juxt

martinklepsch 2018-02-02T17:46:46.000538Z

I’m trying to get some terraform output into an edn file (for aero) but am struggling to see how to do it best. Planck or similar seems obvious, but the issue is that I also need to decrypt a secret and I’m not sure how to do that with planck’s sh function — seems that piping doesn’t quite work. Does anyone have experience/advice to share in this regard? (Figured I’d ask here because you seem to be using terraform and aero in combination)

martinklepsch 2018-02-02T17:55:07.000491Z

Do you use terraform template files? If you do, how do you handle the decrypting? Or do you decrypt on the server?

dominicm 2018-02-02T17:56:35.000372Z

We use lumo.

dominicm 2018-02-02T17:57:00.000156Z

We generate terraform json. What do you mean by decrypting? The answer is probably "it depends"

martinklepsch 2018-02-02T17:57:47.000414Z

That’s your favorite answer, @dominicm, isn’t it? 😛

dominicm 2018-02-02T17:58:29.000238Z

I'm afraid so :D

martinklepsch 2018-02-02T17:58:54.000116Z

So my secret key is encrypted using a PGP key — I could just not do that but the docs recommended it so I did 😛

martinklepsch 2018-02-02T17:59:21.000078Z

Do you read terraform JSON in your aero configs using a custom literal?

martinklepsch 2018-02-02T18:00:11.000087Z

If so, what are you using Lumo for? @dominicm 🤔

dominicm 2018-02-02T18:02:09.000284Z

We go the other way. We run a script in lumo that reads aero and generates terraform JSON.

dominicm 2018-02-02T18:03:48.000258Z

So, the PGP thing is down to your security profile for the value. The fact is that you need to get your private key somewhere. Is it okay if the server stores it in plaintext? We use AWS KMS, which means that the ec2 server is the only thing with permission, and it reads some start-up data to find the encrypted payload. If you're using PGP, you might be better off using clj and Java's BouncyCastle.

martinklepsch 2018-02-02T18:07:57.000069Z

I guess I’m fine with it being on the server in plaintext

martinklepsch 2018-02-02T18:08:17.000048Z

I think I might have an idea how to proceed