#juxt
2018-02-02
martinklepsch17:02:46

I’m trying to get some terraform output into an edn file (for aero) but am struggling to see how to do it best. Planck or similar seems obvious but the issue is that I also need to decrypt a secret and I’m not sure how to do that with planck’s sh function — seems that piping doesn’t quite work. Does anyone have experiences/advice to share in this regard? (Figured I’d ask here because you seem to be using terraform and aero in combination)

martinklepsch17:02:07

Do you use terraform template files? If you do, how do you handle the decrypting? Or do you decrypt on the server?

dominicm17:02:35

We use lumo.

dominicm17:02:00

We generate terraform json. What do you mean by decrypting? The answer is probably "it depends"

martinklepsch17:02:47

That’s your favorite answer @dominicm isn’t it? 😛

dominicm17:02:29

I'm afraid so :D

martinklepsch17:02:54

So my secret key is encrypted using a PGP key — I could just not do that but the docs recommended it so I did 😛

martinklepsch17:02:21

Do you read terraform JSON in your aero configs using a custom literal?

martinklepsch18:02:11

If so, what are you using Lumo for? @dominicm :thinking_face:

dominicm18:02:09

We go the other way. We run a script in lumo, that reads aero, and generates terraform JSON.

dominicm18:02:48

So, the PGP thing is down to your security profile for the value. Fact is that you need to get your private key somewhere. Is it okay if the server stores it in plaintext? We use AWS KMS which means that the ec2 server is the only thing with permission, and it reads some start-up data to find the encrypted payload. If you're using PGP, you might be better off using clj and java's bouncycastle.

martinklepsch18:02:57

I guess I’m fine with it being on the server in plaintext

martinklepsch18:02:17

I think I might have an idea how to proceed