Logan hard-codes the credentials used to decrypt secrets
Logan currently hard-codes the decryption key for secrets to uis-automation-dm/terraform/admin-service-account
allow this to be overridden in the configuration via a new key
configuration setting for a secret. The secret would now look like:
secrets:
- name: some secret
source: a/foo.txt.enc
target: b/foo.txt
key:
type: google-kms
project: some-project-id
location: europe-west2
keyring: some-keyring
key: some-key
The default for all secrets will be:
key:
type: google-kms
project: uis-automation-dm
location: global
keyring: terraform
key: admin-service-account