Merge pull request #1417 from dsalaza4/main

refac(back): #1378 deprecate secrets for gpg

Author: drestrepom

.github/workflows/dev.yml

@@ -55,22 +55,6 @@ jobs:
         env:
           CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
-  linux_envVars_example:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
-      - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845
-        name: /envVars/example
-        with:
-          args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /envVars/example"
-  macos_envVars_example:
-    runs-on: macos-latest
-    steps:
-      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
-      - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
-      - name: /envVars/example
-        run: nix-env -if . && m . /envVars/example
-
   linux_formatBash:
     runs-on: ubuntu-latest
     steps:
@@ -244,38 +228,6 @@ jobs:
         with:
           args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /lintWithAjv/test"
 
-  linux_secretsForEnvFromSops_example:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
-      - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845
-        name: /secretsForEnvFromSops/example
-        with:
-          args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /secretsForEnvFromSops/example"
-  macos_secretsForEnvFromSops_example:
-    runs-on: macos-latest
-    steps:
-      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
-      - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
-      - name: /secretsForEnvFromSops/example
-        run: nix-env -if . && m . /secretsForEnvFromSops/example
-
-  linux_secretsForGpgFromEnv_example:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
-      - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845
-        name: /secretsForGpgFromEnv/example
-        with:
-          args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /secretsForGpgFromEnv/example"
-  macos_secretsForGpgFromEnv_example:
-    runs-on: macos-latest
-    steps:
-      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
-      - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
-      - name: /secretsForGpgFromEnv/example
-        run: nix-env -if . && m . /secretsForGpgFromEnv/example
-
   linux_testLicense:
     runs-on: ubuntu-latest
     steps:
@@ -340,22 +292,6 @@ jobs:
       - name: /tests/makeScript
         run: nix-env -if . && m . /tests/makeScript
 
-  linux_tests_secretsForGpgFromEnv:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
-      - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845
-        name: /tests/secretsForGpgFromEnv
-        with:
-          args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /tests/secretsForGpgFromEnv"
-  macos_tests_secretsForGpgFromEnv:
-    runs-on: macos-latest
-    steps:
-      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
-      - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
-      - name: /tests/secretsForGpgFromEnv
-        run: nix-env -if . && m . /tests/secretsForGpgFromEnv
-
   linux_testTerraform_module:
     runs-on: ubuntu-latest
     steps:

.github/workflows/prod.yml

@@ -133,26 +133,6 @@ jobs:
         env:
           CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
-  linux_envVars_example:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
-      - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845
-        name: /envVars/example
-        with:
-          args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /envVars/example"
-        env:
-          CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-  macos_envVars_example:
-    runs-on: macos-latest
-    steps:
-      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
-      - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
-      - name: /envVars/example
-        run: nix-env -if . && m . /envVars/example
-        env:
-          CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
   linux_formatBash:
     runs-on: ubuntu-latest
     steps:
@@ -368,46 +348,6 @@ jobs:
         env:
           CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
-  linux_secretsForEnvFromSops_example:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
-      - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845
-        name: /secretsForEnvFromSops/example
-        with:
-          args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /secretsForEnvFromSops/example"
-        env:
-          CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-  macos_secretsForEnvFromSops_example:
-    runs-on: macos-latest
-    steps:
-      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
-      - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
-      - name: /secretsForEnvFromSops/example
-        run: nix-env -if . && m . /secretsForEnvFromSops/example
-        env:
-          CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
-  linux_secretsForGpgFromEnv_example:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
-      - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845
-        name: /secretsForGpgFromEnv/example
-        with:
-          args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /secretsForGpgFromEnv/example"
-        env:
-          CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-  macos_secretsForGpgFromEnv_example:
-    runs-on: macos-latest
-    steps:
-      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
-      - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
-      - name: /secretsForGpgFromEnv/example
-        run: nix-env -if . && m . /secretsForGpgFromEnv/example
-        env:
-          CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
   linux_testLicense:
     runs-on: ubuntu-latest
     steps:
@@ -484,26 +424,6 @@ jobs:
         env:
           CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
-  linux_tests_secretsForGpgFromEnv:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
-      - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845
-        name: /tests/secretsForGpgFromEnv
-        with:
-          args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /tests/secretsForGpgFromEnv"
-        env:
-          CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-  macos_tests_secretsForGpgFromEnv:
-    runs-on: macos-latest
-    steps:
-      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
-      - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
-      - name: /tests/secretsForGpgFromEnv
-        run: nix-env -if . && m . /tests/secretsForGpgFromEnv
-        env:
-          CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-
   linux_testTerraform_module:
     runs-on: ubuntu-latest
     steps:

docs/src/api/builtins/secrets.md

@@ -192,90 +192,6 @@ Example:
     }
     ```
 
-## secretsForGpgFromEnv
-
-Load GPG public or private keys
-from environment variables
-into an ephemeral key-ring.
-
-Each key content must be stored
-in a environment variable
-in [ASCII Armor](https://www.techopedia.com/definition/23150/ascii-armor) format.
-
-Types:
-
-- secretsForGpgFromEnv (`attrsOf (listOf str)`): Optional.
-    Mapping of name
-    to a list of environment variable names
-    where the GPG key contents are stored.
-    Defaults to `{ }`.
-
-Example:
-
-=== "secrets.yaml"
-
-    ```yaml
-    # /path/to/my/project/secrets.yaml
-    password: ENC[AES256_GCM,data:cLbgzNHgBN5drfsDAS+RTV5fL6I=,iv:2YHhHxKg+lbGqdB5nhhG2YemeKB6XWvthGfNNkVgytQ=,tag:cj/el3taq1w7UOp/JQSNwA==,type:str]
-    # ...
-    ```
-
-=== "makes.nix"
-
-    ```nix
-    # /path/to/my/project/makes.nix
-    {
-      outputs,
-      ...
-    }: {
-      # Load keys into an ephemeral GPG keyring
-      secretsForGpgFromEnv = {
-        example = [
-          "ENV_VAR_FOR_PRIVATE_KEY_CONTENT"
-          "ENV_VAR_FOR_PUB_KEY_CONTENT"
-        ];
-      };
-      # Use sops to decrypt an encrypted file
-      secretsForEnvFromSops = {
-        example = {
-          manifest = "/secrets.yaml";
-          vars = [ "password" ];
-        };
-      };
-    }
-    ```
-
-=== "main.nix"
-
-    ```nix
-    # /path/to/my/project/makes/example/main.nix
-    {
-      makeScript,
-      outputs,
-      ...
-    }:
-    makeScript {
-      name = "example";
-      searchPaths.source = [
-        # First setup an ephemeral GPG keyring
-        outputs."/secretsForGpgFromEnv/example"
-        # Now sops will decrypt secrets using the GPG keys in the ring
-        outputs."/secretsForEnvFromSops/example"
-      ];
-      entrypoint = ''
-        echo Decrypted password: $password
-      '';
-    }
-    ```
-
-=== "Invocation"
-
-    ```bash
-    $ m . /example
-
-      Decrypted password: 123
-    ```
-
 ## secretsForTerraformFromEnv
 
 Export secrets in a format suitable for Terraform

docs/src/security/threat-model.md

@@ -118,8 +118,7 @@
         For example:
         `secretsForAwsFromEnv`,
         `secretsForAwsFromGitlab`,
-        `secretsForEnvFromSops`,
-        `secretsForGpgFromEnv`, and
+        `secretsForEnvFromSops`, and
         `secretsForTerraformFromEnv`.
 
         However, we don't currently have a way to protect the user

src/args/agnostic.nix

@@ -80,8 +80,6 @@ let
         import ./make-secret-for-aws-from-gitlab/default.nix self;
       makeSecretForEnvFromSops =
         import ./make-secret-for-env-from-sops/default.nix self;
-      makeSecretForGpgFromEnv =
-        import ./make-secret-for-gpg-from-env/default.nix self;
       makeSecretForKubernetesConfigFromAws =
         import ./make-secret-for-kubernetes-config-from-aws/default.nix self;
       makeSecretForNomadFromEnv =

src/args/make-secret-for-gpg-from-env/default.nix

@@ -27,7 +27,6 @@
     (import ./secrets-for-aws-from-env/default.nix args)
     (import ./secrets-for-aws-from-gitlab/default.nix args)
     (import ./secrets-for-env-from-sops/default.nix args)
-    (import ./secrets-for-gpg-from-env/default.nix args)
     (import ./secrets-for-terraform-from-env/default.nix args)
     (import ./test-license/default.nix args)
     (import ./test-terraform/default.nix args)

src/args/make-secret-for-gpg-from-env/template.sh

@@ -8,8 +8,6 @@
     ./makeSearchPaths/makes.nix
     ./makeTemplate/makes.nix
     ./pipelines/makes.nix
-    ./secretsForEnvFromSops/makes.nix
-    ./secretsForGpgFromEnv/makes.nix
     ./terraform/makes.nix
   ];
 }