Encryption

The encryption transformer encrypts and decrypts the Terraform state file.
It is built in a modular way so that encryption providers can be added easily.

Note

See entrypoint for additional information about the entrypoint.

Usage

Transformer that encrypts and decrypts the content of the files using the specified encryption provider.

Attributes:

| Name | Type | Description |
| --- | --- | --- |
| `key_type` | `str` | The type of the encryption key. |
| `**kwargs` | `str` | Additional configuration for the encryption provider. |

Example

Encryption transformer with age encryption provider:

type: encryption
key_type: age
import_from_storage:
    provider: envvar
    params:
        key: AGE_PRIVATE_KEY

Source code in terraflex/plugins/encryption_transformation/encryption_transformation_provider.py
from pydantic import BaseModel, ConfigDict


class EncryptionTransformerConfig(BaseModel):
    """Transformer that encrypts and decrypts the content of the files using the specified encryption provider.

    Attributes:
        key_type: The type of the encryption key.
        **kwargs: Additional configuration for the encryption provider.

    Example:
        Encryption transformer with `age` encryption provider:
        ```yaml
        type: encryption
        key_type: age
        import_from_storage:
            provider: envvar
            params:
                key: AGE_PRIVATE_KEY
        ```
    """

    model_config = ConfigDict(extra="allow")
    key_type: str

Encryption Protocol Specification

EncryptionProtocol

Bases: Protocol

Protocol for encryption providers.

Every encryption provider must implement the EncryptionProtocol methods and register under the terraflex.plugins.transformer.encryption entrypoint.

Example

Register age encryption provider - if your project is based on poetry:

[tool.poetry.plugins."terraflex.plugins.transformer.encryption"]
age = "terraflex.plugins.encryption_transformation.age.provider:AgeEncryptionProvider"

Source code in terraflex/plugins/encryption_transformation/encryption_base.py
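from typing import Any, Protocol, Self, runtime_checkable  # Self: Python 3.11+

# StorageProviderProtocol and DependenciesManager are terraflex types
# imported elsewhere in this module.


@runtime_checkable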
class EncryptionProtocol(Protocol):
    """Protocol for encryption providers.


    Every encryption provider must implement the `EncryptionProtocol` methods and register under the `terraflex.plugins.transformer.encryption` entrypoint.

    Example:
        Register age encryption provider - if your project is based on poetry:
        ```toml
        [tool.poetry.plugins."terraflex.plugins.transformer.encryption"]
        age = "terraflex.plugins.encryption_transformation.age.provider:AgeEncryptionProvider"
        ```
    """

    @classmethod
    async def from_config(
        cls,
        raw_config: Any,
        *,
        storage_providers: dict[str, StorageProviderProtocol],
        manager: DependenciesManager,
    ) -> Self:
        """Create an instance of the encryption provider from the configuration.

        Args:
            raw_config: The raw configuration propagated from the transformer config.
            storage_providers: All the initialized storage providers specified in the config file.
            manager: The dependencies manager, used to request the path of a binary.

        Returns:
            The initialized instance of the encryption provider.
        """
        ...

    async def encrypt(self, file_name: str, content: bytes) -> bytes:
        """Encrypt the content of the file.

        Args:
            file_name: The name of the file.
            content: The content of the file.

        Returns:
            The encrypted content.
        """
        ...

    async def decrypt(self, file_name: str, content: bytes) -> bytes:
        """Decrypt the content of the file.

        Args:
            file_name: The name of the file.
            content: The content of the file.

        Returns:
            The decrypted content.
        """
        ...

decrypt(file_name, content) async

Decrypt the content of the file.

Parameters:

| Name | Type | Description | Default |
| --- | --- | --- | --- |
| `file_name` | `str` | The name of the file. | required |
| `content` | `bytes` | The content of the file. | required |

Returns:

| Type | Description |
| --- | --- |
| `bytes` | The decrypted content. |

Source code in terraflex/plugins/encryption_transformation/encryption_base.py
async def decrypt(self, file_name: str, content: bytes) -> bytes:
    """Decrypt the content of the file.

    Args:
        file_name: The name of the file.
        content: The content of the file.

    Returns:
        The decrypted content.
    """
    ...

encrypt(file_name, content) async

Encrypt the content of the file.

Parameters:

| Name | Type | Description | Default |
| --- | --- | --- | --- |
| `file_name` | `str` | The name of the file. | required |
| `content` | `bytes` | The content of the file. | required |

Returns:

| Type | Description |
| --- | --- |
| `bytes` | The encrypted content. |

Source code in terraflex/plugins/encryption_transformation/encryption_base.py
async def encrypt(self, file_name: str, content: bytes) -> bytes:
    """Encrypt the content of the file.

    Args:
        file_name: The name of the file.
        content: The content of the file.

    Returns:
        The encrypted content.
    """
    ...

from_config(raw_config, *, storage_providers, manager) async classmethod

Create an instance of the encryption provider from the configuration.

Parameters:

| Name | Type | Description | Default |
| --- | --- | --- | --- |
| `raw_config` | `Any` | The raw configuration propagated from the transformer config. | required |
| `storage_providers` | `dict[str, StorageProviderProtocol]` | All the initialized storage providers specified in the config file. | required |
| `manager` | `DependenciesManager` | The dependencies manager, used to request the path of a binary. | required |

Returns:

| Type | Description |
| --- | --- |
| `Self` | The initialized instance of the encryption provider. |

Source code in terraflex/plugins/encryption_transformation/encryption_base.py
@classmethod
async def from_config(
    cls,
    raw_config: Any,
    *,
    storage_providers: dict[str, StorageProviderProtocol],
    manager: DependenciesManager,
) -> Self:
    """Create an instance of the encryption provider from the configuration.

    Args:
        raw_config: The raw configuration propagated from the transformer config.
        storage_providers: All the initialized storage providers specified in the config file.
        manager: The dependencies manager, used to request the path of a binary.

    Returns:
        The initialized instance of the encryption provider.
    """
    ...
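
A provider implementing the `encrypt` and `decrypt` methods documented above, together with a conformance check to run before registering it, as an added example that is not terraflex code. `HmacStreamProvider`, `check_provider` and `run_checks` are hypothetical names, `from_config` is omitted because it depends on terraflex types, and the HMAC-based cipher is a dependency-free stand-in for a vetted tool such as age; authenticating `file_name` is a design choice of this example, not something the protocol requires.

```python
import asyncio, hashlib, hmac, os

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class HmacStreamProvider:
    """Hypothetical provider; the cipher is a stdlib stand-in, not a replacement for age."""
    def __init__(self, key: bytes) -> None:
        # Separate subkeys for the keystream and for authentication.
        self._enc, self._mac = _prf(key, b"enc"), _prf(key, b"mac")

    def _xor(self, nonce: bytes, data: bytes) -> bytes:
        stream = b"".join(_prf(self._enc, nonce + i.to_bytes(8, "big"))
                          for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, stream))

    def _tag(self, file_name: str, nonce: bytes, body: bytes) -> bytes:
        # file_name is authenticated, so a blob cannot be replayed under another name.
        name = file_name.encode()
        return _prf(self._mac, len(name).to_bytes(4, "big") + name + nonce + body)

    async def encrypt(self, file_name: str, content: bytes) -> bytes:
        nonce = os.urandom(16)
        body = self._xor(nonce, content)
        return nonce + body + self._tag(file_name, nonce, body)

    async def decrypt(self, file_name: str, content: bytes) -> bytes:
        nonce, body, tag = content[:16], content[16:-32], content[-32:]
        if len(content) < 48 or not hmac.compare_digest(tag, self._tag(file_name, nonce, body)):
            raise ValueError("ciphertext failed authentication")
        return self._xor(nonce, body)

async def check_provider(p) -> dict[str, bool]:
    # Constructed sample state; no real secret.
    name, state = "terraform.tfstate", b'{"outputs": {"db_password": "constructed-secret"}}'
    ct = await p.encrypt(name, state)
    async def rejected(file_name: str, blob: bytes) -> bool:
        try:
            await p.decrypt(file_name, blob)
        except ValueError:
            return True
        return False

    return {"round_trip": await p.decrypt(name, ct) == state,
            "no_plaintext": b"constructed-secret" not in ct,
            "tamper_rejected": await rejected(name, ct[:20] + bytes([ct[20] ^ 1]) + ct[21:]),
            "rename_rejected": await rejected("other.tfstate", ct)}

def run_checks() -> dict[str, bool]:
    return asyncio.run(check_provider(HmacStreamProvider(os.urandom(32))))
```

`check_provider` accepts any object with the two async methods, so the same checks can be pointed at another provider; a provider that does not authenticate the file name will report `rename_rejected` as false.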