Output screwed with passphrase input dialog
When GPG prompts for the passphrase, Terraform keeps pushing the state changes to the screen, which screws with the dialog.
Is it possible to pause on the dialog?
┌────────────────────────────────────────────────────────────────┐
│ Please enter the passphrase to unlock the OpenPGP secret key: │
│ "Yujun Zhang <*>" │
│ 4096-bit RSA key, ID *1E54********C60C, │
│ created 2018-08-16 (main key ID 208C********D205). │
│ │
│ │
│ Passphrase: aws_s3_bucket.data: Refreshing state... (ID: datal)
│ │ aws_db_parameter_group.this: Refreshing state... (ID: rds) │ <OK> <Cancel> │
aws_iam_role.monitoring: Refreshing state... (ID: monitoring.rds)─────────────────────────────────────────┘
aws_db_option_group.this: Refreshing state... (ID: rds)
data.aws_security_group.bastion: Refreshing state...
da
Hm, I'm fairly sure this would be a bug in Terraform itself and should be reported on the core Terraform repo (https://github.com/hashicorp/terraform). Or does it only happen when using this provider?
Could be.
Reported here also since this is the first plugin I used which is asking for user input.
Yeah, might not be that common. Would you mind opening an issue there too and pinging me and we'll see what they have to say? If it "should" work in core then I can troubleshoot here better.
Done.
Thanks. As per the discussion in that issue, it actually falls on this plugin to deal with it. Thinking some more about it, I wonder, is this actually the plugin itself, or is the output from a gpg-agent?
I think it is from pinentry
brew info pinentry
pinentry: stable 1.1.0 (bottled)
Passphrase entry dialog utilizing the Assuan protocol
https://www.gnupg.org/related_software/pinentry/
/usr/local/Cellar/pinentry/1.1.0_1 (12 files, 263.9KB) *
Poured from bottle on 2018-08-23 at 05:46:30
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/pinentry.rb
With the following configuration:
GPG_TTY=$(tty)
export GPG_TTY
Alright. I'm actually not sure how to prevent this from happening, since it is several steps removed from the code here: Terraform calls terraform-provider-sops (this code) which uses the sops library, which checks with the gpg agent (pinentry in your case) if it needs to be unlocked. Do you have any ideas outside of reconfiguring your gpg agent?
Neither do I.
How do you handle a passphrase-protected PGP private key at the moment?
Personally I've only used sops with cloud key vaults, so there it is not an issue (there are no interactive components).
For normal gpg usage, my agent queries for the passphrase once every X minutes, but this may or may not be a reasonable configuration in your circumstances (and anyway will require that you do some sort of no-op before running terraform just to get the key unlocked).
Have you tried using pinentry-program /usr/local/bin/pinentry-mac, @yujunz? Haven't tried it with this provider, but came across this issue and thought I'd let you know about this option.
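The two workarounds raised in the last comments (a no-op that unlocks the key before Terraform starts printing, and changing gpg-agent options such as the cache time or pinentry-program) can be scripted as below. This is an added example, not code from terraform-provider-sops, sops, or anyone in this thread; the function names and KEYID are hypothetical, and it assumes the sops file is encrypted to the same key that is primed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of sops or Terraform.

# Idempotently set one option in gpg-agent.conf (replace the line, or append it).
set_agent_option() {
    conf="$1"; name="$2"; value="$3"
    mkdir -p "$(dirname "$conf")"
    touch "$conf"
    tmp="$conf.tmp.$$"
    # Drop any existing line for exactly this option, then append the new value.
    grep -v "^[[:space:]]*$name[[:space:]]" "$conf" > "$tmp" || true
    printf '%s %s\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$conf"
}

# Force the passphrase prompt now, while nothing else writes to the terminal.
# Encrypt-to-self then decrypt exercises the same decryption key sops needs,
# so gpg-agent caches its passphrase for default-cache-ttl seconds.
prime_gpg_agent() {
    key="$1"
    if t=$(tty); then GPG_TTY="$t"; export GPG_TTY; fi
    printf 'noop' | gpg --quiet --encrypt --recipient "$key" \
        | gpg --quiet --decrypt > /dev/null
}

# Unlock first; run the real command only if the unlock succeeded.
run_unlocked() {
    key="$1"; shift
    prime_gpg_agent "$key" || { echo "could not unlock $key" >&2; return 1; }
    "$@"
}

# Typical use (KEYID is a placeholder for your own key ID or e-mail):
#   set_agent_option "$HOME/.gnupg/gpg-agent.conf" default-cache-ttl 600
#   gpgconf --kill gpg-agent      # agent restarts on next use with new config
#   run_unlocked KEYID terraform plan
```

The same `set_agent_option` call can write the `pinentry-program /usr/local/bin/pinentry-mac` line suggested above, which moves the prompt to a GUI dialog instead of the terminal Terraform is writing to.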