From 9a27d5a7dc8b93b78e5fbf6bd7e0cdfe326b069b Mon Sep 17 00:00:00 2001 From: Daniel Salazar Date: Thu, 19 Dec 2024 08:56:33 -0500 Subject: [PATCH] refac(back): #1378 deprecate secrets for gpg - Deprecate builtin - Deprecate tests - Remove secretsForEnvFromSops tests as it will be removed in the future Signed-off-by: Daniel Salazar --- .github/workflows/dev.yml | 64 -------------- .github/workflows/prod.yml | 80 ------------------ docs/src/api/builtins/secrets.md | 84 ------------------- docs/src/security/threat-model.md | 3 +- src/args/agnostic.nix | 2 - .../make-secret-for-gpg-from-env/default.nix | 11 --- .../make-secret-for-gpg-from-env/template.sh | 18 ---- src/evaluator/modules/default.nix | 1 - .../secrets-for-gpg-from-env/default.nix | 22 ----- tests/makes.nix | 2 - tests/secretsForEnvFromSops/makes.nix | 8 -- tests/secretsForGpgFromEnv/makes.nix | 20 ----- tests/secretsForGpgFromEnv/pgp | 81 ------------------ tests/secretsForGpgFromEnv/pgp.pub | 41 --------- tests/secretsForGpgFromEnv/secrets.yaml | 30 ------- tests/terraform/makes.nix | 36 ++------ 16 files changed, 10 insertions(+), 493 deletions(-) delete mode 100644 src/args/make-secret-for-gpg-from-env/default.nix delete mode 100644 src/args/make-secret-for-gpg-from-env/template.sh delete mode 100644 src/evaluator/modules/secrets-for-gpg-from-env/default.nix delete mode 100644 tests/secretsForEnvFromSops/makes.nix delete mode 100644 tests/secretsForGpgFromEnv/makes.nix delete mode 100644 tests/secretsForGpgFromEnv/pgp delete mode 100644 tests/secretsForGpgFromEnv/pgp.pub delete mode 100644 tests/secretsForGpgFromEnv/secrets.yaml diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml index 8bacd111..338b1357 100644 --- a/.github/workflows/dev.yml +++ b/.github/workflows/dev.yml 
@@ -55,22 +55,6 @@ jobs: env: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - linux_envVars_example: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845 - name: /envVars/example - with: - args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /envVars/example" - macos_envVars_example: - runs-on: macos-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac - - name: /envVars/example - run: nix-env -if . && m . /envVars/example - linux_formatBash: runs-on: ubuntu-latest steps: 
@@ -244,38 +228,6 @@ jobs: with: args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /lintWithAjv/test" - linux_secretsForEnvFromSops_example: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845 - name: /secretsForEnvFromSops/example - with: - args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /secretsForEnvFromSops/example" - macos_secretsForEnvFromSops_example: - runs-on: macos-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac - - name: /secretsForEnvFromSops/example - run: nix-env -if . && m . /secretsForEnvFromSops/example - - linux_secretsForGpgFromEnv_example: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845 - name: /secretsForGpgFromEnv/example - with: - args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /secretsForGpgFromEnv/example" - macos_secretsForGpgFromEnv_example: - runs-on: macos-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac - - name: /secretsForGpgFromEnv/example - run: nix-env -if . && m . /secretsForGpgFromEnv/example - linux_testLicense: runs-on: ubuntu-latest steps: 
@@ -340,22 +292,6 @@ jobs: - name: /tests/makeScript run: nix-env -if . && m . /tests/makeScript - linux_tests_secretsForGpgFromEnv: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845 - name: /tests/secretsForGpgFromEnv - with: - args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /tests/secretsForGpgFromEnv" - macos_tests_secretsForGpgFromEnv: - runs-on: macos-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac - - name: /tests/secretsForGpgFromEnv - run: nix-env -if . && m . /tests/secretsForGpgFromEnv - linux_testTerraform_module: runs-on: ubuntu-latest steps: diff --git a/.github/workflows/prod.yml b/.github/workflows/prod.yml index 88e30da3..949246e1 100644 --- a/.github/workflows/prod.yml +++ b/.github/workflows/prod.yml @@ -133,26 +133,6 @@ jobs: env: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - linux_envVars_example: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845 - name: /envVars/example - with: - args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /envVars/example" - env: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - macos_envVars_example: - runs-on: macos-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac - - name: /envVars/example - run: nix-env -if . && m . /envVars/example - env: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - linux_formatBash: runs-on: ubuntu-latest steps: 
@@ -368,46 +348,6 @@ jobs: env: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - linux_secretsForEnvFromSops_example: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845 - name: /secretsForEnvFromSops/example - with: - args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /secretsForEnvFromSops/example" - env: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - macos_secretsForEnvFromSops_example: - runs-on: macos-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac - - name: /secretsForEnvFromSops/example - run: nix-env -if . && m . /secretsForEnvFromSops/example - env: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - - linux_secretsForGpgFromEnv_example: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845 - name: /secretsForGpgFromEnv/example - with: - args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /secretsForGpgFromEnv/example" - env: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - macos_secretsForGpgFromEnv_example: - runs-on: macos-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac - - name: /secretsForGpgFromEnv/example - run: nix-env -if . && m . /secretsForGpgFromEnv/example - env: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - linux_testLicense: runs-on: ubuntu-latest steps: 
@@ -484,26 +424,6 @@ jobs: env: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - linux_tests_secretsForGpgFromEnv: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845 - name: /tests/secretsForGpgFromEnv - with: - args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /tests/secretsForGpgFromEnv" - env: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - macos_tests_secretsForGpgFromEnv: - runs-on: macos-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac - - name: /tests/secretsForGpgFromEnv - run: nix-env -if . && m . /tests/secretsForGpgFromEnv - env: - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - linux_testTerraform_module: runs-on: ubuntu-latest steps: diff --git a/docs/src/api/builtins/secrets.md b/docs/src/api/builtins/secrets.md index b2d19909..6a5ad6bb 100644 --- a/docs/src/api/builtins/secrets.md +++ b/docs/src/api/builtins/secrets.md 
@@ -192,90 +192,6 @@ Example: } ``` -## secretsForGpgFromEnv - -Load GPG public or private keys -from environment variables -into an ephemeral key-ring. - -Each key content must be stored -in a environment variable -in [ASCII Armor](https://www.techopedia.com/definition/23150/ascii-armor) format. - -Types: - -- secretsForGpgFromEnv (`attrsOf (listOf str)`): Optional. - Mapping of name - to a list of environment variable names - where the GPG key contents are stored. - Defaults to `{ }`. - -Example: - -=== "secrets.yaml" - - ```yaml - # /path/to/my/project/secrets.yaml - password: ENC[AES256_GCM,data:cLbgzNHgBN5drfsDAS+RTV5fL6I=,iv:2YHhHxKg+lbGqdB5nhhG2YemeKB6XWvthGfNNkVgytQ=,tag:cj/el3taq1w7UOp/JQSNwA==,type:str] - # ... - ``` - -=== "makes.nix" - - ```nix - # /path/to/my/project/makes.nix - { - outputs, - ... - }: { - # Load keys into an ephemeral GPG keyring - secretsForGpgFromEnv = { - example = [ - "ENV_VAR_FOR_PRIVATE_KEY_CONTENT" - "ENV_VAR_FOR_PUB_KEY_CONTENT" - ]; - }; - # Use sops to decrypt an encrypted file - secretsForEnvFromSops = { - example = { - manifest = "/secrets.yaml"; - vars = [ "password" ]; - }; - }; - } - ``` - -=== "main.nix" - - ```nix - # /path/to/my/project/makes/example/main.nix - { - makeScript, - outputs, - ... - }: - makeScript { - name = "example"; - searchPaths.source = [ - # First setup an ephemeral GPG keyring - outputs."/secretsForGpgFromEnv/example" - # Now sops will decrypt secrets using the GPG keys in the ring - outputs."/secretsForEnvFromSops/example" - ]; - entrypoint = '' - echo Decrypted password: $password - ''; - } - ``` - -=== "Invocation" - - ```bash - $ m . /example - - Decrypted password: 123 - ``` - ## secretsForTerraformFromEnv Export secrets in a format suitable for Terraform diff --git a/docs/src/security/threat-model.md b/docs/src/security/threat-model.md index 229f7902..82a30f71 100644 --- a/docs/src/security/threat-model.md +++ b/docs/src/security/threat-model.md 
@@ -118,8 +118,7 @@ For example: `secretsForAwsFromEnv`, `secretsForAwsFromGitlab`, - `secretsForEnvFromSops`, - `secretsForGpgFromEnv`, and + `secretsForEnvFromSops`, and `secretsForTerraformFromEnv`. However, we don't currently have a way to protect the user diff --git a/src/args/agnostic.nix b/src/args/agnostic.nix index 81e8cd6f..ef457592 100644 --- a/src/args/agnostic.nix +++ b/src/args/agnostic.nix @@ -80,8 +80,6 @@ let import ./make-secret-for-aws-from-gitlab/default.nix self; makeSecretForEnvFromSops = import ./make-secret-for-env-from-sops/default.nix self; - makeSecretForGpgFromEnv = - import ./make-secret-for-gpg-from-env/default.nix self; makeSecretForKubernetesConfigFromAws = import ./make-secret-for-kubernetes-config-from-aws/default.nix self; makeSecretForNomadFromEnv = diff --git a/src/args/make-secret-for-gpg-from-env/default.nix b/src/args/make-secret-for-gpg-from-env/default.nix deleted file mode 100644 index 67a6f132..00000000 --- a/src/args/make-secret-for-gpg-from-env/default.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ __nixpkgs__, toBashArray, makeTemplate, toDerivationName, ... }: -{ asciiArmorBlocks, name, }: -makeTemplate { - replace = { - __argAsciiArmorBlocks__ = toBashArray asciiArmorBlocks; - __argName__ = toDerivationName name; - }; - name = "make-secret-for-gpg-from-env-for-${name}"; - searchPaths.bin = [ __nixpkgs__.gnupg1orig ]; - template = ./template.sh; -} diff --git a/src/args/make-secret-for-gpg-from-env/template.sh b/src/args/make-secret-for-gpg-from-env/template.sh deleted file mode 100644 index 8683c602..00000000 --- a/src/args/make-secret-for-gpg-from-env/template.sh +++ /dev/null 
@@ -1,18 +0,0 @@ -# shellcheck shell=bash - -function main { - source __argAsciiArmorBlocks__/template local ascii_armor_blocks - - info Making secret for GPG from environment variables for __argName__: \ - && export GNUPGHOME \ - && GNUPGHOME="$(mktemp -d)" \ - && info - GNUPGHOME="${GNUPGHOME}" \ - && for ascii_armor_block in "${ascii_armor_blocks[@]}"; do - require_env_var "${ascii_armor_block}" \ - && info - "${ascii_armor_block}" \ - && echo "${!ascii_armor_block}" | gpg --import \ - || return 1 - done -} - -main "${@}" diff --git a/src/evaluator/modules/default.nix b/src/evaluator/modules/default.nix index 2d17c909..4fd14d5d 100644 --- a/src/evaluator/modules/default.nix +++ b/src/evaluator/modules/default.nix @@ -27,7 +27,6 @@ (import ./secrets-for-aws-from-env/default.nix args) (import ./secrets-for-aws-from-gitlab/default.nix args) (import ./secrets-for-env-from-sops/default.nix args) - (import ./secrets-for-gpg-from-env/default.nix args) (import ./secrets-for-terraform-from-env/default.nix args) (import ./test-license/default.nix args) (import ./test-terraform/default.nix args) diff --git a/src/evaluator/modules/secrets-for-gpg-from-env/default.nix b/src/evaluator/modules/secrets-for-gpg-from-env/default.nix deleted file mode 100644 index ee262be6..00000000 --- a/src/evaluator/modules/secrets-for-gpg-from-env/default.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ __toModuleOutputs__, makeSecretForGpgFromEnv, ... }: -{ config, lib, ... }: -let - makeSecretForGpgFromEnvOutput = name: asciiArmorBlocks: { - name = "/secretsForGpgFromEnv/${name}"; - value = makeSecretForGpgFromEnv { - inherit name; - inherit asciiArmorBlocks; - }; - }; -in { - options = { - secretsForGpgFromEnv = lib.mkOption { - default = { }; - type = lib.types.attrsOf (lib.types.listOf lib.types.str); - }; - }; - config = { - outputs = __toModuleOutputs__ makeSecretForGpgFromEnvOutput - config.secretsForGpgFromEnv; - }; -} 
diff --git a/tests/makes.nix b/tests/makes.nix index 0a9cc929..98efa6e0 100644 --- a/tests/makes.nix +++ b/tests/makes.nix @@ -8,8 +8,6 @@ ./makeSearchPaths/makes.nix ./makeTemplate/makes.nix ./pipelines/makes.nix - ./secretsForEnvFromSops/makes.nix - ./secretsForGpgFromEnv/makes.nix ./terraform/makes.nix ]; } diff --git a/tests/secretsForEnvFromSops/makes.nix b/tests/secretsForEnvFromSops/makes.nix deleted file mode 100644 index a0d1959e..00000000 --- a/tests/secretsForEnvFromSops/makes.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - secretsForEnvFromSops = { - example = { - manifest = "/tests/secretsForGpgFromEnv/secrets.yaml"; - vars = [ "secret" ]; - }; - }; -} diff --git a/tests/secretsForGpgFromEnv/makes.nix b/tests/secretsForGpgFromEnv/makes.nix deleted file mode 100644 index 4eed1981..00000000 --- a/tests/secretsForGpgFromEnv/makes.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ makeScript, outputs, ... }: { - envVars = { - example = { - # Don't do this in production, it's unsafe. We do this for testing purposes. - PGP_PRIVATE = builtins.readFile ./pgp; - PGP_PUBLIC = builtins.readFile ./pgp.pub; - VAR_NAME = "test"; - }; - }; - jobs."/tests/secretsForGpgFromEnv" = makeScript { - entrypoint = "echo $secret"; - name = "tests-secrets-for-gpg-from-env"; - searchPaths.source = [ - outputs."/envVars/example" - outputs."/secretsForGpgFromEnv/example" - outputs."/secretsForEnvFromSops/example" - ]; - }; - secretsForGpgFromEnv.example = [ "PGP_PUBLIC" "PGP_PRIVATE" ]; -} diff --git a/tests/secretsForGpgFromEnv/pgp b/tests/secretsForGpgFromEnv/pgp deleted file mode 100644 index 52f80cdb..00000000 --- a/tests/secretsForGpgFromEnv/pgp +++ /dev/null 
@@ -1,81 +0,0 @@ ------BEGIN PGP PRIVATE KEY BLOCK----- - -lQVYBGFAziYBDADGcsJM0s39MHO42vm9MfX6bVeG3FKBhrjwBeC91C1g5scou+tC -ayO9PUiaFB6Hj/75qDPsw4m78Rop0qaGUPCZwGfDI8iQFH+GwAF4kmXAcup7hpxQ -8WNcxDvSrkuJDIrxM5w9hWsqxV8XUntG5vGIe2m2OyAY9ZhBWgYasEfBOjzDY1+F -NSpFcJOq9bcwRxkn5JgMPrN5SyB2ou1zPNe5Q4BoxO1E6st4p1q23Ocy+9oR81j1 -mSSrMbXtRXHbkF1iCoKgtNTp09ATZ+lZ+Qtbbs9CrOduw83Zbm34Fm5RG3rYcPW3 -mmhsFfw6OM8OXyM1qaiQXrdplU+st/IgfAnThxhd4RRDhA0UVyyIjewKBVcIR96e -5q3P6pFo562LhEiqLx99GrdzVaric29JAG+goCkX8neC/ng10Kmx3wawEaLrJdrW -UpJ87UflNPftWPsKhyLnvHDJhJRtfPjI5tfY9jtFi8wKsYdWL6lt3yrvn3CQKr5k -5T9D08CAU6jYHv0AEQEAAQAL/ApVCEPACASM2hbqTm1o0AHxYR4UPjbLNmQc0juK -nrA4Y8R9qufi3ydSV64vVPrsPDNwa/+sRfFjQgr3vOl/sP84Us6zVWpsVCAbwsKD -Jh6+fPHggNFVYr3TjmUk46mSMxu60FbYVEuTn3n94ThAUZwFskElfpbTa/wfEp6f -cKT2rMTkLswnMqO56Ej9kRjyOAo+hHdtaPfBjxejhPxmfbmCHQnsvYkZ4RfPktFe -2qoUuHZjIU3BjZ9c2mLXpkVvFINwcSF0K/DzaEE8rmjI1z9xraDJXLdWYj/vYrZe -Ybu9a0NMdfQA7Myl/T59rFYCwZa558tUJewJp4QtktDc9rXg6mYYuM578M82I8v2 -F9RUkp99NDq5KLxSJ5uvdJyczYRnLk3tswDnl27QJJUTOx0z9wlsC3+Y3n5s3zDq -vWmJ1IBAx0xwGKKdfvU/4RwV9Q8jlSgWDLltV2/9Kper4DLUcWyMpxFSC+8NlPLX -yjibSRg/zgtA8vJ35lIcInE3cQYA12euLV4ipAtm8IFMIeWRXOzEb0d5m8FHTUiU -bMUldsAJ82d9sdj4/T7t7ZuQI0riYMDNOPDQ8fS+L95qj8PnSmPLoziZ/3ttdtuA -5zqk2kcxZ2BHSTUfqiPojP8uBshr+3XtkhNx97Sxr6YbCOnSIQav+t6jO62UoPMg -xMgyjpXtzABmhFYWBrkwVe5HAK+g9JKB9eLYFgaA3S0l4QU4LO0N4sGB6g4OxCgG -qEWtmTttQ0nYUOSMJXqYSA6Kw2lJBgDr2P4/ZfJsPq+JfZ4FmkH3VgjKSzhHSsf+ -87JTAPMQg6ePPar0fxCbiJ/miRoUUuRmwoeYZ+RT3yxUBDtrRePtFmytOC8ZgCej -Q4z2TNQ9jgi2yaCEsWiGETC+EXb/e3Fa+t1H7CE2deVZTAryScsk3NDNUa5q4CTE -6rfYcyXjSzaFrEJTDplxesK8vcrZMynDFEE8opRTjgRb1gnjAc6Vyul2l1nShz4E -l8KNBlwIqeJZU+qDRCuQ37gLEgVonBUGAIVNehh9WdZN5kNozLlMHM4RlkGv8IYu -QqcDVMn+NlU11FYn6Fuijeh1D+SE8B6NRaFOeDpiIcthZ2a+uZuwbBkQH34fTWAK -9859SQajXRQ/zuLVmc5en2JP0F7WC4umMgoa4rmcZd+XkFUQKMmixSVPXOy0PpRG -yVZt/pvkUcFX7tIvOiGp9y3svCczfKY8drKEvT9WgFVo05lgmxFmOf4CamNxyAvg -G45Dca4YRyiq1RvZdkNf5ORuzB7Rk9jfxOEPtB5NYWtlcyA8bWFrZXNAZmx1aWRh 
-dHRhY2tzLmNvbT6JAc4EEwEIADgWIQR7EckmiapQvhVWMWW3YPoEQON2nAUCYUDO -JgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC3YPoEQON2nDgpDACu2Aoj -jdxtoA3Vh5obulw0bEDuOLBqFCoPLMIRjTzv88rWnU0XZ2C5EQ+e+3aJ2TckRRV8 -eySmLEo2F5N6BsDqUIa+bv9sqykeGPGZsju9CwuePWM9HDdH9aHOpHxckbpl5ZWO -Jbaynvl5yZWW624h3M6+ikRydze5POLM7iqvdaLZj+Ue+pArx46A+PEOhholZMEA -/pPDPfSg5v9exokOlE/oMZn2nt4COG9mZC8meyCQ9O4Qf4f2IGX6gR+4wNg4kxHs -joJ/tj6gkf2p3nbMx9ByzjdcPVT6GjbjStIvdcC2yrKjKrir8iYJujwNlqhdDqXA -IlMbXrLceEaD0Mo2UJNU7EnhjkBZ7wsnUTrW1whdmfUMfIXAGYoTP6Hpx6ZlKL/d -70uA0obDICvjy6kSFiUtLbVkVN5pzIWyauz8adLeIpwJNRoDRco5hCkV4J9vjjCp -boQrM8wnbzMVF/mACNzrvzPv5gGCvbuRCmMJTaEZdeU7veIrkXQFkMND7e+dBVgE -YUDOJgEMAMSBELTMoA6YA72A0MBsxLWHrxI9nRKQBFqxhvIVB+XicuRGUrMxatKs -FfV/lBVgc/V1nFd68BEkXn2lUjM3FoyzZMvzesmAKkJgh9SGxJLU51+p8SHGMkUj -vFSgX2fn3NiZJW8Xw7C/81GxDSKQg3g5sCphSPuZo/nhWm9U/VOeOA9gSPQjePQT -AzxJkfNM4acQkcOOnCQF5mRLzBYYGnAsKQx5IjFqGSfohzp82at+qXF+wXBEDCUr -LYemnlQzpwmxBX13dlpqlMEcMcIKbJehKaoiBxEQ8RlADU5ShOXRQ2lVAdZq+UEd -QpgBsgm9GBv7B/6QzLgW6ze7ulemU2FHxD1b373kObsb4Gpg+QJuk5t0y0UXiHDH -bR+zk28JfW85DdKmCC6bztIUzAs1xeUYNGwQ0k+Tldyn/f2cYKgfF5GmA62MLEBc -hcLX0RJ8UF9eNaFG7fLC7MLlhS8dWQoK+YhHc0uhBsydXLpm4nCsO8n30WPS5rRs -ztxsRNZ0DwARAQABAAv6AqN5BfR5cbi41CKWqv7K5WUdBLGvGkC0zkLz/OwrXvrb -cBVBpwZS2OFWqiU8Z80TwYgCwWn1L0W9vxIpOGbU9q6x+8sZKvt9lcaWDFSC7zXM -pYwyoLF4m1UPglNk9JA4dvAXgJZhGk55he9Krdwi58pegzMrN7WobgKIpFYP0L+f -IRW55Q1U4nIe6QBT5WBy5zthua6AijtKDK633tQUBs2Q/4ng26kBDXgh2Lc0dQkO -XWfGUSuYvicGRXwHRDotTfQHyu4OL7ZEp340dvJvOROFo84ZjNEmtzIGdzC0bsmv -b/r4pK28SYDItaA509PNhX9We/1OGhuM9j1UggJGCVvH0kDGxc9SqI2gUrrlmkij -3cjVPcjX1RjoriNQlOZUl9D1zsIEFFlRh0/sz00Gj8WG8e04IjGOD97uP5FOQBXB -jJEDPSjHQKeOkCBUVXONcGyT/2FpkTVnyYaaKT50rQAzDmEL9cZEiOZvfQhpYru3 -7Q/4jCKr0N0HGf0deoaBBgDIKEPtWrrZFv/BEr7IQb04WJtFg+I7TOq1PyBZFRsA -z8mvo7OnddoSBGe8cGp2yCgUwhjXWqKqtiyDkaPD/fRNR2CAwcQfjLT2Ij1lNL7L -tnFM0c/74W8nSs361vUv/+nDuw5Ea1FILBK0vSsMl45Icss9TiqGGgbuzVN49V75 -m2AvlzHb01hMaPBzxvcsJw6u2DQSjQBhBwoF5cagXEtQH4ZvRAG1aesHzshBfAuV 
-FN9gFNOPnzDDArG1vGFtGRsGAPtT4nJ7021plabEzpFgfXppgvPSHQEytNXTD4Nx -4w9xs2wxH71kjMmMkyy/++wVIIXPDHCU+VmyeF1jeIO4piq+4ftDs01w+38S+1pY -WUnZQQUfxikvz2naW+4sHi8QH9hsEkF7DXwjjWK81Gt3RoHbT73XAGTpMWxm2YAg -qNc9bDwTh+DYIFYLFWapJ1hnCK2b/hQiYSuh/vn6BGuqYtRtwqN0zLF+lQdvDHtG -EB/sskupgUn043XS2fJCqVWUHQX/S53AZSr4DrzCVVoVwksxYpVRbo5/goIqkW7N -jzvVXYJqZD0IrXyJBF27RlDHkAMWhO0ffdjjhYnzVYMQJ+2nKAlueEZSQsjt3OHm -Ta6RdVQVbehi9vHvhe0d7SPxnAeqA4Tv6dJn3cT3gJr3BnBxbZbRLJGO6CLGW4OI -pWJnbOKjymzSJaec5f/JCezS8T92aGp4MNo26nwhIMBVlZBuuKownrg2gOLY1cfJ -njWVqQ61N6ecs2Y0xluC6cSQDieO3ySJAbYEGAEIACAWIQR7EckmiapQvhVWMWW3 -YPoEQON2nAUCYUDOJgIbDAAKCRC3YPoEQON2nOlJDADCgKG5ubt0E/R60Q5+NBst -0A0KJXCyhjHD5t5cKlogTfuGdELsDmC+2ro3dRrBxmijtMvcuKLIQrF3jKMaWIbh -fyd6btsKjhUJN3l54o/GIsKCHNDReT+gmfGVrOejWnk8qCCATpqwCrLEy5uOspKw -mMEo8TNIF3Osd7n5H03GRVOJYnHmUhR8xO04UU5i+c78HRVTVRV90x7u1CMWz3yi -zKCtLyZhPGGEpGiSkmR8t4g5jG5wJVrp5yQdm1fC387eoWNnSSYJngIo6z3Cxf0h -KSjkIoxvWuzXmN76WK+rIMhh+oDRj32U+OhddZv3CtxTUhC1l60k8w55OyPV+KWf -i/kEy2NbkKmOUpF9yEnl5ehHJq+EWHwgu2aYfzvZKKvtvPZngW8QejvvhxKnu6r5 -FqJl8x8MEavjKRjq+IUGbgvIoKaouBzZBm5wcbCSb904UDrVpSAkyBqzkTZRoLS+ -b5xuEYtFc6XzLjfhA7njcX1Znl9Y0b1pkroAX0AbjaU= -=cdp0 ------END PGP PRIVATE KEY BLOCK----- diff --git a/tests/secretsForGpgFromEnv/pgp.pub b/tests/secretsForGpgFromEnv/pgp.pub deleted file mode 100644 index d45df4b3..00000000 --- a/tests/secretsForGpgFromEnv/pgp.pub +++ /dev/null 
@@ -1,41 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQGNBGFAziYBDADGcsJM0s39MHO42vm9MfX6bVeG3FKBhrjwBeC91C1g5scou+tC -ayO9PUiaFB6Hj/75qDPsw4m78Rop0qaGUPCZwGfDI8iQFH+GwAF4kmXAcup7hpxQ -8WNcxDvSrkuJDIrxM5w9hWsqxV8XUntG5vGIe2m2OyAY9ZhBWgYasEfBOjzDY1+F -NSpFcJOq9bcwRxkn5JgMPrN5SyB2ou1zPNe5Q4BoxO1E6st4p1q23Ocy+9oR81j1 -mSSrMbXtRXHbkF1iCoKgtNTp09ATZ+lZ+Qtbbs9CrOduw83Zbm34Fm5RG3rYcPW3 -mmhsFfw6OM8OXyM1qaiQXrdplU+st/IgfAnThxhd4RRDhA0UVyyIjewKBVcIR96e -5q3P6pFo562LhEiqLx99GrdzVaric29JAG+goCkX8neC/ng10Kmx3wawEaLrJdrW -UpJ87UflNPftWPsKhyLnvHDJhJRtfPjI5tfY9jtFi8wKsYdWL6lt3yrvn3CQKr5k -5T9D08CAU6jYHv0AEQEAAbQeTWFrZXMgPG1ha2VzQGZsdWlkYXR0YWNrcy5jb20+ -iQHOBBMBCAA4FiEEexHJJomqUL4VVjFlt2D6BEDjdpwFAmFAziYCGwMFCwkIBwIG -FQoJCAsCBBYCAwECHgECF4AACgkQt2D6BEDjdpw4KQwArtgKI43cbaAN1YeaG7pc -NGxA7jiwahQqDyzCEY087/PK1p1NF2dguREPnvt2idk3JEUVfHskpixKNheTegbA -6lCGvm7/bKspHhjxmbI7vQsLnj1jPRw3R/WhzqR8XJG6ZeWVjiW2sp75ecmVlutu -IdzOvopEcnc3uTzizO4qr3Wi2Y/lHvqQK8eOgPjxDoYaJWTBAP6Twz30oOb/XsaJ -DpRP6DGZ9p7eAjhvZmQvJnsgkPTuEH+H9iBl+oEfuMDYOJMR7I6Cf7Y+oJH9qd52 -zMfQcs43XD1U+ho240rSL3XAtsqyoyq4q/ImCbo8DZaoXQ6lwCJTG16y3HhGg9DK -NlCTVOxJ4Y5AWe8LJ1E61tcIXZn1DHyFwBmKEz+h6cemZSi/3e9LgNKGwyAr48up -EhYlLS21ZFTeacyFsmrs/GnS3iKcCTUaA0XKOYQpFeCfb44wqW6EKzPMJ28zFRf5 -gAjc678z7+YBgr27kQpjCU2hGXXlO73iK5F0BZDDQ+3vuQGNBGFAziYBDADEgRC0 -zKAOmAO9gNDAbMS1h68SPZ0SkARasYbyFQfl4nLkRlKzMWrSrBX1f5QVYHP1dZxX -evARJF59pVIzNxaMs2TL83rJgCpCYIfUhsSS1OdfqfEhxjJFI7xUoF9n59zYmSVv -F8Owv/NRsQ0ikIN4ObAqYUj7maP54VpvVP1TnjgPYEj0I3j0EwM8SZHzTOGnEJHD -jpwkBeZkS8wWGBpwLCkMeSIxahkn6Ic6fNmrfqlxfsFwRAwlKy2Hpp5UM6cJsQV9 -d3ZaapTBHDHCCmyXoSmqIgcREPEZQA1OUoTl0UNpVQHWavlBHUKYAbIJvRgb+wf+ -kMy4Fus3u7pXplNhR8Q9W9+95Dm7G+BqYPkCbpObdMtFF4hwx20fs5NvCX1vOQ3S -pggum87SFMwLNcXlGDRsENJPk5Xcp/39nGCoHxeRpgOtjCxAXIXC19ESfFBfXjWh -Ru3ywuzC5YUvHVkKCvmIR3NLoQbMnVy6ZuJwrDvJ99Fj0ua0bM7cbETWdA8AEQEA -AYkBtgQYAQgAIBYhBHsRySaJqlC+FVYxZbdg+gRA43acBQJhQM4mAhsMAAoJELdg -+gRA43ac6UkMAMKAobm5u3QT9HrRDn40Gy3QDQolcLKGMcPm3lwqWiBN+4Z0QuwO 
-YL7aujd1GsHGaKO0y9y4oshCsXeMoxpYhuF/J3pu2wqOFQk3eXnij8YiwoIc0NF5 -P6CZ8ZWs56NaeTyoIIBOmrAKssTLm46ykrCYwSjxM0gXc6x3ufkfTcZFU4liceZS -FHzE7ThRTmL5zvwdFVNVFX3THu7UIxbPfKLMoK0vJmE8YYSkaJKSZHy3iDmMbnAl -WunnJB2bV8Lfzt6hY2dJJgmeAijrPcLF/SEpKOQijG9a7NeY3vpYr6sgyGH6gNGP -fZT46F11m/cK3FNSELWXrSTzDnk7I9X4pZ+L+QTLY1uQqY5SkX3ISeXl6Ecmr4RY -fCC7Zph/O9koq+289meBbxB6O++HEqe7qvkWomXzHwwRq+MpGOr4hQZuC8igpqi4 -HNkGbnBxsJJv3ThQOtWlICTIGrORNlGgtL5vnG4Ri0VzpfMuN+EDueNxfVmeX1jR -vWmSugBfQBuNpQ== -=hIji ------END PGP PUBLIC KEY BLOCK----- diff --git a/tests/secretsForGpgFromEnv/secrets.yaml b/tests/secretsForGpgFromEnv/secrets.yaml deleted file mode 100644 index f6a981d1..00000000 --- a/tests/secretsForGpgFromEnv/secrets.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -secret: ENC[AES256_GCM,data:KOuR,iv:Z1uEWs6+N4O10CpUOregxx6ejQidoAIHuFeJA+3RwE4=,tag:eKkb91u4ueSYd4cXZ4uFJg==,type:int] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-09-14T16:31:32Z" - mac: ENC[AES256_GCM,data:hSG3DPDaWM5iFpGI9hgjWCwWLDeiM9ZffvMq1sOn6HTiEhnECv5o3+lxWTD08kf2yq9zSAuuraSI7KUbQSLgJrrgD9lrDGeMYakp8Cg1z0Wukyc0aNWzPijOinFUx+RMZ3Thwu+x6vYDW+Q2OTZBwaAhUmsFES/oin86u/4PELw=,iv:LxdZIkXjIQXVOPSpkhQDUajXTAK5cyyA1tgdEtBKbPA=,tag:gZsKboxuEQh4XjTu9Ub6uQ==,type:str] - pgp: - - created_at: "2021-09-14T16:31:31Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQGMA6RUVClfXUEDAQv9EyAANqoGd0/V6YP+B0cj7dwNEjYu9TSx+u5OZJ+a+ykc - ossITW0baHO777yTP0xrdVjkt3lWKlQ8JtRxGYBqM2uCkofLJHCDz7OA6vC8Seaz - cDdNXw518r2rl61Sw18ZdIUdjCGFlpICQhF/3V4tAiD9eP9wzGnoSxP3d5s81xJI - 5/e651dgofGrAXU+zkyqa6dt+yPRga6styQOE/kvW1mDGn7XKxrSZWUQ1JN3QNZA - bxIxN4Nkq6USHcnCzpmPQ+LPKo4jFqV2/A2fN0UTZUldV8rJaLj7xUKxJKDaQmsP - ZNLBk93vlxOe1/ZjF10bfjcKY/5Equ2+Jvm+gWJBp2Zgchtpkyyqt8RFct7hlDRP - cmOSSjW3ysXZy/LQqydm4p/TvnzcWB/2Lz7OHsYbWLI/5FnTpIrYAoWlqYVzvbPt - wfF4Jy1iT51DoGzd75PqInLLXRX7K3XZxSDmBvvc3Am45Zt7RXoDbfpke/BdAFnL - xhIxfcxVfr1d3xrQou1y0l4BtfqXqH6wQAaaVneHIB4CDTQfr2CMhKxhsv53FGWY - 3Nc46VLvhx13aHik1EvtUpQY2SssCpEjaAXbbfa/WMcnfktjLKERZmrI5aNpOaby - SOSXfwAnTkyexmADhogh - =ljLg - -----END PGP MESSAGE----- - fp: 7B11C92689AA50BE15563165B760FA0440E3769C - unencrypted_suffix: _unencrypted - version: 3.7.1 diff --git a/tests/terraform/makes.nix b/tests/terraform/makes.nix index 01b85507..ea0ba0c8 100644 --- a/tests/terraform/makes.nix +++ b/tests/terraform/makes.nix 
@@ -1,32 +1,14 @@
 { outputs, ... }: {
- deployTerraform = {
- modules = {
- module = {
- src = "/tests/terraform/module";
- version = "1.0";
- };
- };
+ deployTerraform.modules.module = {
+ src = "/tests/terraform/module";
+ version = "1.0";
 };
- envVarsForTerraform.example.VAR_NAME = "test";
- lintTerraform = {
- modules = {
- module = {
- src = "/tests/terraform/module";
- version = "1.0";
- };
- };
+ lintTerraform.modules.module = {
+ src = "/tests/terraform/module";
+ version = "1.0";
 };
- secretsForTerraformFromEnv = { example = { test = "VAR_NAME"; }; };
- testTerraform = {
- modules = {
- module = {
- setup = [
- outputs."/envVars/example"
- outputs."/secretsForTerraformFromEnv/example"
- ];
- src = "/tests/terraform/module";
- version = "1.0";
- };
- };
+ testTerraform.modules.module = {
+ src = "/tests/terraform/module";
+ version = "1.0";
 };
 }
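Review bot: The new `testTerraform.modules.module` no longer has a `setup` list, and `secretsForTerraformFromEnv.example` is removed with it, so nothing in this file exercises the `secretsForTerraformFromEnv` builtin any more. The commit does not deprecate that builtin; secrets.md and threat-model.md still list it. The removal looks like a side effect of `/envVars/example` having lived in the deleted tests/secretsForGpgFromEnv/makes.nix, though that is inferred from the other hunks. If the builtin is meant to stay covered, and assuming the `envVars` module itself is kept, define the variable locally with `envVars.example.VAR_NAME = "test";` and keep `secretsForTerraformFromEnv.example.test = "VAR_NAME";` plus the two-entry `setup` list. If the coverage drop is intended, the header can become `{ ... }: {`, since `outputs` is now unused, and the commit message should say that the Terraform secret test was removed too.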