Age

Uses age file encryption.

Note

You don't need to have the age binary installed in your PATH: the terraflex plugin automatically downloads a compatible version.

The age encryption type works with the Encryption state transformer.
The encryption plugin was designed to work with any type of storage provider.
The recommended storage providers are EnvVar, or 1Password if you have it, but you can always use the Local storage provider or even a custom-built storage provider.

Warning

Do not lose your private key. If you have already started using Terraflex with an encryption key and you lose that key, there is no way to recover the state file.

Tip

Use the 1Password storage provider if possible; it makes losing your encryption key much less likely.

Usage

Configuration for the Age encryption provider.

Attributes:

| Name | Type | Description |
| --- | --- | --- |
| import_from_storage | StorageProviderUsageConfig | usage reference to the storage provider where the private key is stored. |

Source code in terraflex/plugins/encryption_transformation/age/provider.py
class AgeKeyConfig(BaseModel):
    """Configuration for the Age encryption provider.

    Attributes:
        import_from_storage: usage reference to the storage provider where the private key is stored.
    """

    import_from_storage: StorageProviderUsageConfig

Example

Here is an example of a config file that uses age encryption:

terraflex.yaml
storage_providers:
  git-storage: # Initialize new storage provider - name can be anything
    type: git # In this case we use `git` storage provider
    origin_url: git@github.com:IamShobe/tf-state.git

  envvar-example: # Initialize new storage provider - name can be anything
    type: envvar # In this case we use `envvar` storage provider

transformers:
  encryption: # Initialize new transformer - Name can be anything, we use `encryption` for semantics.
    type: encryption # In this case we use `encryption` transformer
    key_type: age # We use `age` as the encryption provider
    import_from_storage:
      provider: envvar-example # Make sure name is matching your storage provider
      params:
        key: AGE_KEY # The environment variable name to use for the encryption key

stacks:
  my-stack: # Initialize new stack - Name can be anything
    transformers: # List of transformers to use in this specific stack
      - encryption # Make sure name is matching your transformer
    state_storage: # Terraform state storage configuration
      provider: git-storage # In this case we use our git storage provider
      params:
        path: terraform.tfstate # The path to the state file inside our repository
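
The config above depends on three name references lining up (key provider, transformer, state provider). The following pre-flight lint is an added example, not part of Terraflex: `lint_terraflex_config` and its findings are hypothetical, it takes the file as already parsed (for example by `yaml.safe_load`), and the rule that the key should not share a storage provider with the state is this example's own assumption.

```python
def lint_terraflex_config(cfg: dict) -> list[str]:
    """Lint a parsed terraflex.yaml; an empty list means no findings."""
    findings = []
    providers = cfg.get("storage_providers") or {}
    transformers = cfg.get("transformers") or {}

    def key_provider(t: dict):
        return (t.get("import_from_storage") or {}).get("provider")

    # Each encryption transformer must import its key from a declared provider.
    for name, t in transformers.items():
        if t.get("type") == "encryption" and key_provider(t) not in providers:
            findings.append(f"transformer {name!r}: unknown key provider {key_provider(t)!r}")

    for stack, s in (cfg.get("stacks") or {}).items():
        used = s.get("transformers") or []
        state = (s.get("state_storage") or {}).get("provider")
        if state not in providers:
            findings.append(f"stack {stack!r}: unknown state provider {state!r}")
        for name in used:
            if name not in transformers:
                findings.append(f"stack {stack!r}: unknown transformer {name!r}")
        enc = [transformers[n] for n in used
               if transformers.get(n, {}).get("type") == "encryption"]
        if not enc:
            findings.append(f"stack {stack!r}: state is stored without encryption")
        # This check's own assumption: a key kept in the same storage provider
        # as the state it protects is exposed together with that state.
        if any(key_provider(t) == state for t in enc):
            findings.append(f"stack {stack!r}: key and state share provider {state!r}")
    return findings

# Constructed sample: the page's terraflex.yaml as yaml.safe_load would return it.
SAMPLE = {
    "storage_providers": {
        "git-storage": {"type": "git", "origin_url": "git@github.com:IamShobe/tf-state.git"},
        "envvar-example": {"type": "envvar"},
    },
    "transformers": {"encryption": {
        "type": "encryption", "key_type": "age",
        "import_from_storage": {"provider": "envvar-example", "params": {"key": "AGE_KEY"}},
    }},
    "stacks": {"my-stack": {
        "transformers": ["encryption"],
        "state_storage": {"provider": "git-storage", "params": {"path": "terraform.tfstate"}},
    }},
}

print(lint_terraflex_config(SAMPLE) or "no findings")
```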