
@tcarrio
Last active June 13, 2024 20:50
Zero at-rest residual decryption of sops for Make process execution with AWS auth

```makefile
DECRYPTED_ENV_PIPE := $(shell mktemp)
```

Generates a unique random path on every execution; the rule below replaces the temporary file that mktemp created with a FIFO at that path.

```makefile
	@ (sops -d $(ENCRYPTED_ENV_FILE) > $(DECRYPTED_ENV_PIPE) ; rm $(DECRYPTED_ENV_PIPE)) &
```

The decryption runs in the background because a write to a FIFO blocks until another process opens it for reading. Since Make's initialization is serial, this inter-process communication requires the writer to be forked off; the subshell also removes the FIFO once the write has completed.

```makefile
-include $(DECRYPTED_ENV_PIPE)
```

This directive tells Make to read the file. Because the path is also a Make target, Make runs that target's recipe before including it (the leading `-` keeps Make from aborting if the file cannot be read).

Summary

This satisfies both ends of the FIFO: the write side with the sops decryption and the read side with the Make include. Communication then starts between the two processes, and Make receives the decrypted contents of .sops.env as an in-memory stream; no plaintext file is written to disk.

```makefile
SHELL := /bin/bash
CURRENT_DIR := $(PWD)
# the location of the environment file
ENV := ${CURRENT_DIR}/.env
# the location of the sops encrypted environment file
ENCRYPTED_ENV_FILE := ${CURRENT_DIR}/.sops.env
# a unique random path; the rule below turns it into a FIFO
DECRYPTED_ENV_PIPE := $(shell mktemp)
# Ensure the plaintext environment file is loaded into Make
include $(ENV)
# This bit of fun magic creates a named pipe that exists for transmitting
# the decrypted environment variables for the Makefile to 'include',
# ensuring that they don't sit unencrypted in the environment after execution.
# Additionally, this ensures that you are authenticated with AWS, which is required
# for sops decryption. If AWS SSO is disabled this is a no-op.
$(DECRYPTED_ENV_PIPE): ensure-aws
	@ aws sts get-caller-identity >/dev/null \
	|| ([ "${REQUIRE_AWS_SSO}" != "" ] && [ "${REQUIRE_AWS_SSO}" != "true" ]) \
	|| aws sso login
	@ rm -f $(DECRYPTED_ENV_PIPE)
	@ mkfifo $(DECRYPTED_ENV_PIPE)
	@ (sops -d $(ENCRYPTED_ENV_FILE) > $(DECRYPTED_ENV_PIPE) ; rm $(DECRYPTED_ENV_PIPE)) &
-include $(DECRYPTED_ENV_PIPE)
# ... the rest of Makefile ...
```
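The FIFO hand-off the Makefile relies on, as an added bash example (not the gist's code): a background writer, a reader that consumes the stream directly, and residue checks afterwards. It assumes `base64 -d` on a constructed input as a stand-in for `sops -d`, and it tightens the FIFO's permissions with `mkfifo -m 600` inside a `mktemp -d` directory, which the gist's Makefile does not do.

```shell
#!/usr/bin/env bash
# Added example (not the gist's code): the FIFO hand-off the Makefile relies on,
# written as plain bash so each step can be observed. Assumption: the decrypt
# command is passed in; the demo uses "base64 -d" on a constructed input as a
# stand-in for "sops -d" so it runs without sops or AWS credentials.
set -eu

# load_secret_env ENCRYPTED_FILE DECRYPT_CMD [ARGS...]
# Streams the decrypted KEY=value lines through a FIFO straight into the
# current shell's environment; no plaintext file is ever written.
load_secret_env() {
  local enc="$1"; shift
  local dir
  # Private 0700 directory plus -m 600 on the FIFO itself: mkfifo's default
  # mode is 0666 minus umask, which would let other local users open the pipe.
  dir=$(mktemp -d)
  LAST_FIFO="$dir/env.fifo"
  mkfifo -m 600 "$LAST_FIFO"
  # Writer goes to the background: opening a FIFO for writing blocks until a
  # reader opens it, which is exactly why the Makefile forks the sops process.
  ( "$@" "$enc" > "$LAST_FIFO"; rm -f "$LAST_FIFO" ) &
  local writer=$!
  set -a             # export every variable the sourced stream defines
  # shellcheck disable=SC1090
  . "$LAST_FIFO"     # reader side: the shell consumes the stream directly
  set +a
  wait "$writer"     # writer has finished and removed the FIFO
  rmdir "$dir"
}

# demo: builds a constructed "encrypted" env file, loads it, and checks that
# nothing on disk contains the plaintext. Returns 0 on success.
demo() {
  local workdir enc
  workdir=$(mktemp -d)
  enc="$workdir/.sops.env"
  # Constructed sample: base64 stands in for sops encryption.
  printf 'DB_PASSWORD=hunter2\nAPI_TOKEN=abc123\n' | base64 > "$enc"
  load_secret_env "$enc" base64 -d
  # Residue checks: FIFO gone, its directory gone, no plaintext anywhere on disk.
  [ ! -e "$LAST_FIFO" ] || return 1
  [ ! -d "$(dirname "$LAST_FIFO")" ] || return 1
  ! grep -rq 'hunter2' "$workdir" || return 1
  rm -rf "$workdir"
  [ "${DB_PASSWORD:-}" = hunter2 ] && [ "${API_TOKEN:-}" = abc123 ]
}
```

Run `demo` in the current shell; the loaded variables are then available to whatever the shell starts next, with only the sops-encrypted file left on disk.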