Integrating with SOPS

Managing the DoiT API token with SOPS

For teams already using Git for Terraform, a good pattern is to keep the API token in an encrypted file managed by SOPS. This allows you to:

  • Keep the Terraform code and secrets in the same repository.
  • Encrypt the secrets file with AWS KMS, GCP KMS, or age, so the repo is safe to share.
  • Decrypt secrets only on trusted machines or CI runners with the right keys.

This section shows how to wire the DoiT provider to a SOPS-encrypted secrets file using the carlpett/sops Terraform provider.

Example: API token from a SOPS-encrypted file

terraform {
  required_providers {
    doit = {
      source  = "doitintl/doit"
      version = "~> 0.24.0"   # align with the version you use elsewhere
    }
    sops = {
      source  = "carlpett/sops"
      version = "~> 1.0.0"
    }
  }
}

# Read and decrypt the secrets from a SOPS-managed file
data "sops_file" "secrets" {
  source_file = "secrets.enc.yaml"
}

provider "doit" {
  host             = "https://api.doit.com"
  api_token        = data.sops_file.secrets.data["doit_api_key"]
}

In this pattern:

  • secrets.enc.yaml is a SOPS-encrypted YAML file checked into Git.
  • The sops_file data source decrypts it at plan/apply time.
  • The DoiT provider reads the API token from the decrypted data map.

A minimal secrets.enc.yaml before encryption might look like:

doit_api_key: "YOUR_DOIT_API_TOKEN"

You then encrypt it with SOPS and commit only the encrypted version.
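The step "commit only the encrypted version" is the one most often broken by accident: a plaintext secrets.enc.yaml gets staged before sops has run, or a key is added by hand to an already encrypted file. The following POSIX shell script is an added example, not code from the DoiT provider or the SOPS project: it checks that a file carries the markers SOPS writes (every scalar value is an ENC[...] ciphertext and a trailing sops: metadata block with a mac: entry exists) and can be wired in as a Git pre-commit hook. The file contents, paths and the age recipient it uses are constructed samples.

```shell
#!/bin/sh
# Added example (not DoiT provider or SOPS project code): a pre-commit guard that refuses
# to commit *.enc.yaml files unless they look SOPS-encrypted. Assumes the SOPS YAML output
# format: every secret value becomes ENC[...] and a top-level "sops:" block with "mac:" is
# appended. All sample file contents below are constructed.

# is_sops_encrypted FILE: returns 0 if FILE looks SOPS-encrypted, 1 otherwise.
is_sops_encrypted() {
  f="$1"
  [ -f "$f" ] || return 1
  # The metadata block and its integrity MAC only exist after "sops --encrypt".
  grep -q '^sops:' "$f" || return 1
  grep -q '^ *mac: ' "$f" || return 1
  # Every "key: value" scalar before the sops: block must be an ENC[...] ciphertext.
  # List items are not inspected, so keep secrets as plain key/value pairs as above.
  awk '
    BEGIN { bad = 0 }
    /^sops:/ { exit }
    /^[ \t]*[A-Za-z0-9_.-]+:[ \t]*[^ \t]/ {
      v = $0; sub(/^[^:]*:[ \t]*/, "", v)
      if (v !~ /^ENC\[/) { bad = 1; exit }
    }
    END { exit bad }
  ' "$f"
}

# check_staged_secrets: body of a .git/hooks/pre-commit script. Fails the commit if any
# staged *.enc.yaml is still plaintext. Needs git, so it is not invoked below.
check_staged_secrets() {
  rc=0
  for f in $(git diff --cached --name-only --diff-filter=ACM -- '*.enc.yaml'); do
    if ! is_sops_encrypted "$f"; then
      echo "pre-commit: refusing to commit plaintext secrets file: $f" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed samples: the file before encryption, after encryption, and an encrypted
# file to which someone appended a plaintext key by hand.
DEMO_DIR="${TMPDIR:-/tmp}/sops-guard-demo.$$"
mkdir -p "$DEMO_DIR"
PLAIN_FILE="$DEMO_DIR/plain.enc.yaml"
ENCRYPTED_FILE="$DEMO_DIR/encrypted.enc.yaml"
TAMPERED_FILE="$DEMO_DIR/tampered.enc.yaml"

cat > "$PLAIN_FILE" <<'EOF'
doit_api_key: "YOUR_DOIT_API_TOKEN"
EOF

cat > "$ENCRYPTED_FILE" <<'EOF'
doit_api_key: ENC[AES256_GCM,data:CONSTRUCTEDSAMPLE==,iv:CONSTRUCTED,tag:CONSTRUCTED,type:str]
sops:
    kms: []
    age:
        - recipient: age1constructedrecipientplaceholder
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            Q09OU1RSVUNURUQgU0FNUExF
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:CONSTRUCTEDMAC==,iv:CONSTRUCTED,tag:CONSTRUCTED,type:str]
    version: 3.8.1
EOF

cat > "$TAMPERED_FILE" <<'EOF'
doit_api_key: ENC[AES256_GCM,data:CONSTRUCTEDSAMPLE==,iv:CONSTRUCTED,tag:CONSTRUCTED,type:str]
other_token: "added-by-hand-without-sops"
sops:
    mac: ENC[AES256_GCM,data:CONSTRUCTEDMAC==,iv:CONSTRUCTED,tag:CONSTRUCTED,type:str]
    version: 3.8.1
EOF

# Demo run over the constructed files (left in DEMO_DIR for inspection).
for f in "$ENCRYPTED_FILE" "$PLAIN_FILE" "$TAMPERED_FILE"; do
  if is_sops_encrypted "$f"; then echo "ok: $f"; else echo "blocked: $f"; fi
done
```

To use it, copy is_sops_encrypted and check_staged_secrets into .git/hooks/pre-commit (or a hook manager's script) and end the hook with `check_staged_secrets`. Encrypt the plaintext file in place with `sops --encrypt --in-place secrets.enc.yaml` once your .sops.yaml creation rule or command-line key flags point at the KMS key or age recipient; the guard then passes, and the hand-edited case above is caught because its added value is not an ENC[...] string.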

Why this pattern works well for FinOps and platform teams

  • Centralised secret management
    The DoiT API token lives in one place that can be rotated, audited, and managed like any other secret infrastructure.

  • Git friendly
    The encrypted file can be committed to the repo, so new environments or engineers only need:

    • Access to the repo.
    • Access to the SOPS key.

  • CI integration
    CI systems can be given access to the SOPS key material and run terraform plan or terraform apply without exposing the raw token in pipeline definitions.

  • Explicit wiring
    The provider configuration clearly shows where the token comes from. There is no hidden magic in environment variables, which simplifies debugging.

Recommended practices for this pattern

  • Store secrets.enc.yaml at the root of the Terraform project or in a dedicated secrets folder and document the path so it is consistent across modules.
  • Use your cloud KMS (AWS KMS, GCP KMS, Azure Key Vault) or age for SOPS encryption, not a local PGP key that only lives on one laptop.
  • Make sure the doit_api_key is marked and treated as sensitive wherever you surface it in Terraform variables or outputs.
  • Keep the DoiT provider version in required_providers aligned with the version you reference in the rest of your documentation and infrastructure. When upgrading the provider, update it in one place and run terraform init -upgrade.