From 4586d89370ec916869c86a0005cbe0c584de2751 Mon Sep 17 00:00:00 2001
From: Sam Ainsworth
Date: Fri, 6 Dec 2024 10:31:16 +0000
Subject: [PATCH 1/8] DOE-354 Add encryption to Terraform plan
---
 .github/workflows/terraform-core.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/.github/workflows/terraform-core.yml b/.github/workflows/terraform-core.yml
index 4a505f2..aa68c33 100644
--- a/.github/workflows/terraform-core.yml
+++ b/.github/workflows/terraform-core.yml
@@ -311,6 +311,15 @@ jobs: name: "${{ env.state_name }}-artefacts" path: ${{ matrix.stack.directory }} + - name: Decrypt Terraform plan + if: steps.download_plan.conclusion == 'success' + env: + ENCRYPTION_PASSPHRASE: ${{ secrets.TF_PLAN_ENCRYPTION_PASSPHRASE }} + run: | + pass_file=$(mktemp) + printf "%s" "$ENCRYPTION_PASSPHRASE" > "$pass_file" + openssl enc -in tfplan.enc -out tfplan -d -aes256 -pass file:"$pass_file" + - name: Terraform Plan id: tf_plan working-directory: "${{ matrix.stack.directory }}"
@@ -399,6 +408,14 @@ jobs: cat updated_matrix.json + - name: Encrypt Terraform plan + env: + ENCRYPTION_PASSPHRASE: ${{ secrets.TF_PLAN_ENCRYPTION_PASSPHRASE }} + run: | + pass_file=$(mktemp) + printf "%s" "$ENCRYPTION_PASSPHRASE" > "$pass_file" + openssl enc -in tfplan -out tfplan.enc -e -aes256 -pass file:"$pass_file" + - name: Upload Terraform Plan and matrix uses: actions/upload-artifact@v4 if: ${{ inputs.upload_plan }}
From c47754cc19a151f6df56670acdbf739053dc995b Mon Sep 17 00:00:00 2001
From: Sam Ainsworth
Date: Fri, 6 Dec 2024 10:57:08 +0000
Subject: [PATCH 2/8] Use correct working directory
---
 .github/workflows/terraform-core.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/terraform-core.yml b/.github/workflows/terraform-core.yml
index aa68c33..d8e7c62 100644
--- a/.github/workflows/terraform-core.yml
+++ b/.github/workflows/terraform-core.yml
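Review bot: `pass_file=$(mktemp)` in the new `run:` block is never cleaned up, so the copy of the passphrase stays on the runner's filesystem after the `openssl` line has consumed it; the encrypt step in the second hunk of this patch, and the gpg rewrites of both steps in patches 5 to 8, have the same shape. Add `trap 'rm -f "$pass_file"' EXIT` immediately after the `mktemp` line, or drop the file altogether and hand the secret to the tool over a pipe. On GitHub-hosted runners the exposure ends with the job, but on a self-hosted runner the file outlives the workflow until the temp directory is purged. The step belongs to a job whose remaining steps are outside this hunk.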
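Review bot: After the `openssl` line writes `tfplan.enc`, the plaintext `tfplan` is left beside it, and the upload step that follows this hunk globs `path: tfplan*` (visible as the removed line in the `@@ -427` hunk of patch 5), so as of this patch both files would be picked up and the artifact would still carry the unencrypted plan. Patch 5 narrows the glob, but the encrypt step should not depend on the upload step's pattern for its guarantee: remove the plaintext once the encrypted copy exists, `rm -f tfplan`, unless a later step in this job still reads it, which cannot be confirmed from the hunk. The job continues outside this hunk.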
@@ -313,6 +313,7 @@ jobs: - name: Decrypt Terraform plan if: steps.download_plan.conclusion == 'success' + working-directory: "${{ matrix.stack.directory }}" env: ENCRYPTION_PASSPHRASE: ${{ secrets.TF_PLAN_ENCRYPTION_PASSPHRASE }} run: |
@@ -411,6 +412,7 @@ jobs: - name: Encrypt Terraform plan env: ENCRYPTION_PASSPHRASE: ${{ secrets.TF_PLAN_ENCRYPTION_PASSPHRASE }} + working-directory: "${{ matrix.stack.directory }}" run: | pass_file=$(mktemp) printf "%s" "$ENCRYPTION_PASSPHRASE" > "$pass_file"
From 9c52fc411d6804c04725415515ba0782ee216841 Mon Sep 17 00:00:00 2001
From: Sam Ainsworth
Date: Fri, 6 Dec 2024 11:25:55 +0000
Subject: [PATCH 3/8] Add encryption passphrase secret to terraform core
---
 .github/workflows/terraform-core.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/terraform-core.yml b/.github/workflows/terraform-core.yml
index d8e7c62..be1f4aa 100644
--- a/.github/workflows/terraform-core.yml
+++ b/.github/workflows/terraform-core.yml
@@ -87,6 +87,9 @@ on: SSH_DEPLOY_KEY: required: false description: "Deprecated: Use either TF_MODULES_SSH_DEPLOY_KEY or REPO_SSH_DEPLOY_KEY instead." + TF_PLAN_ENCRYPTION_PASSPHRASE: + required: true + description: "The passphrase used to encrypt Terraform Plans before uploading them as Github Artifacts" jobs: initialise:
From 7e22ecb40167268ad871d268466d9e8d425c425a Mon Sep 17 00:00:00 2001
From: Sam Ainsworth
Date: Fri, 6 Dec 2024 11:28:45 +0000
Subject: [PATCH 4/8] Add ENC passphrase
---
 .github/workflows/_test-terraform-destroy.yml | 3 ++-
 .github/workflows/_test-terraform-plan-apply.yml | 3 ++-
 .github/workflows/terraform-destroy.yml | 5 ++++-
 .github/workflows/terraform-plan-apply.yml | 4 ++++
 4 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/_test-terraform-destroy.yml b/.github/workflows/_test-terraform-destroy.yml
index 4119db0..426e5b6 100644
--- a/.github/workflows/_test-terraform-destroy.yml
+++ b/.github/workflows/_test-terraform-destroy.yml
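Review bot: `working-directory` is inserted before `env:` in the decrypt step here but after `env:` in the encrypt step in the second hunk; the two steps are otherwise mirror images of each other, so keep the same key order (`name`, `if`, `working-directory`, `env`, `run`) in both to make them easy to compare side by side. Both steps continue past the hunk boundaries.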
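Review bot: Declaring `TF_PLAN_ENCRYPTION_PASSPHRASE` with `required: true` on the `workflow_call` interface is a breaking change for every existing caller of `terraform-core.yml`; that is the right choice for an encryption key, but it should be called out in the release notes and the description should say what the secret is used for on both sides. Something like `description: "Passphrase used to symmetrically encrypt Terraform plans before they are uploaded as GitHub Actions artifacts, and to decrypt a downloaded plan later in the job"` would do, and it fixes the product name, which the current text spells `Github`. The `secrets:` mapping that holds this entry starts before the hunk.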
@@ -28,4 +28,5 @@ jobs: REPO_SSH_DEPLOY_KEY: ${{ secrets.SSH_DEPLOY_KEY }} AWS_ACCOUNT_ID: ${{ secrets.TEST_AWS_ACCOUNT_ID }} AWS_ROLE_NAME: ${{ secrets.TEST_AWS_ROLE_NAME }} - TF_MODULES_SSH_DEPLOY_KEY: ${{ secrets.TF_MODULES_SSH_DEPLOY_KEY }} \ No newline at end of file + TF_MODULES_SSH_DEPLOY_KEY: ${{ secrets.TF_MODULES_SSH_DEPLOY_KEY }} + TF_PLAN_ENCRYPTION_PASSPHRASE: ${{ secrets.TF_PLAN_ENCRYPTION_PASSPHRASE }} \ No newline at end of file
diff --git a/.github/workflows/_test-terraform-plan-apply.yml b/.github/workflows/_test-terraform-plan-apply.yml
index 197a66d..f0e52d3 100644
--- a/.github/workflows/_test-terraform-plan-apply.yml
+++ b/.github/workflows/_test-terraform-plan-apply.yml
@@ -31,4 +31,5 @@ jobs: REPO_SSH_DEPLOY_KEY: ${{ secrets.SSH_DEPLOY_KEY }} AWS_ACCOUNT_ID: ${{ secrets.TEST_AWS_ACCOUNT_ID }} AWS_ROLE_NAME: ${{ secrets.TEST_AWS_ROLE_NAME }} - TF_MODULES_SSH_DEPLOY_KEY: ${{ secrets.TF_MODULES_SSH_DEPLOY_KEY }} \ No newline at end of file + TF_MODULES_SSH_DEPLOY_KEY: ${{ secrets.TF_MODULES_SSH_DEPLOY_KEY }} + TF_PLAN_ENCRYPTION_PASSPHRASE: ${{ secrets.TF_PLAN_ENCRYPTION_PASSPHRASE }} \ No newline at end of file
diff --git a/.github/workflows/terraform-destroy.yml b/.github/workflows/terraform-destroy.yml
index 91e351b..33b7733 100644
--- a/.github/workflows/terraform-destroy.yml
+++ b/.github/workflows/terraform-destroy.yml
@@ -51,7 +51,10 @@ on: SSH_DEPLOY_KEY: required: false description: "Deprecated: Use either TF_MODULES_SSH_DEPLOY_KEY or REPO_SSH_DEPLOY_KEY instead." - + TF_PLAN_ENCRYPTION_PASSPHRASE: + required: true + description: "The passphrase used to encrypt Terraform Plans before uploading them as Github Artifacts" + jobs: define_matrix: name: Define directory matrix for destroy
diff --git a/.github/workflows/terraform-plan-apply.yml b/.github/workflows/terraform-plan-apply.yml
index 1f8638e..8d005aa 100644
--- a/.github/workflows/terraform-plan-apply.yml
+++ b/.github/workflows/terraform-plan-apply.yml
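Review bot: The new `TF_PLAN_ENCRYPTION_PASSPHRASE:` line inherits the file's missing trailing newline (`\ No newline at end of file` on the new side, and likewise in `_test-terraform-plan-apply.yml` in the next hunk), which is exactly why the untouched `TF_MODULES_SSH_DEPLOY_KEY` line shows up here as a `-`/`+` pair. End both files with a newline so the next addition does not churn the previous line again. The `secrets:` mapping these lines belong to starts above the hunk.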
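Review bot: Nothing in this patch forwards the newly declared `TF_PLAN_ENCRYPTION_PASSPHRASE` from `terraform-destroy.yml` to its `terraform-core.yml` call, whose secret became `required: true` in patch 3; the diffstat's four insertions for this file are fully accounted for by the three declaration lines and the blank line. Unless the calling job uses `secrets: inherit`, the call should be rejected at validation time for a missing required secret, and the same applies to `terraform-plan-apply.yml` in the next hunk. The `jobs:` section that holds the call site begins at the end of this hunk and is otherwise outside it, so this needs checking against the full file.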
@@ -59,6 +59,10 @@ on: SSH_DEPLOY_KEY: required: false description: "Deprecated: Use either TF_MODULES_SSH_DEPLOY_KEY or REPO_SSH_DEPLOY_KEY instead." + TF_PLAN_ENCRYPTION_PASSPHRASE: + required: true + description: "The passphrase used to encrypt Terraform Plans before uploading them as Github Artifacts" + jobs: define_matrix:
From c1a94ff96d1c58f08d62692f99e30c208a62081b Mon Sep 17 00:00:00 2001
From: Sam Ainsworth
Date: Fri, 6 Dec 2024 11:44:24 +0000
Subject: [PATCH 5/8] Use GPG to encrypt
---
 .github/workflows/terraform-core.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/terraform-core.yml b/.github/workflows/terraform-core.yml
index be1f4aa..1d4138e 100644
--- a/.github/workflows/terraform-core.yml
+++ b/.github/workflows/terraform-core.yml
@@ -322,7 +322,7 @@ jobs: run: | pass_file=$(mktemp) printf "%s" "$ENCRYPTION_PASSPHRASE" > "$pass_file" - openssl enc -in tfplan.enc -out tfplan -d -aes256 -pass file:"$pass_file" + gpg --batch --symmetric --passphrase-file "$pass_file" tfplan - name: Terraform Plan id: tf_plan
@@ -419,7 +419,7 @@ jobs: run: | pass_file=$(mktemp) printf "%s" "$ENCRYPTION_PASSPHRASE" > "$pass_file" - openssl enc -in tfplan -out tfplan.enc -e -aes256 -pass file:"$pass_file" + gpg --decrypt --batch --symmetric --passphrase-file "$pass_file" tfplan - name: Upload Terraform Plan and matrix uses: actions/upload-artifact@v4
@@ -427,7 +427,7 @@ jobs: with: name: "${{ env.state_name }}-artefacts" path: | - ${{ matrix.stack.directory }}/tfplan* + ${{ matrix.stack.directory }}/tfplan.gpg ${{ matrix.stack.directory }}/updated_matrix.json if-no-files-found: warn compression-level: 1
From 1cfb618ecea0654b605d198f2027a370d1351d4f Mon Sep 17 00:00:00 2001
From: Sam Ainsworth
Date: Fri, 6 Dec 2024 11:44:46 +0000
Subject: [PATCH 6/8] decrypt during decrypt step
---
 .github/workflows/terraform-core.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
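Review bot: The replacement line `gpg --batch --symmetric --passphrase-file "$pass_file" tfplan` in the decrypt step encrypts rather than decrypts (`--symmetric` is gpg's encrypt command), and the encrypt step in the next hunk receives the `--decrypt` form, so this commit swaps the two operations; patches 6, 7 and 8 then repair the lines one flag at a time. Squash patches 5 to 8 into one commit so that no commit in the series leaves a plan unable to round-trip, which keeps `git bisect` usable across this history. The decrypt step's `if:` and `env:` lines are above the hunk.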
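Review bot: `if-no-files-found: warn` is kept on an upload whose only plan file is now `tfplan.gpg`, so a run in which the encrypted plan was never written still uploads `updated_matrix.json` with a green job, and the failure surfaces only in the consumer's decrypt step, which is gated on download success alone; `if-no-files-found: error` would catch that at the producer. Relatedly, the encrypt step above this hunk has no `if:` while this upload is gated by `inputs.upload_plan`; if a mode exists in which `tfplan` is not produced, `gpg` now fails that job where the old `tfplan*` glob merely warned, so give the encrypt step the same `if: ${{ inputs.upload_plan }}`. The upload step's `uses:` and `if:` lines are above the hunk.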
diff --git a/.github/workflows/terraform-core.yml b/.github/workflows/terraform-core.yml
index 1d4138e..cdb4c00 100644
--- a/.github/workflows/terraform-core.yml
+++ b/.github/workflows/terraform-core.yml
@@ -322,7 +322,7 @@ jobs: run: | pass_file=$(mktemp) printf "%s" "$ENCRYPTION_PASSPHRASE" > "$pass_file" - gpg --batch --symmetric --passphrase-file "$pass_file" tfplan + gpg --decrypt --batch --symmetric --passphrase-file "$pass_file" tfplan - name: Terraform Plan id: tf_plan
From d81fb25f11b7033a70370bf5b67868d67899af05 Mon Sep 17 00:00:00 2001
From: Sam Ainsworth
Date: Fri, 6 Dec 2024 11:57:14 +0000
Subject: [PATCH 7/8] tfplan gpg
---
 .github/workflows/terraform-core.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/terraform-core.yml b/.github/workflows/terraform-core.yml
index cdb4c00..38d2034 100644
--- a/.github/workflows/terraform-core.yml
+++ b/.github/workflows/terraform-core.yml
@@ -322,7 +322,7 @@ jobs: run: | pass_file=$(mktemp) printf "%s" "$ENCRYPTION_PASSPHRASE" > "$pass_file" - gpg --decrypt --batch --symmetric --passphrase-file "$pass_file" tfplan + gpg --decrypt --batch --passphrase-file "$pass_file" --out tfplan tfplan.gpg - name: Terraform Plan id: tf_plan
From e5920d4d9bb29b780ae69239113574ae989429c6 Mon Sep 17 00:00:00 2001
From: Sam Ainsworth
Date: Fri, 6 Dec 2024 12:00:44 +0000
Subject: [PATCH 8/8] Correct encrypt command
---
 .github/workflows/terraform-core.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/terraform-core.yml b/.github/workflows/terraform-core.yml
index 38d2034..190e438 100644
--- a/.github/workflows/terraform-core.yml
+++ b/.github/workflows/terraform-core.yml
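Review bot: `gpg --decrypt --batch --passphrase-file "$pass_file" --out tfplan tfplan.gpg` relies on the runner's gpg-agent permitting a loopback pinentry: the GnuPG manual says that since 2.1 `--passphrase-file` also needs `--pinentry-mode loopback`, and how far a given build tolerates its absence varies by version, so on a self-hosted runner the step can stall or fail waiting for a pinentry. Add `--pinentry-mode loopback` to this line and to the encrypt step in patch 8 so the invocation does not depend on agent configuration. Adding `--yes` as well keeps the step from aborting when a `tfplan` already exists in the working directory. The step's `if:`, `working-directory:` and `env:` lines are above the hunk.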
@@ -419,7 +419,7 @@ jobs: run: | pass_file=$(mktemp) printf "%s" "$ENCRYPTION_PASSPHRASE" > "$pass_file" - gpg --decrypt --batch --symmetric --passphrase-file "$pass_file" tfplan + gpg --batch --symmetric --passphrase-file "$pass_file" tfplan - name: Upload Terraform Plan and matrix uses: actions/upload-artifact@v4
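Review bot: `gpg --batch --symmetric --passphrase-file "$pass_file" tfplan` leaves the cipher to the runner's GnuPG defaults, whereas the `openssl ... -aes256` line the series started from pinned AES-256; which symmetric algorithm and packet format the artifact gets now changes with the gpg version on the runner image. Pass `--cipher-algo AES256` explicitly so the artifact format stays stable across image updates. Nothing checks that the secret arrived non-empty either, and `required: true` on the workflow interface appears to ensure only that the key is passed, not that its value is set, so add `[ -n "$ENCRYPTION_PASSPHRASE" ] || { echo "TF_PLAN_ENCRYPTION_PASSPHRASE is empty" >&2; exit 1; }` before the `mktemp` line rather than leave it to gpg to decide what an empty passphrase file means. The step header and its `env:` block are above the hunk.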