// Example: Complete secrets workflow
//
// This demonstrates the difference between:
// 1. Bootstrap secrets (one-time setup) - SOPS_AGE_KEY, provider credentials
// 2. Stack-level secrets - loaded DURING parsing, used by Terraform
//
// NOTE: This is a syntax example only. To run it, you would need:
// - Actual SOPS-encrypted secrets/prod.yaml file
// - 1Password CLI configured
// - Bootstrap secrets set up
// ============================================================
// Bootstrap Setup (run once):
// ============================================================
// comet bootstrap add SOPS_AGE_KEY op://ci-cd/sops-age-key/private
// comet bootstrap add DIGITALOCEAN_TOKEN op://production/digitalocean/token
//
// These are cached in .comet/bootstrap.state and auto-loaded
// NOTE(review): if that cache holds the resolved secret values rather than
// only the op:// references, it must stay out of version control and be
// readable solely by the user running comet — confirm against comet's docs.
// ============================================================

// Identifiers shared by the state prefix and the TF_VAR_* block below.
const settings = {
  org: 'acme',
  app: 'myapp',
  env: 'production'
}

// Declare the stack; `settings` is handed over as stack configuration.
stack('complete-secrets', { settings })

metadata({
  description: 'Complete secrets workflow example (syntax only)',
  tags: ['example', 'secrets', 'sops', '1password']
})

// Remote Terraform state in GCS. Only `${settings.org}` and `${settings.app}`
// are JS interpolation; `{{ .stack }}` / `{{ .component }}` remain literal text
// in the resulting string, presumably filled in later by comet per component.
// Reminder: Terraform state stores resource attributes in plaintext, so any
// secrets() value that reaches a resource attribute will be present in this
// bucket — restrict bucket access to the identities that run Terraform.
backend('gcs', {
  bucket: 'my-terraform-state',
  prefix: `${settings.org}/${settings.app}/{{ .stack }}/{{ .component }}`
})

// Configure secrets defaults
// secretsConfig({
//   defaultProvider: 'sops',
//   defaultPath: 'secrets/prod.yaml'
// })

// Example components showing secret syntax
// Uncomment when you have actual secret files set up
//
// component('database', 'modules/database', {
//   // SOPS secret (requires SOPS_AGE_KEY from bootstrap)
//   admin_password: secrets('sops://secrets/prod.yaml#admin_password'),
//
//   // 1Password secret (loaded on-demand during stack parsing)
//   backup_credentials: secrets('op://production/database/backup-key'),
//
//   // Plain values work too
//   database_name: `${settings.app}_${settings.env}`
// })
//
// component('app', 'modules/app', {
//   // Mix and match secret sources
//   api_key: secrets('sops://secrets/prod.yaml#api_key'),
//   oauth_client_secret: secrets('op://production/oauth/client-secret'),
//
//   // Reference outputs from other components
//   database_host: state('database', 'host'),
//   database_port: state('database', 'port')
// })

// Bulk environment variables for Terraform. TF_VAR_<name> is how Terraform
// reads an input variable from the process environment.
// NOTE(review): keep this block to non-secret values; secret material should
// go through secrets() as shown above rather than through plain env vars —
// confirm how envs() values are surfaced (logs, child processes) before
// placing anything sensitive here.
envs({
  TF_VAR_region: 'us-west-2',
  TF_VAR_environment: settings.env
})