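# SOPS creation rules. Rules are evaluated sequentially; the first match wins.
# Every rule below lists only an age recipient; no KMS or PGP keys are
# configured anywhere in this file.
creation_rules:
  # Disabled. With no encrypted_regex on a rule, SOPS's default selection
  # applies and all values in a matching file are encrypted, not only the
  # keys named here.
  # - encrypted_regex: (key|user|username|password|passwd|email|stringData)$

  # Dev: files whose path ends in .k.dev.yaml (not every *.dev.yaml).
  - path_regex: '\.k\.dev\.yaml$'
    age: 'age129h70qwx39k7h5x6l9hg566nwm53527zvamre8vep9e3plsm44uqgy8gla'

  # Prod: files whose path ends in .k.prod.yaml.
  # NOTE(review): this is the same age recipient as the dev rule, so whoever
  # holds that one private key can decrypt both dev and prod secrets. Confirm
  # this is intended; a dedicated prod recipient would keep the two
  # environments separated.
  - path_regex: '\.k\.prod\.yaml$'
    age: 'age129h70qwx39k7h5x6l9hg566nwm53527zvamre8vep9e3plsm44uqgy8gla'

  # Catch-all: the absence of a path_regex means this rule matches every file
  # the rules above did not. It uses a different age recipient from dev/prod.
  - age: 'age1vjvgsyr2nef6rk60gj54yqqqdjtc7saj63fxr3ec567wycnrlqxscdyw34'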