Encrypt MACH configuration
A MACH configuration typically contains secrets that are configured on the components as well as secrets used to configure the integrations.
We recommend using SOPS to encrypt your MACH configuration files or a part of it.
Encrypting your file can be done with the sops --encrypt command.
With AWS KMS:
$ export SOPS_KMS_ARN="arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500"
$ sops -e --encrypted-regex '^(.*(secret|token).*)$' main.yml > main.enc.yml
$ mv main.enc.yml main.yml
With Azure Key Vault:
$ export SOPS_AZURE_KEYVAULT_URLS="https://yoursharedsops.vault.azure.net/keys/sops-key/<your-key>"
$ sops -e --encrypted-regex '^(.*(secret|token).*)$' main.yml > main.enc.yml
$ mv main.enc.yml main.yml
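The --encrypted-regex above only encrypts keys whose name contains secret or token (case-sensitively), together with everything nested below such a key. As an added example that is not part of the MACH composer docs or tool, the Python check below mirrors that key walk over a parsed configuration: it reports values that look sensitive but the regex would leave in plaintext, and verifies that an encrypted file carries sops metadata with ENC[...] values where expected. The sample config, the list of sensitive key names and the top-level "sops" metadata key are constructed assumptions.

```python
import re

# The --encrypted-regex from the sops command above: sops tests every key against it and,
# once a key matches, encrypts the whole subtree below that key. The regex is case-sensitive.
ENCRYPTED_REGEX = re.compile(r"^(.*(secret|token).*)$")
# Key names a reviewer would treat as sensitive (an assumption; extend for your own naming).
SENSITIVE_HINTS = re.compile(r"secret|token|password|passwd|api_key|private_key|credential", re.I)

# Constructed MACH-style configuration, as it looks once the YAML has been parsed.
SAMPLE_CONFIG = {
    "mach_composer": {"version": "1.0.0"},
    "sites": [{
        "identifier": "my-site",
        "commercetools": {
            "project_key": "my-project",
            "client_id": "abc",
            "client_secret": "plaintext-before-encryption",
        },
        "components": [{
            "name": "api-extensions",
            "variables": {"database_password": "hunter2", "SENTRY_TOKEN": "st_123"},
            "secrets": {"PAYMENT_TOKEN": "tok_123"},
        }],
    }],
}

def walk(node, path=(), encrypted=False):
    """Yield (path, value, encrypted) for every scalar, mirroring sops' key walk."""
    if isinstance(node, dict):
        for key, value in node.items():
            hit = encrypted or bool(ENCRYPTED_REGEX.match(str(key)))
            yield from walk(value, path + (str(key),), hit)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from walk(item, path + (str(index),), encrypted)
    else:
        yield path, node, encrypted

def unencrypted_sensitive_values(config):
    """Dotted paths of values that look sensitive but the regex would leave in plaintext."""
    return [".".join(path) for path, _value, encrypted in walk(config)
            if not encrypted and SENSITIVE_HINTS.search(path[-1])]

def is_fully_encrypted(config):
    """True if sops metadata is present and every value sops should have encrypted is ENC[...]."""
    if "sops" not in config:
        return False
    body = {key: value for key, value in config.items() if key != "sops"}
    return all(str(value).startswith("ENC[") for _path, value, encrypted in walk(body) if encrypted)
```

Running unencrypted_sensitive_values(SAMPLE_CONFIG) flags database_password and SENTRY_TOKEN under variables, the latter because the regex has no case-insensitive flag; widen the regex or move such values under secrets.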
Decrypt during deployment
MACH composer offers built-in support for decrypting sops-encrypted files automatically.
When MACH composer encounters an encrypted YAML file, it will attempt to decrypt the file prior to the execution of
Make sure that your CI/CD environment has access to the appropriate encryption keys in AWS KMS or Azure KeyVault.
Manual decrypting of the configuration can be done as follows:
$ sops -d main.yml --output-type=yaml > main.yml.dec
And you can then execute MACH composer with this decrypted file:
$ mach apply -f main.yml.dec
Just as you would encrypt your MACH configuration, you can also use an encrypted variable file in your configuration.
For example, if you run MACH with
mach apply -f main.yml --var-file variables.yml
and variables.yml is encrypted with SOPS, MACH will use terraform-sops to make sure the encrypted variables are used in a secure manner.
More info on using variables and variable files in MACH.