provisioning/config/templates/sops.yaml.example
Jesús Pérez 6a59d34bb1
chore: update provisioning configuration and documentation
Update configuration files, templates, and internal documentation
for the provisioning repository system.

Configuration Updates:
- KMS configuration modernization
- Plugin system settings
- Service port mappings
- Test cluster topologies
- Installation configuration examples
- VM configuration defaults
- Cedar authorization policies

Documentation Updates:
- Library module documentation
- Extension API guides
- AI system documentation
- Service management guides
- Test environment setup
- Plugin usage guides
- Validator configuration documentation

All changes are backward compatible.
2025-12-11 21:50:42 +00:00


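# SOPS Configuration Example
# Copy this file to the root of your workspace as .sops.yaml
#
# SOPS (Secrets OPerationS) configuration defines encryption rules
# for configuration files based on path patterns.
#
# Documentation: https://github.com/mozilla/sops
# (the project now lives at https://github.com/getsops/sops; the old
# URL redirects there)
#
# This file holds only PUBLIC material: Age recipients, KMS key ARNs,
# Vault transit URIs and PGP fingerprints. No private key belongs here.
#
# Encryption rules (evaluated top to bottom, first match wins).
# path_regex is matched against the file path relative to this
# .sops.yaml, so ORDER MATTERS: a file that matches an early, broad rule
# never reaches a later, narrower one. If you enable the production KMS
# rules further down, move them ABOVE Rule 1 and Rule 2 — otherwise a
# file such as workspace/prod-x/config/secure.yaml is silently encrypted
# with the developer Age key instead of KMS.
creation_rules:
  # Rule 1: Encrypt workspace secure configs with Age
  - path_regex: workspace/.*/config/secure\.yaml$
    # Replace with your Age public key (age1...)
    age: >-
      age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p

  # Rule 2: Encrypt all .enc.yaml files with Age
  - path_regex: .*\.enc\.yaml$
    age: >-
      age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p

  # Rule 3: Encrypt all .enc.yml files with Age
  - path_regex: .*\.enc\.yml$
    age: >-
      age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p

  # Rule 4: Encrypt all .enc.toml files with Age
  # NOTE(review): TOML is not one of sops' native formats; expect the
  # whole file to be treated as binary (encrypted as a single blob) unless
  # the wrapper passes an explicit input type — confirm against the
  # provisioning CLI.
  - path_regex: .*\.enc\.toml$
    age: >-
      age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p

  # Rule 5: Encrypt provider credentials with Age
  - path_regex: workspace/.*/config/providers/.*credentials.*\.toml$
    age: >-
      age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p

  # Rule 6: Encrypt platform secrets with Age
  - path_regex: workspace/.*/config/platform/.*secret.*\.yaml$
    age: >-
      age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p

  # --------------------------------------------------------------------------
  # AWS KMS Configuration Example (uncomment and configure for production)
  # Place these rules BEFORE Rule 1 when enabling them (first match wins).
  # --------------------------------------------------------------------------
  # # Rule 7: Encrypt production configs with AWS KMS
  # - path_regex: workspace/prod-.*/config/.*\.yaml$
  #   # Replace with your KMS key ARN
  #   kms: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
  #
  # # Rule 8: Encrypt staging configs with AWS KMS
  # - path_regex: workspace/staging-.*/config/.*\.yaml$
  #   kms: "arn:aws:kms:us-east-1:123456789012:key/87654321-4321-4321-4321-210987654321"
  #
  # # Rule 9: Multi-region AWS KMS (for disaster recovery)
  # # Comma-separated list; the folded scalar joins the lines with a space,
  # # which sops strips around each entry — keep it on one line if in doubt.
  # - path_regex: workspace/prod-.*/config/critical/.*\.yaml$
  #   kms: >-
  #     arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012,
  #     arn:aws:kms:us-west-2:123456789012:key/87654321-4321-4321-4321-210987654321

  # --------------------------------------------------------------------------
  # HashiCorp Vault Configuration Example
  # --------------------------------------------------------------------------
  # # Rule 10: Encrypt with Vault (requires Vault server)
  # - path_regex: workspace/.*/config/vault-encrypted/.*\.yaml$
  #   vault_uri: "https://vault.example.com:8200/v1/transit/keys/provisioning"

  # --------------------------------------------------------------------------
  # Advanced Examples
  # --------------------------------------------------------------------------
  # # Rule 11: Multi-recipient (multiple Age keys for team access)
  # # The ...c8q and ...c8r values are placeholders, not real recipients.
  # - path_regex: workspace/shared-.*/config/.*\.yaml$
  #   age: >-
  #     age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p,
  #     age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8q,
  #     age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8r
  #
  # # Rule 12: PGP encryption (legacy, not recommended)
  # - path_regex: workspace/legacy-.*/config/.*\.yaml$
  #   pgp: >-
  #     FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
  #
  # # Rule 13: Mixed backends (Age + AWS KMS for redundancy)
  # # Either recipient alone can decrypt: the file is only as protected as
  # # the weaker of the two.
  # - path_regex: workspace/critical-.*/config/.*\.yaml$
  #   age: >-
  #     age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
  #   kms: >-
  #     arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
  #
  # # Rule 14: Specific key for CI/CD (separate from developers)
  # - path_regex: \.github/workflows/.*\.yaml$
  #   age: >-
  #     age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
  #
  # # Rule 15: Per-environment keys
  # # Do NOT put a "# comment" on the same line as a recipient inside a
  # # block scalar (>-): the text would become part of the recipient value.
  # # Dev key:
  # - path_regex: workspace/dev-.*/config/.*\.yaml$
  #   age: >-
  #     age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
  # # Prod key:
  # - path_regex: workspace/prod-.*/config/.*\.yaml$
  #   age: >-
  #     age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8q

# ----------------------------------------------------------------------------
# Notes
# ----------------------------------------------------------------------------
# 1. Rules are evaluated top to bottom, first match wins
# 2. Use regex for flexible path matching
# 3. Multiple recipients (comma-separated) allow team access
# 4. Keep this file (.sops.yaml) unencrypted and commit to git
# 5. Never commit private keys (Age, PGP, etc.) to git
# 6. Store Age private keys in ~/.config/sops/age/keys.txt (the Linux
#    default); elsewhere point SOPS_AGE_KEY_FILE at the key file
# 7. Set environment variable: export SOPS_AGE_RECIPIENTS="age1..."
#    (used only when no rule above matches the file)
# 8. Editing recipients here does not re-encrypt existing files; run
#    `sops updatekeys <file>` on every affected file after a change

# ----------------------------------------------------------------------------
# How to Use
# ----------------------------------------------------------------------------
# 1. Generate Age key:
#    age-keygen -o ~/.config/sops/age/keys.txt
#
# 2. Extract public key (recipient):
#    grep "public key:" ~/.config/sops/age/keys.txt
#
# 3. Replace the Age recipients above with your public key
#
# 4. Set environment variable:
#    export SOPS_AGE_RECIPIENTS="age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"
#
# 5. Encrypt a file:
#    provisioning config encrypt workspace/config/secure.yaml
#
# 6. Decrypt a file:
#    provisioning config decrypt workspace/config/secure.enc.yaml
#
# 7. Edit encrypted file:
#    provisioning config edit-secure workspace/config/secure.enc.yaml

# ----------------------------------------------------------------------------
# Security Best Practices
# ----------------------------------------------------------------------------
# 1. Use separate keys for dev/staging/prod
# 2. Rotate keys regularly (quarterly for production)
# 3. Use AWS KMS for production (centralized key management)
# 4. Enable audit logging (with AWS KMS or Vault)
# 5. Never share private keys via email/chat
# 6. Backup private keys securely (encrypted backup)
# 7. Remove access when team members leave (rotate keys, then re-encrypt
#    with `sops updatekeys` — dropping a recipient from this file alone
#    leaves already-encrypted files readable with the old key)
# 8. Use multi-recipient for team access, not shared keys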