Encrypt MACH composer configuration

A MACH composer configuration typically contains secrets that are configured on the components as well as secrets used to configure the integrations.

We recommend using SOPS to encrypt your MACH composer configuration files, or the sensitive parts of them.

Using SOPS

Encrypting your file can be done with the sops --encrypt command. Point SOPS at the key for your cloud provider, then encrypt only the values whose key name contains "secret" or "token":

AWS

$ export SOPS_KMS_ARN="arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500"
$ sops -e --encrypted-regex '^(.*(secret|token).*)$' main.yml > main.enc.yml
$ mv main.enc.yml main.yml

Azure

$ export SOPS_AZURE_KEYVAULT_URLS="<your-key>"
$ sops -e --encrypted-regex '^(.*(secret|token).*)$' main.yml > main.enc.yml
$ mv main.enc.yml main.yml

GCP

First, log in to gcloud, then:

$ sops -e --encrypted-regex '^(.*(secret|token).*)$' main.yml > main.enc.yml
$ mv main.enc.yml main.yml
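The --encrypted-regex decides which values are encrypted: SOPS encrypts a value when any key on its path matches, so everything under a secrets: block is covered, while the match is case-sensitive and a key like SERVICE_TOKEN under variables: is not. The following added example (not MACH composer or SOPS code; the config tree and its values are constructed) walks a parsed config the way SOPS does, lists the leaves the regex covers, and flags covered leaves that are still plaintext, a check worth running before committing an encrypted file.

```python
import re

# Regex from the page: values under a key containing 'secret' or 'token'.
ENCRYPTED_REGEX = re.compile(r"^(.*(secret|token).*)$")

# Constructed parsed form of a main.yml after a partial encryption run
# (hypothetical values; one secret was added later and is still plaintext).
CONFIG = {
    "global": {"environment": "test", "cloud": "aws"},
    "sites": [{
        "identifier": "my-site",
        "components": [{
            "name": "api",
            "variables": {
                "API_URL": "https://api.example.test",
                "SERVICE_TOKEN": "plain",  # NOT covered: the regex is case-sensitive
            },
            "secrets": {
                "API_TOKEN": "ENC[AES256_GCM,data:c2VjcmV0,iv:aXY=,tag:dGFn,type:str]",
                "DB_PASSWORD": "hunter2",  # covered via the parent key, still plaintext
            },
        }],
    }],
}

def _walk(node, path=()):
    """Yield (key_path, value) per leaf; list items add no key name, as in sops."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + (str(key),))
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item, path)
    else:
        yield path, node

def _covered(path, regex):  # sops encrypts a leaf when any key on its path matches
    return any(regex.match(key) for key in path)

def covered_leaves(tree, regex=ENCRYPTED_REGEX):
    """Dotted paths of the leaves the regex would encrypt."""
    return sorted(".".join(p) for p, _ in _walk(tree) if _covered(p, regex))

def plaintext_leaks(tree, regex=ENCRYPTED_REGEX):
    """Covered leaves whose value is not a sops ciphertext (ENC[...])."""
    return sorted(".".join(p) for p, v in _walk(tree)
                  if _covered(p, regex) and not str(v).startswith("ENC["))

if __name__ == "__main__":
    print("plaintext leaks:", plaintext_leaks(CONFIG))  # -> [...secrets.DB_PASSWORD]
```

If the list of leaks is non-empty, re-run sops -e on the file before committing it; widening the regex (for example adding password) is the fix for keys like DB_PASSWORD that the page's pattern does not cover on its own.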

Decrypt during deployment

MACH composer offers built-in support for decrypting sops-encrypted files automatically.

When MACH composer encounters an encrypted YAML file, it attempts to decrypt the file before running generate, plan or apply. Make sure that your CI/CD environment has access to the appropriate encryption keys in AWS KMS or Azure KeyVault.

Decrypting manually

Decrypting the configuration manually can be done as follows:

$ sops -d main.yml --output-type=yaml > main.yml.dec

And you can then execute MACH composer with this decrypted file:

$ mach-composer apply -f main.yml.dec

Encrypted variables

Just as you can encrypt your MACH composer configuration, you can also use an encrypted variable file in your configuration.

For example, if you would run MACH composer with

$ mach-composer apply -f main.yml --var-file variables.yml

and variables.yml is encrypted with SOPS, MACH composer will use terraform-sops to make sure the encrypted variables are used in a secure manner.

Using variables

See the variables documentation for more information on using variables and variable files in MACH composer.