Integrating with SOPS
How to integrate DoiT Terraform provider using best practices for authentication, and SOPS secrets.
Managing the DoiT API token with SOPS
For teams already using Git for Terraform, a good pattern is to keep the API token in an encrypted file managed by SOPS. This allows you to:
- Keep the Terraform code and secrets in the same repository.
- Encrypt the secrets file with AWS/GCP KMS, or age so the repo is safe to share.
- Decrypt secrets only on trusted machines or CI runners with the right keys.
This section shows how to wire the DoiT provider to a SOPS-encrypted secrets file using the carlpett/sops Terraform provider.
Example: API token from a SOPS-encrypted file
terraform {
  required_providers {
    doit = {
      source  = "doitintl/doit"
      version = "~> 0.24.0" # align with the version you use elsewhere
    }
    sops = {
      source  = "carlpett/sops"
      version = "~> 1.0.0"
    }
  }
}

# Read and decrypt the secrets from a SOPS-managed file
data "sops_file" "secrets" {
  source_file = "secrets.enc.yaml"
}

provider "doit" {
  host      = "https://api.doit.com"
  api_token = data.sops_file.secrets.data["doit_api_key"]
}

In this pattern:
- secrets.enc.yaml is a SOPS-encrypted YAML file checked into Git.
- The sops_file data source decrypts it at plan/apply time.
- The DoiT provider reads the API token from the decrypted data map.

A minimal secrets.enc.yaml before encryption might look like:

doit_api_key: "YOUR_DOIT_API_TOKEN"

You then encrypt it with SOPS and commit only the encrypted version.
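The step above only works if the plaintext file never reaches Git. The following pre-commit guard is an added example, not code from the page or from the DoiT or carlpett/sops providers: it checks that every leaf in secrets.enc.yaml is a SOPS ENC[...] token and that the sops metadata block with its MAC is present, using constructed sample files (the ciphertext and age recipient are placeholders).

```python
"""Pre-commit guard for secrets.enc.yaml: fail if the file is not SOPS ciphertext."""
import re

# Constructed sample of what secrets.enc.yaml looks like after `sops -e`
# (ciphertext and age recipient are placeholders, not real values).
ENCRYPTED_SAMPLE = """\
doit_api_key: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
sops:
    age:
        - recipient: age1PLACEHOLDERRECIPIENT
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            ...
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    version: 3.8.1
"""
# Constructed sample: the plaintext file from the page, before encryption.
PLAINTEXT_SAMPLE = 'doit_api_key: "YOUR_DOIT_API_TOKEN"\n'

# SOPS stores every encrypted leaf as a single ENC[...] token.
ENC_VALUE = re.compile(r"^ENC\[[A-Z0-9_]+,data:.*,type:[a-z]+\]$")
# Minimal `key: value` matcher (indent, optional list dash, key, value);
# enough for SOPS-shaped YAML, deliberately not a full YAML parser.
KV_LINE = re.compile(r"^(\s*)(?:-\s+)?([A-Za-z0-9_.-]+):\s*(.*)$")


def sops_problems(text: str) -> list[str]:
    """Return the reasons `text` is unsafe to commit (empty list means OK)."""
    problems = []
    in_sops = saw_sops = saw_mac = False
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KV_LINE.match(line)
        if not m:
            continue
        indent, key, value = m.groups()
        if not indent:  # column-0 key: entering or leaving the sops block
            in_sops = key == "sops"
            saw_sops = saw_sops or in_sops
        if in_sops:  # metadata is plaintext by design; only require the MAC
            saw_mac = saw_mac or key == "mac"
            continue
        if value and not ENC_VALUE.match(value.strip("\"'")):
            problems.append(f"line {lineno}: {key} is not encrypted")
    if not saw_sops:
        problems.append("no sops metadata block: file was never encrypted")
    elif not saw_mac:
        problems.append("sops block has no mac: integrity check missing")
    return problems
```

Wire `sops_problems(open(path).read())` into a pre-commit hook and reject the commit when the list is non-empty.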
Why this pattern works well for FinOps and platform teams
- Centralised secret management: the DoiT API token lives in one place that can be rotated, audited, and managed like any other secret infrastructure.
- Git friendly: the encrypted file can be committed to the repo, so new environments or engineers only need:
  - Access to the repo.
  - Access to the SOPS key.
- CI integration: CI systems can be given access to the SOPS key material and run terraform plan or terraform apply without exposing the raw token in pipeline definitions.
- Explicit wiring: the provider configuration clearly shows where the token comes from. There is no hidden magic in environment variables, which simplifies debugging.
Recommended practices for this pattern
- Store secrets.enc.yaml at the root of the Terraform project or in a dedicated secrets folder, and document the path so it is consistent across modules.
- Use your cloud KMS (AWS KMS, GCP KMS, Azure Key Vault) or age for SOPS encryption, not a local PGP key that only lives on one laptop.
- Make sure the doit_api_key is marked and treated as sensitive wherever you surface it in Terraform variables or outputs.
- Keep the DoiT provider version in required_providers aligned with the version you reference in the rest of your documentation and infrastructure. When upgrading the provider, update it in one place and run terraform init -upgrade.
