From 81188033768e65967b41cc2964466d463ae661b5 Mon Sep 17 00:00:00 2001 From: Ken Tso Date: Thu, 16 May 2019 13:15:36 +0900 Subject: [PATCH] expand file path to full path before processing so that `path_regex` can match on the full path --- README.rst | 30 ++++++++++++++++++++++++++++-- cmd/sops/main.go | 6 +++++- 2 files changed, 33 insertions(+), 3 deletions(-) diff --git a/README.rst b/README.rst index 843a24851..ae5392c76 100644 --- a/README.rst +++ b/README.rst @@ -471,7 +471,7 @@ Let's take an example: * file named **something.dev.yaml** should use one set of KMS A * file named **something.prod.yaml** should use another set of KMS B * other files use a third set of KMS C -* all live under **mysecretrepo/something.{dev,prod}.yaml** +* all live under **mysecretrepo/something.{dev,prod,gcp}.yaml** Under those circumstances, a file placed at **mysecretrepo/.sops.yaml** can manage the three sets of configurations for the three types of files: 
@@ -505,7 +505,33 @@ When creating any file under **mysecretrepo**, whether at the root or under a subdirectory, sops will recursively look for a ``.sops.yaml`` file. If one is found, the filename of the file being created is compared with the filename regexes of the configuration file. The first regex that matches is selected,
-and its KMS and PGP keys are used to encrypt the file.
+and its KMS and PGP keys are used to encrypt the file. It should be noted that
+the looking up of ``.sops.yaml`` is from the working directory (CWD) instead of
+the directory of the encrypting file (see `Issue 242 `_).
+
+The path_regex checks the full path of the encrypting file. Here is another example:
+
+* files located under directory **development** should use one set of KMS A
+* files located under directory **production** should use another set of KMS B
+* other files use a third set of KMS C
+
+.. code:: yaml
+
+ creation_rules:
+ # upon creation of a file under development,
+ # KMS set A is used
+ - path_regex: .*/development/.*
+ kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod'
+ pgp: '1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A'
+
+ # prod files use KMS set B in the PROD IAM
+ - path_regex: .*/production/.*
+ kms: 'arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod,arn:aws:kms:eu-central-1:361527076523:key/cb1fab90-8d17-42a1-a9d8-334968904f94+arn:aws:iam::361527076523:role/hiera-sops-prod'
+ pgp: '1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A'
+
+ # other files use KMS set C
+ - kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:142069644989:key/846cfb17-373d-49b9-8baf-f36b04512e47,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e'
+ pgp: 
'1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A' Creating a new file with the right keys is now as simple as
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index 18701f05d..ee17fec09 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -6,6 +6,7 @@ import (
 "net"
 "net/url"
 "os"
+ "path/filepath"
 "reflect"
 "strconv"
 "strings"
@@ -430,7 +431,10 @@ func main() {
 if c.Bool("in-place") && c.String("output") != "" {
 return common.NewExitError("Error: cannot operate on both --output and --in-place", codes.ErrorConflictingParameters)
 }
- fileName := c.Args()[0]
+ fileName, err := filepath.Abs(c.Args()[0])
+ if err != nil {
+ return toExitError(err)
+ }
 if _, err := os.Stat(fileName); os.IsNotExist(err) {
 if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-azure-kv") != "" || c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-azure-kv") != "" {
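Review bot: Replacing `fileName := c.Args()[0]` with `filepath.Abs(c.Args()[0])` changes what every existing `path_regex` in a `.sops.yaml` is matched against, and the new lines carry no comment or migration note saying so; a rule written against the bare file name with a `^` anchor will presumably stop matching and the file will fall through to a later rule (in the README example, the catch-all KMS set C), so it is silently encrypted to a different key set. A comment on the new line would make that contract visible: `// Absolute path so creation_rules path_regex entries can match on directory components; patterns anchored to the bare file name no longer match.` Note also that `filepath.Abs` only joins with the working directory and does not resolve symlinks, so a regex keyed on a directory name may not match a file reached through a symlinked path, which the README hunk could mention alongside the CWD caveat. The enclosing action closure and `func main()` begin before this hunk.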