphrase = "SUPERSECRETPASSPHRASE" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I recommend documenting this with get_env here, as even if you were going for passphrase based authentication, you have no need to store the secret in plain text.
Make sure the HCL is formatted too (put some space after passphrase
)!
} | ||
encryption { | ||
key_provider "pbkdf2" "default" { | ||
passphrase = "SUPERSECRETPASSPHRASE" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can leave this in plain text just to demonstrate the point.
Thanks again for the feedback. I updated the PR. Unfortunately I cannot get AWS KMS to work. I added the key you mentioned but get this error:
Maybe someone with more AWS experience can chip in here? EDIT: Of course this was just me not having permissions on the AWS KMS key. I tested with a key I created in my own org and it worked. So it should work like it is in your CI |
36caf96
to
0558538
Compare
Hey @norman-zon , great work! I feel like we're almost there! I see failing unit tests here:
If you can fix them soon, feel free to do so, otherwise, I'll see if I can chain a PR into this before the end of the day ET to fix the tests so that we can merge your PR in. We are on company holiday starting next week, so we might not be able to merge this until next year otherwise. |
I was on holiday myself, so no worries. The last 3 tests are fixed now. Thanks for your ongoing support and patience! |
I owe you a re-review on this. Will look to get to this soon, @norman-zon ! |
Seeing failures that do seem related to the changes you were trying to effect earlier:
|
add strict typing to enforce usage of attributes for the encryption config that are recongnized by tofu to avoid defering error handling to them
f9192c7
to
5eb9619
Compare
@@ -231,9 +236,10 @@ func fileWasGeneratedByTerragrunt(path string) (bool, error) { | |||
} | |||
|
|||
// RemoteStateConfigToTerraformCode converts the arbitrary map that represents a remote state config into HCL code to configure that remote state. | |||
func RemoteStateConfigToTerraformCode(backend string, config map[string]interface{}) ([]byte, error) { | |||
func RemoteStateConfigToTerraformCode(backend string, config map[string]interface{}, encryption map[string]interface{}) ([]byte, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
func RemoteStateConfigToTerraformCode(backend string, config map[string]interface{}, encryption map[string]interface{}) ([]byte, error) { | |
func RemoteStateConfigToTerraformCode(backend string, config map[string]interface{}, encryption map[string]any) ([]byte, error) { |
terraformBlock := f.Body().AppendNewBlock("terraform", nil).Body() | ||
backendBlock := terraformBlock.AppendNewBlock("backend", []string{backend}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const (
TerraformBlockName = "terraform"
BackendBlockName = "backend"
)
terraformBlock := f.Body().AppendNewBlock("terraform", nil).Body() | |
backendBlock := terraformBlock.AppendNewBlock("backend", []string{backend}) | |
terraformBlock := f.Body().AppendNewBlock(TerraformBlockName, nil).Body() | |
backendBlock := terraformBlock.AppendNewBlock(BackendBlockName, []string{backend}) |
} | ||
|
||
methodTraversal := hcl.Traversal{ | ||
hcl.TraverseRoot{Name: "method"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"method" should be a constant.
} | ||
|
||
// encryption block | ||
encryptionBlock := terraformBlock.AppendNewBlock("encryption", nil) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"encryption" should be a constant.
keyProviderBlockBody := encryptionBlockBody.AppendNewBlock(encryptionKeyProviderKey, []string{keyProvider, encryptionResourceName}).Body() | ||
|
||
// Append method block | ||
methodBlock := encryptionBlockBody.AppendNewBlock("method", []string{encryptionDefaultMethod, encryptionResourceName}).Body() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"method" should be a constant.
decoder, err := mapstructure.NewDecoder(decoderConfig) | ||
|
||
if err != nil { | ||
return fmt.Errorf("failed to create decoder: %w", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return fmt.Errorf("failed to create decoder: %w", err) | |
return errors.Errorf("failed to create decoder: %w", err) |
} | ||
|
||
if err := decoder.Decode(encryptionConfig); err != nil { | ||
return fmt.Errorf("failed to decode key provider properties: %w", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return fmt.Errorf("failed to decode key provider properties: %w", err) | |
return errors.Errorf("failed to decode key provider properties: %w", err) |
func (b *GenericRemoteEncryptionKeyProvider[T]) UnmarshalConfig(encryptionConfig map[string]interface{}) error { | ||
// Decode the key provider type using the default decoder config | ||
if err := mapstructure.Decode(encryptionConfig, &b); err != nil { | ||
return fmt.Errorf("failed to decode key provider: %w", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return fmt.Errorf("failed to decode key provider: %w", err) | |
return errors.Errorf("failed to decode key provider: %w", err) |
T T `mapstructure:",squash"` | ||
} | ||
|
||
func (b *GenericRemoteEncryptionKeyProvider[T]) UnmarshalConfig(encryptionConfig map[string]interface{}) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
func (b *GenericRemoteEncryptionKeyProvider[T]) UnmarshalConfig(encryptionConfig map[string]interface{}) error { | |
func (b *GenericRemoteEncryptionKeyProvider[T]) UnmarshalConfig(encryptionConfig map[string]any) error { |
|
||
func NewRemoteEncryptionKeyProvider(providerType string) (RemoteEncryptionConfig, error) { | ||
switch providerType { | ||
case "pbkdf2": |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would recommend something like this:
func (*RemoteEncryptionKeyProviderPBKDF2) Name() string {
return "pbkdf2"
}
case "pbkdf2": | |
case new(RemoteEncryptionKeyProviderPBKDF2).Name(): |
return &GenericRemoteEncryptionKeyProvider[RemoteEncryptionKeyProviderGCPKMS]{}, nil | ||
case "aws_kms": | ||
return &GenericRemoteEncryptionKeyProvider[RemoteEncryptionKeyProviderAWSKMS]{}, nil | ||
default: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think should be added test to cover this case too
|
||
func (b *GenericRemoteEncryptionKeyProvider[T]) UnmarshalConfig(encryptionConfig map[string]interface{}) error { | ||
// Decode the key provider type using the default decoder config | ||
if err := mapstructure.Decode(encryptionConfig, &b); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
encryptionConfig
- can be null?
Makes sense to add a check
if encryptionConfig == nil {
return errors....
}
@@ -284,6 +290,80 @@ func RemoteStateConfigToTerraformCode(backend string, config map[string]interfac | |||
backendBlockBody.SetAttributeValue(key, ctyVal.Value) | |||
} | |||
|
|||
// encryption can be empty | |||
if len(encryption) > 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can changed flow to return if encryption is 0 to not have nested blocks?
* fix: Addressing Levko's feedback in #3586 * fix: Adding test for unknown provider * fix: Adding nil check for UnmarshalConfig on encryptionConfig * fix: Inverting check for early return on missing encryption
Released in v0.72.2. |
add the most basic and naive implementation of an encryption attribute to the remote_state block, to generate encryption config for the backend
Description
Fixes #3495.
This PR adds an attribute
encryption
to theremote_state
block that generates aencryption
block in the backend config. This allow to use the OpenTofu state encryption directly from within terragrunt, thus keeping encryption config DRY.TODOs
Read the Gruntwork contribution guidelines.
Release Notes (draft)
Added / Removed / Updated [X].
Migration Guide