SOPS support

I’m interested in contributing SOPS support to Ansible.

SOPS (https://github.com/mozilla/sops) is a tool for encrypting only the values in YAML (and JSON) files using AWS KMS or GPG keys. Encrypting only the values makes both diffs and the encrypted files human-readable for many questions without leaking sensitive information in most applications (it’s not news that there’s a datadog_api key in a playbook that installs datadog, for example).

My company is using this feature internally and is very pleased with the result.

Compatibility: SOPS support changes the meaning of sops keys at the top level in Ansible YAML files.

The basics of adding it to core are trivial: https://github.com/kindlyops/ansible/commit/7ec21724bffb43fe32d8231ab6a14c6e9b1fdc66. I believe that still needs the following:

  • Conditional importing of sops. If you don’t use the feature, you shouldn’t have to deal with building the dependencies.
  • Tests, of course!

I have engineering resources available to do both of those, but before I do, I’m interested in reactions both to the feature and the approach.

Cheers,
Seth W. Klein
Operations Engineer, KindlyOps

I like that Ansible has a built-in facility for secrets, but SOPS would be a big step up in usability and security, so I’d be very intrigued.