Merge branch 'master' into develop

README.rst

@@ -344,7 +344,7 @@ If you want to use a specific profile, you can do so with `aws_profile`:
 	sops:
 	    kms:
 	    -	arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e
-            aws_profile: foo
+	        aws_profile: foo
 
 If no AWS profile is set, default credentials will be used.
 
@@ -471,7 +471,7 @@ Let's take an example:
 * file named **something.dev.yaml** should use one set of KMS A
 * file named **something.prod.yaml** should use another set of KMS B
 * other files use a third set of KMS C
-* all live under **mysecretrepo/something.{dev,prod}.yaml**
+* all live under **mysecretrepo/something.{dev,prod,gcp}.yaml**
 
 Under those circumstances, a file placed at **mysecretrepo/.sops.yaml**
 can manage the three sets of configurations for the three types of files:
@@ -505,7 +505,33 @@ When creating any file under **mysecretrepo**, whether at the root or under
 a subdirectory, sops will recursively look for a ``.sops.yaml`` file. If one is
 found, the filename of the file being created is compared with the filename
 regexes of the configuration file. The first regex that matches is selected,
-and its KMS and PGP keys are used to encrypt the file.
+and its KMS and PGP keys are used to encrypt the file. It should be noted that
+the looking up of ``.sops.yaml`` is from the working directory (CWD) instead of
+the directory of the encrypting file (see `Issue 242 <https://github.com/mozilla/sops/issues/242>`_).
+
+The path_regex checks the full path of the encrypting file. Here is another example:
+
+* files located under directory **development** should use one set of KMS A
+* files located under directory **production** should use another set of KMS B
+* other files use a third set of KMS C
+
+.. code:: yaml
+
+    creation_rules:
+        # upon creation of a file under development,
+        # KMS set A is used
+        - path_regex: .*/development/.*
+          kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod'
+          pgp: '1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A'
+
+        # prod files use KMS set B in the PROD IAM
+        - path_regex: .*/production/.*
+          kms: 'arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod,arn:aws:kms:eu-central-1:361527076523:key/cb1fab90-8d17-42a1-a9d8-334968904f94+arn:aws:iam::361527076523:role/hiera-sops-prod'
+          pgp: '1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A'
+
+        # other files use KMS set C
+        - kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:142069644989:key/846cfb17-373d-49b9-8baf-f36b04512e47,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e'
+          pgp: '1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A'
 
 Creating a new file with the right keys is now as simple as
 

cmd/sops/main.go

@@ -6,6 +6,7 @@ import (
 	"net"
 	"net/url"
 	"os"
+	"path/filepath"
 	"reflect"
 	"strconv"
 	"strings"
@@ -430,7 +431,10 @@ func main() {
 		if c.Bool("in-place") && c.String("output") != "" {
 			return common.NewExitError("Error: cannot operate on both --output and --in-place", codes.ErrorConflictingParameters)
 		}
-		fileName := c.Args()[0]
+		fileName, err := filepath.Abs(c.Args()[0])
+		if err != nil {
+			return toExitError(err)
+		}
 		if _, err := os.Stat(fileName); os.IsNotExist(err) {
 			if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-azure-kv") != "" ||
 				c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-azure-kv") != "" {