const (
	// TfstateFilename is the default terraform state file name.
	TfstateFilename = "terraform.tfstate"
	// TfstateBkpFilename is the default name of terraform's own state backup file.
	TfstateBkpFilename = "terraform.tfstate.backup"
	// TfvarsFilename is the default terraform variables file name.
	TfvarsFilename = "terraform.tfvars"
	// ThBkpExtension is the file extension used for terrahelp backup copies
	// (presumably appended to the original file name; see TfstateOpts.BkpExt).
	ThBkpExtension = ".terrahelpbkp"
	// ThNamedEncryptionKey is default Vault named encryption key
	ThNamedEncryptionKey = "terrahelp"
)
Default file related values
const (
	// ThEncryptProviderSimple names the provider backed by SimpleEncrypter
	// (local AES based encryption with a caller supplied key).
	ThEncryptProviderSimple = "simple"
	// ThEncryptProviderVault names the provider backed by VaultEncrypter
	// (encryption performed by Vault's transit backend).
	ThEncryptProviderVault = "vault"
)
Valid encryption providers
const (
	// ThEncryptModeInline is the mode reported by TfstateOpts.InlineMode.
	ThEncryptModeInline = "inline"
	// ThEncryptModeFull is the alternative mode; presumably the whole file
	// content is encrypted rather than selected values — confirm against Tfstate.Encrypt.
	ThEncryptModeFull = "full"
)
Valid encryption modes
type CryptoWrapError ¶ added in v0.2.1
type CryptoWrapError struct {
// contains filtered or unexported fields
}
A CryptoWrapError describes an error where a missing or invalid use of the terrahelp wrapper value (i.e. @terrahelp-encrypted()) prevents the encryption or decryption from being performed
func (*CryptoWrapError) Error ¶ added in v0.2.1
func (e *CryptoWrapError) Error() string
type DefaultVaultClient ¶
DefaultVaultClient provides a wrapper around the core Vault client and uses it to provide the required functionality
func NewDefaultVaultClient ¶
func NewDefaultVaultClient() (*DefaultVaultClient, error)
NewDefaultVaultClient creates a new DefaultVaultClient
func (*DefaultVaultClient) Decrypt ¶
func (v *DefaultVaultClient) Decrypt(key, ciphertext string) (string, error)
Decrypt uses the named encryption key to decrypt the supplied content
func (*DefaultVaultClient) Encrypt ¶
func (v *DefaultVaultClient) Encrypt(key, b64text string) (string, error)
Encrypt uses the named encryption key to encrypt the supplied content
func (*DefaultVaultClient) MountTransitBackend ¶
func (v *DefaultVaultClient) MountTransitBackend() error
MountTransitBackend ensures the transit backend is mounted
func (*DefaultVaultClient) RegisterNamedEncryptionKey ¶
func (v *DefaultVaultClient) RegisterNamedEncryptionKey(key string) error
RegisterNamedEncryptionKey registers the named encryption key within Vault's transit backend
type Encrypter ¶
type Encrypter interface {
	// Init performs any provider specific setup required before the
	// backend can be used with the given key.
	Init(key string) error
	// Decrypt returns the plaintext for b using the given key.
	Decrypt(key string, b []byte) ([]byte, error)
	// Encrypt returns the ciphertext for b using the given key.
	Encrypt(key string, b []byte) ([]byte, error)
}
Encrypter defines the functionality required to be supported by crypto backends which are to be used for encrypting and decrypting tfstate files
type MockVaultClient ¶
type MockVaultClient struct {
// contains filtered or unexported fields
}
MockVaultClient provides a mock implementation of the VaultClient interface for testing purposes
func NewMockVaultClient ¶
func NewMockVaultClient() *MockVaultClient
NewMockVaultClient creates a new MockVaultClient
func (*MockVaultClient) Decrypt ¶
func (m *MockVaultClient) Decrypt(key, s string) (string, error)
Decrypt uses the named encryption key to mock decrypt the supplied content
func (*MockVaultClient) Encrypt ¶
func (m *MockVaultClient) Encrypt(key, s string) (string, error)
Encrypt uses the named encryption key to mock encrypt the supplied content
func (*MockVaultClient) MountTransitBackend ¶
func (m *MockVaultClient) MountTransitBackend() error
MountTransitBackend mocks the mounting of the transit backend
func (*MockVaultClient) RegisterNamedEncryptionKey ¶
func (m *MockVaultClient) RegisterNamedEncryptionKey(key string) error
RegisterNamedEncryptionKey registers the named encryption key within the mock Vault service
type SimpleEncrypter ¶
type SimpleEncrypter struct{}
SimpleEncrypter provides basic AES based encryption
func NewSimpleEncrypter ¶
func NewSimpleEncrypter() *SimpleEncrypter
NewSimpleEncrypter creates a new SimpleEncrypter with default configuration
func (*SimpleEncrypter) Decrypt ¶
func (s *SimpleEncrypter) Decrypt(key string, b []byte) ([]byte, error)
Decrypt will use the supplied AES key to decrypt the byte content provided.
func (*SimpleEncrypter) Encrypt ¶
func (s *SimpleEncrypter) Encrypt(key string, b []byte) ([]byte, error)
Encrypt will perform AES based encryption on the byte content provided. The key should be an AES key of either 16 or 32 characters, which then informs whether AES-128 or AES-256 encryption is applied.
func (*SimpleEncrypter) Init ¶
func (s *SimpleEncrypter) Init(key string) error
Init is used to initialise Vault for the purposes of using its encryption as a service functionality
type Tfstate ¶
type Tfstate struct {
	// Encrypter is the crypto backend used to encrypt and decrypt tfstate content.
	Encrypter Encrypter
}
Tfstate holds the details about and exposes actions which can be performed on terraform tfstate files
func (*Tfstate) Decrypt ¶
func (t *Tfstate) Decrypt(ctx *TfstateOpts) error
Decrypt will ensure appropriate aspects of the tfstate files are decrypted as per the configured options supplied
func (*Tfstate) Encrypt ¶
func (t *Tfstate) Encrypt(ctx *TfstateOpts) error
Encrypt will ensure appropriate aspects of the tfstate files are encrypted as per the configured options supplied
func (*Tfstate) Init ¶
func (t *Tfstate) Init(ctx *TfstateOpts) error
Init provides the opportunity for the Encrypter provider to perform any additional config or initialisation which may be required before use
type TfstateOpts ¶
type TfstateOpts struct {
	// TfstateFile is the state file to operate on.
	TfstateFile string
	// TfStateBkpFile is terraform's own state backup file to operate on.
	TfStateBkpFile string
	// TfvarsFilename is the terraform variables file to operate on.
	TfvarsFilename string
	// EncProvider selects the encryption provider (ThEncryptProviderSimple or ThEncryptProviderVault).
	EncProvider string
	// EncMode selects the encryption mode (ThEncryptModeInline or ThEncryptModeFull).
	EncMode string
	// NamedEncKey is the Vault named encryption key used by the vault provider.
	NamedEncKey string
	// SimpleKey is the AES key used by the simple provider; it is held in
	// memory as a plain string, so treat this struct as sensitive.
	SimpleKey string
	// BkpExt is the extension used for backup copies (see ThBkpExtension).
	BkpExt string
	// NoBackup presumably disables writing backup copies before modifying files — confirm.
	NoBackup bool
	// AllowDoubleEncrypt presumably permits encrypting content that is already
	// wrapped as encrypted — confirm against Tfstate.Encrypt.
	AllowDoubleEncrypt bool
}
TfstateOpts holds the options detailing how and on what state files to perform the vault based encryption and decryption.
func NewDefaultTfstateOpts ¶
func NewDefaultTfstateOpts() *TfstateOpts
NewDefaultTfstateOpts creates TfstateOpts with all the default values set
func (*TfstateOpts) InlineMode ¶
func (o *TfstateOpts) InlineMode() bool
InlineMode returns true if the encryption mode is 'inline'
func (*TfstateOpts) ValidateForEncryptDecrypt ¶
func (o *TfstateOpts) ValidateForEncryptDecrypt() error
ValidateForEncryptDecrypt ensures valid options have been set for the encryption / decryption process
type Tfvars ¶
type Tfvars struct{}
Tfvars provides utility functions pertaining to the terraform.tfvars file
type VaultClient ¶
type VaultClient interface {
	// RegisterNamedEncryptionKey registers the named encryption key
	// within Vault's transit backend
	RegisterNamedEncryptionKey(key string) error
	// MountTransitBackend ensures the transit backend is mounted
	MountTransitBackend() error
	// Encrypt uses the named encryption key to encrypt the supplied content
	Encrypt(key, text string) (string, error)
	// Decrypt uses the named encryption key to decrypt the supplied content
	Decrypt(key, ciphertext string) (string, error)
	// contains filtered or unexported methods
}
VaultClient defines the basic functionality required by terrahelp when interacting with Vault
type VaultEncrypter ¶
type VaultEncrypter struct {
// contains filtered or unexported fields
}
VaultEncrypter wraps the real core Vault client exposing convenient methods required to interact with Vault in order to perform encrypting and decrypting of tfstate files
func NewVaultEncrypter ¶
func NewVaultEncrypter() (*VaultEncrypter, error)
NewVaultEncrypter creates a new VaultEncrypter
func (*VaultEncrypter) Decrypt ¶
func (cu *VaultEncrypter) Decrypt(key string, ciphertext []byte) ([]byte, error)
Decrypt uses the named encryption key to decrypt the provided ciphertext
func (*VaultEncrypter) Encrypt ¶
func (cu *VaultEncrypter) Encrypt(key string, plaintext []byte) ([]byte, error)
Encrypt uses the named encryption key to encrypt the provided plaintext
func (*VaultEncrypter) Init ¶
func (cu *VaultEncrypter) Init(key string) error
Init is used to initialise the VaultEncrypter for the purposes of using its encryption as a service functionality