### sops_file Ephemeral Resource Example Source: https://github.com/carlpett/terraform-provider-sops/blob/master/docs/ephemeral-resources/file.md Demonstrates how to use the sops_file ephemeral resource to decrypt a file and access its data. Ensure the 'sops' provider is configured. ```terraform provider "sops" {} ephemeral "sops_file" "demo_secret" { source_file = "demo_secret.enc.json" } output "root_value_password" { # Access the password variable from the map value = data.sops_file.demo_secret.data["password"] } output "mapped_nested_value" { # Access the password variable that is under db via the terraform map of data value = data.sops_file.demo_secret.data["db.password"] } output "nested_json_value" { # Access the password variable that is under db via the terraform object value = jsondecode(data.sops_file.demo_secret.raw).db.password } ``` -------------------------------- ### Install Terraform SOPS Provider Source: https://github.com/carlpett/terraform-provider-sops/blob/master/README.md Specify the SOPS provider source and version in a required_providers block for Terraform 0.13 and later. ```hcl terraform { required_providers { sops = { source = "carlpett/sops" version = ">= 0.5" } } } ``` -------------------------------- ### Example Usage of sops Provider Source: https://github.com/carlpett/terraform-provider-sops/blob/master/docs/index.md This snippet shows how to configure the sops provider and use the sops_file data source to decrypt a file. Ensure you have a secure remote state backend to prevent plaintext secrets from being written to disk. ```terraform provider "sops" {} data "sops_file" "demo_secret" { source_file = "demo-secret.enc.json" } output "db_password" { # Access the password variable that is under db via the terraform map of data value = data.sops_file.demo_secret.data["db.password"] } ``` -------------------------------- ### Example Usage of sops_external Resource Source: https://github.com/carlpett/terraform-provider-sops/blob/master/docs/ephemeral-resources/external.md Demonstrates how to use the sops_external resource to read encrypted data from a remote source and access its decrypted content. Ensure the 'http' data source is configured correctly to fetch the encrypted data. ```terraform data "http" "remote_sops_data" { url = "https://sops.example/my-data" } ephemeral "sops_external" "demo_secret" { source = data.http.remote_sops_data.body input_type = "yaml" } output "root_value_hello" { value = ephemeral.sops_external.demo_secret.data.hello } ``` -------------------------------- ### Terraform 0.11 and Older SOPS File Usage Source: https://github.com/carlpett/terraform-provider-sops/blob/master/docs/guides/legacy_usage.md Example of how to use the sops_file data source in Terraform 0.11 and older to access nested fields within a decrypted SOPS file using string interpolation. ```hcl provider "sops" {} data "sops_file" "demo-secret" { source_file = "demo-secret.enc.json" } output "do-something" { value = "${data.sops_file.demo-secret.data.password}" } output "do-something2" { value = "${data.sops_file.demo-secret.data.db.password}" } ``` -------------------------------- ### Read Remote SOPS Data Source: https://github.com/carlpett/terraform-provider-sops/blob/master/docs/data-sources/external.md This example demonstrates how to fetch sops-encrypted data from a remote URL using the http data source and then decrypt it using the sops_external data source. Specify the input_type based on the unencrypted data's format. ```terraform data "http" "remote_sops_data" { url = "https://sops.example/my-data" } data "sops_external" "demo_secret" { source = data.http.remote_sops_data.body input_type = "yaml" } output "root-value-hello" { value = data.sops_external.demo_secret.data.hello } ``` -------------------------------- ### Terraform 0.12 SOPS File Usage Source: https://github.com/carlpett/terraform-provider-sops/blob/master/docs/guides/legacy_usage.md Example of how to use the sops_file data source in Terraform 0.12 to access nested fields within a decrypted SOPS file. ```hcl provider "sops" {} data "sops_file" "demo-secret" { source_file = "demo-secret.enc.json" } output "root-value-password" { # Access the password variable from the map value = data.sops_file.demo-secret.data["password"] } output "mapped-nested-value" { # Access the password variable that is under db via the terraform map of data value = data.sops_file.demo-secret.data["db.password"] } output "nested-json-value" { # Access the password variable that is under db via the terraform object value = jsondecode(data.sops_file.demo-secret.raw).db.password } ``` -------------------------------- ### Configure sops Provider and Use Ephemeral Resource Source: https://context7.com/carlpett/terraform-provider-sops/llms.txt Configure the sops provider and use the `sops_external` ephemeral resource to decrypt data from a remote HTTP source without persisting it to state. Ensure the provider version is specified. ```hcl terraform { required_providers { sops = { source = "carlpett/sops" version = "~> 1.3.0" } } } # Fetch encrypted data from remote source data "http" "remote_sops_data" { url = "https://sops.example/my-data" } # Ephemeral external resource - decrypt without state persistence ephemeral "sops_external" "demo_secret" { source = data.http.remote_sops_data.body input_type = "yaml" } output "root_value_hello" { value = ephemeral.sops_external.demo_secret.data.hello sensitive = true } ``` -------------------------------- ### Migrate Terraform State for SOPS Provider Source: https://context7.com/carlpett/terraform-provider-sops/llms.txt Migrate your Terraform state file to use the official registry source for the SOPS provider. This is necessary when transitioning from older Terraform versions. Run `terraform init` and `terraform plan` after migration. ```shell # Migrate state from legacy provider reference to official registry terraform state replace-provider registry.terraform.io/-/sops registry.terraform.io/carlpett/sops # Verify the migration terraform init terraform plan ``` -------------------------------- ### Transitioning to Terraform 0.13 provider required blocks Source: https://github.com/carlpett/terraform-provider-sops/blob/master/README.md When converting to Terraform 0.13, ensure you remove the old data source block from your terraform.state file and use the new required_providers block. ```hcl terraform { required_providers { sops = { source = "carlpett/sops" version = "~> 0.5" } } } ``` -------------------------------- ### Replace Terraform SOPS Provider Source: https://github.com/carlpett/terraform-provider-sops/blob/master/docs/guides/legacy_usage.md Use this command to migrate your state from older Terraform versions to the new provider. ```shell terraform state replace-provider registry.terraform.io/-/sops registry.terraform.io/carlpett/sops ``` -------------------------------- ### Configure Terraform SOPS Provider Source: https://context7.com/carlpett/terraform-provider-sops/llms.txt Declare the SOPS provider and specify its version in your Terraform configuration. No explicit provider configuration block is needed as it relies on environment variables. ```hcl terraform { required_providers { sops = { source = "carlpett/sops" version = ">= 1.3.0" } } } provider "sops" {} ``` -------------------------------- ### Read SOPS Encrypted File with sops_file Data Source Source: https://context7.com/carlpett/terraform-provider-sops/llms.txt Use the sops_file data source to read and decrypt SOPS-encrypted files from the local filesystem. Decrypted data is available in the 'data' map (supporting dot notation for nested keys) or as 'raw' content. The file format is auto-detected, but 'input_type' can be specified. ```hcl # Encrypt a file first using SOPS CLI: # sops demo-secret.enc.json # { # "password": "foo", # "db": {"password": "bar"} # } provider "sops" {} data "sops_file" "demo-secret" { source_file = "demo-secret.enc.json" } # Access root-level value from the flattened data map output "root-value-password" { value = data.sops_file.demo-secret.data["password"] sensitive = true } # Access nested value using dot notation in the data map output "mapped-nested-value" { value = data.sops_file.demo-secret.data["db.password"] sensitive = true } # Access nested value by parsing the raw JSON output output "nested-json-value" { value = jsondecode(data.sops_file.demo-secret.raw).db.password sensitive = true } # For raw/binary encrypted files, specify input_type explicitly data "sops_file" "raw-secret" { source_file = "secret-data.txt" input_type = "raw" } output "raw-content" { value = data.sops_file.raw-secret.raw sensitive = true } ``` -------------------------------- ### sops_file Data Source Source: https://github.com/carlpett/terraform-provider-sops/blob/master/docs/data-sources/file.md The `sops_file` data source reads data from a sops-encrypted file on disk. It can unmarshal the data into a map or provide the raw string content. ```APIDOC ## sops_file Data Source ### Description Read data from a sops-encrypted file on disk. ### Method DATA SOURCE ### Endpoint N/A (Data Source) ### Parameters #### Required - **source_file** (String) - Path to the encrypted file. #### Optional - **input_type** (String) - The provider will use the file extension to determine how to unmarshal the data. If your file does not have the usual extension, set this argument to `yaml`, `json`, `dotenv` (`.env`), `ini` accordingly, or `raw` if the encrypted data is encoded differently. ### Read-Only - **data** (Map of String, Sensitive) - The unmarshalled data as a dictionary. Use dot-separated keys to access nested data. - **id** (String) - Unique identifier for this data source. - **raw** (String, Sensitive) - The entire unencrypted file as a string. ### Request Example ```terraform provider "sops" {} data "sops_file" "demo-secret" { source_file = "demo-secret.enc.json" } ``` ### Response #### Success Response (200) - **data** (Map of String, Sensitive) - The unmarshalled data as a dictionary. Use dot-separated keys to access nested data. - **id** (String) - Unique identifier for this data source. - **raw** (String, Sensitive) - The entire unencrypted file as a string. #### Response Example ```json { "data": { "password": "example_password", "db.password": "example_db_password" }, "id": "some-unique-id", "raw": "{\"password\": \"example_password\", \"db\": { \"password\": \"example_db_password\" }}" } ``` ``` -------------------------------- ### Decrypt SOPS Encrypted Files with Different Input Types Source: https://context7.com/carlpett/terraform-provider-sops/llms.txt Use the `sops_file` data source to decrypt SOPS-encrypted files. The `input_type` parameter can be explicitly set or inferred from the file extension for formats like JSON, YAML, dotenv, INI, and raw. ```hcl # JSON format (auto-detected from .json extension) data "sops_file" "json_secrets" { source_file = "secrets.enc.json" } # YAML format (auto-detected from .yaml/.yml extension) data "sops_file" "yaml_secrets" { source_file = "secrets.enc.yaml" } # dotenv format (auto-detected from .env extension) data "sops_file" "env_secrets" { source_file = "secrets.enc.env" # or explicitly: input_type = "dotenv" } # INI format data "sops_file" "ini_secrets" { source_file = "secrets.enc.ini" input_type = "ini" } # Raw format - entire file is encrypted as a single value data "sops_file" "raw_secrets" { source_file = "certificate.enc.pem" input_type = "raw" } output "certificate" { value = data.sops_file.raw_secrets.raw sensitive = true } ``` -------------------------------- ### Decrypt raw file with sops_file data source Source: https://github.com/carlpett/terraform-provider-sops/blob/master/README.md Decrypt a file with input_type set to "raw" when the file is not in a standard format like JSON or YAML. ```hcl data "sops_file" "some-file" { source_file = "secret-data.txt" input_type = "raw" } output "do-something" { value = data.sops_file.some-file.raw } ``` -------------------------------- ### Decrypt external file content with sops_external data source Source: https://github.com/carlpett/terraform-provider-sops/blob/master/README.md Use the sops_external data source to decrypt content from a non-local source, such as a file read by the local_file data source. input_type is required. ```hcl terraform { required_providers { sops = { source = "carlpett/sops" version = "~> 0.5" } } } # using sops/test-fixtures/basic.yaml as an example data "local_file" "yaml" { filename = "basic.yaml" } data "sops_external" "demo-secret" { source = data.local_file.yaml.content input_type = "yaml" } output "root-value-hello" { value = data.sops_external.demo-secret.data.hello } output "nested-yaml-value" { # Access the password variable that is under db via the terraform object value = yamldecode(data.sops_file.demo-secret.raw).db.password } ``` -------------------------------- ### Terraform SOPS Provider with Ephemeral Block Source: https://github.com/carlpett/terraform-provider-sops/blob/master/README.md Configure the SOPS provider and use an ephemeral resource to read secrets from an encrypted file. This prevents the secret content from being saved in Terraform state. ```hcl terraform { required_providers { sops = { source = "carlpett/sops" version = "~> 1.3.0" } } } ephemeral "sops_file" "secrets" { source_file = "demo-secret.enc.json" } resource "aws_ssm_parameter" "sops_secrets" { name = "my-secrets" type = "SecureString" value_wo = jsonencode(ephemeral.sops_file.secrets.raw) value_wo_version = 1 } ``` -------------------------------- ### Decrypt SOPS Data from String with sops_external Data Source Source: https://context7.com/carlpett/terraform-provider-sops/llms.txt The sops_external data source decrypts SOPS-encrypted data provided as a string, useful for secrets fetched from remote sources. 'input_type' is mandatory as there's no file extension for inference. Decrypted data is accessible via the 'data' map or 'raw' attribute. ```hcl # Fetch encrypted data from a remote HTTP endpoint data "http" "remote_sops_data" { url = "https://sops.example/my-data" } data "sops_external" "demo_secret" { source = data.http.remote_sops_data.body input_type = "yaml" } output "root-value-hello" { value = data.sops_external.demo_secret.data.hello sensitive = true } # Parse the raw YAML output for complex nested access output "nested-yaml-value" { value = yamldecode(data.sops_external.demo_secret.raw).db.password sensitive = true } # Example with local_file data source (for testing or when file path is dynamic) data "local_file" "yaml_secrets" { filename = "basic.yaml" } data "sops_external" "from_local" { source = data.local_file.yaml_secrets.content input_type = "yaml" } ``` -------------------------------- ### sops_external Data Source Source: https://github.com/carlpett/terraform-provider-sops/blob/master/docs/data-sources/external.md This data source reads and decrypts data from a sops-encrypted string. It supports various input types like YAML, JSON, dotenv, INI, or raw strings. ```APIDOC ## sops_external Data Source ### Description Reads data from a sops-encrypted string. Useful if the data does not reside on disk locally (otherwise use `sops_file`). ### Method DATA SOURCE ### Endpoint N/A (Data Source) ### Parameters #### Required - **source** (String) - A string with sops-encrypted data #### Optional - **input_type** (String) - `yaml`, `json` `dotenv` (`.env`), `ini` or `raw`, depending on the structure of the un-encrypted data. ### Read-Only Attributes - **data** (Map of String, Sensitive) - Decrypted data - **id** (String) - Unique identifier for this data source - **raw** (String, Sensitive) - Raw decrypted content ### Example Usage ```terraform data "http" "remote_sops_data" { url = "https://sops.example/my-data" } data "sops_external" "demo_secret" { source = data.http.remote_sops_data.body input_type = "yaml" } output "root-value-hello" { value = data.sops_external.demo_secret.data.hello } ``` ``` -------------------------------- ### Decrypt JSON file with sops_file data source Source: https://github.com/carlpett/terraform-provider-sops/blob/master/README.md Use the sops_file data source to decrypt a JSON file. Access nested values using dot notation or by decoding the raw JSON. ```hcl terraform { required_providers { sops = { source = "carlpett/sops" version = "~> 0.5" } } } data "sops_file" "demo-secret" { source_file = "demo-secret.enc.json" } output "root-value-password" { # Access the password variable from the map value = data.sops_file.demo-secret.data["password"] } output "mapped-nested-value" { # Access the password variable that is under db via the terraform map of data value = data.sops_file.demo-secret.data["db.password"] } output "nested-json-value" { # Access the password variable that is under db via the terraform object value = jsondecode(data.sops_file.demo-secret.raw).db.password } ``` -------------------------------- ### Decrypt SOPS Files Ephemerally with sops_file Resource Source: https://context7.com/carlpett/terraform-provider-sops/llms.txt The ephemeral sops_file resource decrypts SOPS-encrypted files without persisting the decrypted content to Terraform state. Available in Terraform v1.11+ with provider v1.3.0+, it can only be used in write-only arguments for enhanced security. ```hcl terraform { required_providers { sops = { source = "carlpett/sops" version = ">= 1.3.0" } } } provider "sops" {} # Ephemeral resource - decrypted content never stored in state ephemeral "sops_file" "secrets" { source_file = "demo-secret.enc.json" } # Use with AWS SSM Parameter Store write-only argument resource "aws_ssm_parameter" "sops_secrets" { name = "my-secrets" type = "SecureString" value_wo = jsonencode(ephemeral.sops_file.secrets.raw) value_wo_version = 1 } # Access data map values (ephemeral resource syntax) resource "aws_ssm_parameter" "db_password" { name = "db-password" type = "SecureString" value_wo = ephemeral.sops_file.secrets.data["db.password"] value_wo_version = 1 } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.