Last active October 5, 2022 17:55
Decrypt Terraform state in GitLab backend
```ruby
require "openssl"
require "lockbox"

#################
# Configuration #
#################
# Retrieved from GitLab rails secrets
# https://docs.gitlab.com/ee/development/application_secrets.html
# This is a dummy key base. Don't bother using it
db_key_base = "e0bc64a63258bb79d4770dfca969a1c6b646c1fe3d9fdd0caa16960bb984fcf402a554667454888eec81226d68f6d826f7c0a97f8f4d1e2f7d5a7795924aa213"
# The project ID in GitLab
project_id = "199"
# The file to decrypt
input_file = "0.tfstate"
# The file where to write the terraform state content
output_file = "state.json"

#############
# ALGORITHM #
#############
# Compute the per-project encryption key: HMAC-SHA256 keyed with db_key_base over the project ID
key = OpenSSL::HMAC.digest('SHA256', db_key_base, project_id)
# Generate LockBox tool
# https://github.com/ankane/lockbox
lockbox = Lockbox.new(key: key)
# Read the encrypted state as raw bytes and decrypt it to a UTF-8 string
encrypted_state_content = File.binread(input_file)
state_content = lockbox.decrypt_str(encrypted_state_content)
# The output is the plaintext Terraform state, which can itself contain secrets
File.write(output_file, state_content)
```
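```bash
#!/bin/bash
# Create a throwaway Rails app that provides the runtime for the script
rails new myapp
cd myapp/
# Add the Lockbox gem used for decryption
echo 'gem "lockbox"' >> Gemfile
bundle install
# decode.rb and the encrypted state file (input_file) must be present in myapp/ at this point
bundle exec rails runner decode.rb
```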
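Added example (not part of the gist, and not GitLab's or Lockbox's own code): the same HMAC-SHA256 key derivation with the AES-256-GCM step written out using only OpenSSL, showing that a wrong project ID or a modified blob fails authentication instead of producing garbage. It assumes Lockbox's default blob layout of a 12-byte nonce, then the ciphertext, then a 16-byte tag; `state_key`, `seal`, `open_state` and the sample values are constructed for illustration.

```ruby
require "openssl"
require "securerandom"

NONCE_LEN = 12 # assumed layout: nonce || ciphertext || tag
TAG_LEN   = 16
# Constructed sample values, not real secrets.
SAMPLE_BASE  = "constructed-db-key-base-for-illustration"
SAMPLE_STATE = '{"version":4,"serial":1}'

# Per-project key, derived the same way as in the script above.
def state_key(db_key_base, project_id)
  OpenSSL::HMAC.digest("SHA256", db_key_base, project_id.to_s)
end

# Build a test blob in the assumed layout (used here only to create sample input).
def seal(key, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  nonce = SecureRandom.random_bytes(NONCE_LEN)
  cipher.iv = nonce
  cipher.auth_data = ""
  body = cipher.update(plaintext) + cipher.final
  nonce + body + cipher.auth_tag(TAG_LEN)
end

# Returns the plaintext, or nil if the blob is too short or fails authentication
# (wrong db_key_base, wrong project ID, or modified ciphertext).
def open_state(key, blob)
  return nil if blob.bytesize <= NONCE_LEN + TAG_LEN
  nonce = blob.byteslice(0, NONCE_LEN)
  tag   = blob.byteslice(-TAG_LEN, TAG_LEN)
  body  = blob.byteslice(NONCE_LEN, blob.bytesize - NONCE_LEN - TAG_LEN)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = nonce
  cipher.auth_tag = tag
  cipher.auth_data = ""
  (cipher.update(body) + cipher.final).force_encoding(Encoding::UTF_8)
rescue OpenSSL::Cipher::CipherError
  nil
end

sample_blob = seal(state_key(SAMPLE_BASE, 199), SAMPLE_STATE)
puts open_state(state_key(SAMPLE_BASE, 199), sample_blob).inspect # right project ID
puts open_state(state_key(SAMPLE_BASE, 200), sample_blob).inspect # wrong project ID
```

Because every project key is derived from the single `db_key_base`, that one secret covers the stored state of all projects.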