terraform-provider-sops
SOPS provider fails to decrypt the file when only certain keys are encrypted.
Hi @carlpett, here is my use case. This is my test.yaml file:

```yaml
global:
  hello: world
local:
  dummy:
    - alpha: beta
```
I am using my AWS KMS key to encrypt/decrypt the data. I used --encrypted-regex to encrypt only the key alpha. It gets encrypted fine using this command:

```shell
sops -i --encrypt --encrypted-regex '^(alpha)$' test.yaml
```

This is how my encrypted file looks:

```yaml
global:
  hello: world
local:
  dummy:
    - alpha: ENC[AES256_GCM,data:Nc/Ngg==,iv:k5H4i9FIgf+XPLCeCKP6pWNYFtaKGriquD701Qqv2ro=,tag:FJyHiVqsFYmU26J36GGPOg==,type:str]
sops:
  kms:
    - arn: XXXXXXXXX
      created_at: '2020-03-09T07:45:47Z'
      enc: XXXXXXXXXXXXXXXXXXXX
      aws_profile: ""
  gcp_kms: []
  azure_kv: []
  lastmodified: '2020-03-09T07:45:49Z'
  mac: XXXXXXXXXXXXXXXXXX
  pgp: []
  encrypted_regex: ^(alpha)$
  version: 3.5.0
```
It also gets decrypted without any issue when using this command:

```shell
sops -i --decrypt test.yaml
```
But when used with the Terraform SOPS provider, it fails with the following error.

```hcl
data "sops_file" "test_secret" {
  source_file = "test.yaml"
  input_type  = "yaml"
}
```

Error:

```text
Error: Error refreshing state: 1 error occurred:
* data.sops_file.test_secret: 1 error occurred:
* data.sops_file.test_secret: data.sops_file.test_secret: Error walking tree: Could not decrypt value: Input string world does not match sops' data format
```

As you can see here, the Terraform provider is trying to decrypt the string world, which was never encrypted. Hence the error.
I tried searching all over the internet, but could not find any solution, hence reaching out to you.
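The failure mode in the report comes down to how the tree walker decides which leaves are ciphertext. The following Go program is an added example written for this page; it is not code from terraform-provider-sops or from the sops library. It reproduces the `ENC[AES256_GCM,...]` leaf format with AES-256-GCM and a 32-byte IV (the length the `iv:` field in the posted file decodes to), walks a decoded tree the way a provider must, and shows both behaviours side by side: a walker that ignores `encrypted_regex` attempts to decrypt the plaintext `world` and fails with the exact message from the issue, while a walker that applies the regex to each key on the path decrypts only `alpha` and passes `hello` through. Assumptions, also marked in the code: the additional authenticated data is the key path joined with `:` plus a trailing `:` and slice items keep their parent's path (believed to mirror sops, but the round trip is self-consistent either way); the all-zero key is a stand-in for the KMS-unwrapped data key; the sample tree is test.yaml from the report, constructed inline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// sops' AES256_GCM leaf encoding: ENC[AES256_GCM,data:..,iv:..,tag:..,type:str]
var encRe = regexp.MustCompile(`^ENC\[AES256_GCM,data:(.*),iv:(.*),tag:(.*),type:(.*)\]$`)

// aad: key path joined by ':' plus a trailing ':' (assumed to mirror sops' convention).
func aad(path []string) []byte { return []byte(strings.Join(path, ":") + ":") }

// EncryptLeaf seals one plaintext string into the ENC[...] form.
func EncryptLeaf(g cipher.AEAD, plaintext string, path []string) (string, error) {
	iv := make([]byte, g.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	sealed := g.Seal(nil, iv, []byte(plaintext), aad(path))
	n, b64 := len(sealed)-g.Overhead(), base64.StdEncoding.EncodeToString
	return fmt.Sprintf("ENC[AES256_GCM,data:%s,iv:%s,tag:%s,type:str]",
		b64(sealed[:n]), b64(iv), b64(sealed[n:])), nil
}

// DecryptLeaf opens one ENC[...] string; any other input fails with the exact
// message the provider printed for the plaintext "world".
func DecryptLeaf(g cipher.AEAD, value string, path []string) (string, error) {
	m := encRe.FindStringSubmatch(value)
	if m == nil {
		return "", fmt.Errorf("Input string %s does not match sops' data format", value)
	}
	var f [3][]byte // data, iv, tag
	var err error
	for i := range f {
		if f[i], err = base64.StdEncoding.DecodeString(m[i+1]); err != nil {
			return "", err
		}
	}
	pt, err := g.Open(nil, f[1], append(f[0], f[2]...), aad(path))
	return string(pt), err
}

// Transform rewrites the string leaves of a decoded YAML tree with leaf. With re set,
// only leaves whose path contains a key matching encrypted_regex are touched and the
// rest pass through; with re == nil every leaf is treated as ciphertext (the bug).
func Transform(g cipher.AEAD, node interface{}, path []string, re *regexp.Regexp,
	leaf func(cipher.AEAD, string, []string) (string, error)) (interface{}, error) {
	var err error
	switch v := node.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(v))
		for k, child := range v {
			p := append(path[:len(path):len(path)], k) // full slice expr: copy, no aliasing
			if out[k], err = Transform(g, child, p, re, leaf); err != nil {
				return nil, err
			}
		}
		return out, nil
	case []interface{}:
		out := make([]interface{}, len(v)) // slice items keep the parent path (assumption)
		for i, child := range v {
			if out[i], err = Transform(g, child, path, re, leaf); err != nil {
				return nil, err
			}
		}
		return out, nil
	case string:
		for _, p := range path {
			if re != nil && re.MatchString(p) {
				return leaf(g, v, path) // selected by encrypted_regex
			}
		}
		if re != nil {
			return v, nil // unencrypted by policy: passed through untouched
		}
		return leaf(g, v, path) // no regex: every leaf must be ENC[...]
	}
	return node, nil // ints, bools, nil: untouched in this example
}

func main() {
	key := make([]byte, 32) // all-zero stand-in for the KMS-unwrapped data key; demo only
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCMWithNonceSize(block, 32) // 32-byte IV, as in the posted file
	tree := map[string]interface{}{"global": map[string]interface{}{"hello": "world"}, // test.yaml
		"local": map[string]interface{}{"dummy": []interface{}{map[string]interface{}{"alpha": "beta"}}}}
	re := regexp.MustCompile(`^(alpha)$`)
	enc, _ := Transform(g, tree, nil, re, EncryptLeaf)
	_, err := Transform(g, enc, nil, nil, DecryptLeaf) // provider ignoring the regex
	dec, _ := Transform(g, enc, nil, re, DecryptLeaf)
	fmt.Printf("ignoring encrypted_regex: %v\nhonouring encrypted_regex: %v\n", err, dec)
}
```

The check that matters for a provider is the one in the `string` case: a leaf is only handed to the decryptor when some key on its path matches `encrypted_regex`; everything else is plaintext by policy and must be returned as-is. Because the path is bound into the GCM additional data, a matching `ENC[...]` value moved under a different key also fails to decrypt, which is the property that stops secrets being swapped between keys in an encrypted file.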
Hi @abhisheksinghrathod, I wasn't able to replicate this, I'm afraid. I've added some tests on this, which seem to work, and bumped the sops library. While this didn't affect my results, it would be very helpful if you could check whether it helps you, by trying out the new binary from here: https://81-138219030-gh.circle-artifacts.com/0/terraform-provider-sops