🔐 Secure Secret Management with SOPS in Terraform & Terragrunt

When managing infrastructure as code (IaC), keeping secrets safe while still making them accessible to Terraform/Terragrunt is a challenge. Storing secrets in plaintext is a security risk 🚨—and that’s where SOPS (Secrets OPerationS) comes in!

In this guide, we’ll cover:

• ✅ How to use SOPS with age and GPG
• ✅ How to configure SOPS with sops.yaml for better management
• ✅ How to use Terragrunt’s built-in SOPS decryption (without run_cmd)
• ✅ A GitHub Actions workflow to securely use secrets in CI/CD

📌 Why Use SOPS?

SOPS is an open-source tool from Mozilla that lets you encrypt and decrypt secrets easily. It supports multiple encryption methods, including GPG, AWS KMS, Azure Key Vault, Google Cloud KMS, and age.

Here’s why it’s awesome:

• ✅ Keeps secrets encrypted in Git repositories
• ✅ Works with YAML, JSON, ENV files
• ✅ Has built-in support in Terragrunt (no extra scripting needed!)
• ✅ Integrates with GitHub Actions, Kubernetes, and CI/CD pipelines

Now, let’s see how to use SOPS with age and GPG, then configure it properly for Terragrunt and GitHub Actions.

🔑 Using SOPS with age

Age is a modern, simple, and secure encryption tool. If you’re new to encryption, age is a great alternative to GPG.

✨ Step 1: Install age and sops

First, install age and sops:

sudo apt install age # Ubuntu/Debian 

✨ Step 2: Generate an age Key

Run:

age-keygen -o ~/.config/sops/age/keys.txt 

This will generate a key similar to:

# public key: age1xxxxxxx AGE-SECRET-KEY-1XXXXXXYYYYYYYYZZZZZZ 

Copy the public key (age1xxxxxxx)—this will be used for encryption.

✨ Step 3: Encrypt a YAML File with SOPS

Create a file called secrets.yaml:

db_user: "admin" db_password: "supersecret" 

Now, encrypt it using SOPS:

sops --encrypt --age age1xxxxxxx -i secrets.yaml 

If you open secrets.yaml, you'll see it's fully encrypted! 🛡️

To decrypt:

sops --decrypt secrets.yaml 

🔧 Configuring sops.yaml for Better Management

Instead of specifying the encryption method manually every time, SOPS supports a configuration file (.sops.yaml). This makes it easier to manage secrets across teams.

Create .sops.yaml in your repository:

creation_rules: - path_regex: secrets/.*\.yaml$ age: - age1xxxxxxx # Replace with your public key - path_regex: secrets/.*\.json$ pgp: - ABC12345 # Replace with your GPG key ID 

Now, when encrypting secrets inside the secrets/ folder, SOPS will automatically use the right encryption method! 🎉

Encrypt a new secret:

sops --encrypt -i secrets/app.yaml 

⚙️ Using SOPS with Terragrunt’s Built-in Decryption

Terragrunt has native support for SOPS, meaning you don’t need to use run_cmd(). Instead, you can directly reference encrypted files in your terragrunt.hcl.

✨ Step 1: Encrypt the Secrets

Create secrets.yaml:

aws_access_key: "AKIAxxxxxxxxxxxx" aws_secret_key: "abcdefghijklmno1234567890" 

Encrypt it:

sops --encrypt -i secrets.yaml 

✨ Step 2: Use Terragrunt's Built-in SOPS Decryption

Modify terragrunt.hcl:

locals { secrets = yamldecode(sops_decrypt_file("secrets.yaml")) } inputs = { aws_access_key = local.secrets.aws_access_key aws_secret_key = local.secrets.aws_secret_key } 

Now, when you run:

terragrunt apply 

Terragrunt automatically decrypts secrets.yaml without requiring external scripts! 🚀

🤖 Using SOPS in GitHub Actions

When using GitHub Actions, we need to decrypt secrets safely without exposing them.

✨ Step 1: Store the age Private Key in GitHub Secrets

Go to GitHub → Your Repo → Settings → Secrets and variables → Actions, and add:

• SOPS_AGE_KEY: The private key from ~/.config/sops/age/keys.txt

✨ Step 2: Use SOPS in a GitHub Workflow

Create .github/workflows/deploy.yml:

name: Deploy with Terraform & SOPS on: push: branches: - main jobs: deploy: runs-on: ubuntu-latest steps: - name: Checkout repository uses: actions/checkout@v4 - name: Install dependencies run: | sudo apt-get update sudo apt-get install -y sops age - name: Set up SOPS run: | mkdir -p ~/.config/sops/age/ echo "${{ secrets.SOPS_AGE_KEY }}" > ~/.config/sops/age/keys.txt chmod 600 ~/.config/sops/age/keys.txt - name: Decrypt Secrets run: sops --decrypt secrets.yaml > secrets.decrypted.yaml - name: Deploy with Terraform run: | terragrunt run-all apply --auto-approve 

🔥 What Happens in This Workflow?

1. Checks out the code ✅
2. Installs SOPS & age ✅
3. Loads the age private key from GitHub Secrets ✅
4. Decrypts secrets into a temporary file ✅
5. Runs Terraform/Terragrunt with the decrypted secrets ✅

Security Tip:
Make sure secrets.decrypted.yaml is ignored in .gitignore and is never committed to Git!

🎯 Wrapping Up

SOPS is a powerful and secure way to manage secrets for Terraform, Terragrunt, and GitHub Actions. With age encryption, .sops.yaml for better configuration, and Terragrunt's built-in decryption, managing secrets has never been easier! 💪

By integrating SOPS into your workflow, you get:

• ✅ Encrypted secrets in Git repositories
• ✅ Easy decryption in Terraform/Terragrunt
• ✅ Safe usage of secrets in CI/CD

Want to take it a step further? Try using AWS KMS, GCP KMS, or Azure Key Vault instead of age/GPG for even tighter security! 🔐🚀

Have questions or suggestions? Drop them in the comments! 💬

Happy clustering and stay safe ! 🔐