From 7f5dbb82f425f8cdf4fb237809b66038693a32fb Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 7 Mar 2026 13:57:42 +0000
Subject: [PATCH] [ci skip] phase 1: SOPS tooling setup (.sops.yaml, scripts/tg, .gitignore)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Part of SOPS multi-user secrets migration.
- .sops.yaml: defines age recipients (Viktor + CI)
- scripts/tg: wrapper that decrypts secrets before running terragrunt
- .gitignore: excludes decrypted secrets.auto.tfvars.json
No functional change — terraform.tfvars still works as before.
---
 .gitignore | 4 ++++
 .sops.yaml | 7 +++++++
 scripts/tg | 22 ++++++++++++++++++++++
 3 files changed, 33 insertions(+)
 create mode 100644 .sops.yaml
 create mode 100755 scripts/tg
diff --git a/.gitignore b/.gitignore
index 6ee60e66..f6c76158 100755
--- a/.gitignore
+++ b/.gitignore
@@ -35,6 +35,10 @@ override.tf.json git_crypt.key +# SOPS — decrypted secrets (temporary, never commit) +/secrets.auto.tfvars.json +/secrets.auto.tfvars.json.* + +# Claude Code - temporary/sensitive files .claude/cmd_input.txt .claude/cmd_output.txt
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 00000000..586447a1
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+# SOPS configuration — defines who can decrypt which files
+# age public keys only (safe to commit)
+creation_rules:
+ - path_regex: ^secrets\.sops\.json$
+ age: >-
+ age1z64h9t3acsm2rr74pz7j4846kwj5tutx9sk78jqv46y8fln4vs2sy920ce,
+ age1hrafaswdslw4u63scxp8u5ye4tf8h0xjah0v85w280phy06m0vespz2u0n
diff --git a/scripts/tg b/scripts/tg
new file mode 100755
index 00000000..0565bd5b
--- /dev/null
+++ b/scripts/tg
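Review bot: The two age recipients under `age: >-` are unlabeled, so nothing in the file records which key is Viktor's and which is CI's; the commit message is the only place that says so, and it will not be in front of whoever has to revoke one later. Add one comment per key above the `age:` block, e.g. `# age1z64h… — Viktor` and `# age1hraf… — CI`, so the mapping lives with the keys. It is also worth a comment next to `creation_rules` that editing this list does not touch files already encrypted — `sops updatekeys secrets.sops.json` must be run after any recipient change — and that removing a key does not revoke access to versions already in git history, so the affected secrets need rotating, not just re-encrypting.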
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# scripts/tg — wrapper: decrypt secrets then run terragrunt
+# Usage: scripts/tg apply --non-interactive
+# scripts/tg run --all -- plan
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+SOPS_FILE="$REPO_ROOT/secrets.sops.json"
+OUT_FILE="$REPO_ROOT/secrets.auto.tfvars.json"
+
+# Decrypt if needed (skips if already decrypted and up-to-date)
+if [ -f "$SOPS_FILE" ]; then
+ if [ ! -f "$OUT_FILE" ] || [ "$SOPS_FILE" -nt "$OUT_FILE" ]; then
+ TEMP=$(mktemp "$OUT_FILE.XXXXXX")
+ trap "rm -f '$TEMP'" EXIT
+ sops -d "$SOPS_FILE" > "$TEMP"
+ mv "$TEMP" "$OUT_FILE"
+ echo "Decrypted secrets.sops.json → secrets.auto.tfvars.json"
+ fi
+fi
+
+exec terragrunt "$@"
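Review bot: The decrypted plaintext in `$OUT_FILE` is never removed: `exec terragrunt "$@"` replaces the shell, so no EXIT trap can run once terragrunt finishes, and the `-nt` check deliberately reuses the file on later runs, which makes the "temporary" file of the .gitignore comment a persistent cache of every secret in the repo root. If that is the intent, state it in the header comment, e.g. `# NOTE: the decrypted file is kept between runs as a cache (mode 0600 from mktemp); delete it to force re-decryption or before handing off the machine`; if not, drop `exec`, run `terragrunt "$@"` and add `rm -f "$OUT_FILE"` to the EXIT trap. The plaintext is only protected because mktemp creates the temp file 0600 and `mv` keeps that mode, so a `chmod 600 "$OUT_FILE"` after the `mv` would make the protection explicit rather than incidental. Minor: `trap "rm -f '$TEMP'" EXIT` works, but the conventional `trap 'rm -f "$TEMP"' EXIT` defers expansion and does not break if the path ever contains a single quote.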