[ci skip] phase 1: SOPS tooling setup (.sops.yaml, scripts/tg, .gitignore)

Part of SOPS multi-user secrets migration. - .sops.yaml: defines age recipients (Viktor + CI) - scripts/tg: wrapper that decrypts secrets before running terragrunt - .gitignore: excludes decrypted secrets.auto.tfvars.json No functional change — terraform.tfvars still works as before.
2026-03-07 13:57:42 +00:00 · 2026-03-07 13:57:42 +00:00 · 7f5dbb82f4
commit 7f5dbb82f4
parent 88989cfad3
3 changed files with 33 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -35,6 +35,10 @@ override.tf.json

 git_crypt.key

+# SOPS — decrypted secrets (temporary, never commit)
+/secrets.auto.tfvars.json
+/secrets.auto.tfvars.json.*
+
 # Claude Code - temporary/sensitive files
 .claude/cmd_input.txt
 .claude/cmd_output.txt
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,7 @@
+# SOPS configuration — defines who can decrypt which files
+# age public keys only (safe to commit)
+creation_rules:
+  - path_regex: ^secrets\.sops\.json$
+    age: >-
+      age1z64h9t3acsm2rr74pz7j4846kwj5tutx9sk78jqv46y8fln4vs2sy920ce,
+      age1hrafaswdslw4u63scxp8u5ye4tf8h0xjah0v85w280phy06m0vespz2u0n
--- a/scripts/tg
+++ b/scripts/tg
@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# scripts/tg — wrapper: decrypt secrets then run terragrunt
+# Usage: scripts/tg apply --non-interactive
+#        scripts/tg run --all -- plan
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+SOPS_FILE="$REPO_ROOT/secrets.sops.json"
+OUT_FILE="$REPO_ROOT/secrets.auto.tfvars.json"
+
+# Decrypt if needed (skips if already decrypted and up-to-date)
+if [ -f "$SOPS_FILE" ]; then
+  if [ ! -f "$OUT_FILE" ] || [ "$SOPS_FILE" -nt "$OUT_FILE" ]; then
+    TEMP=$(mktemp "$OUT_FILE.XXXXXX")
+    trap "rm -f '$TEMP'" EXIT
+    sops -d "$SOPS_FILE" > "$TEMP"
+    mv "$TEMP" "$OUT_FILE"
+    echo "Decrypted secrets.sops.json → secrets.auto.tfvars.json"
+  fi
+fi
+
+exec terragrunt "$@"