terraform-provider-sops
Docs: Specify that sops will consume credentials as per binary and not from provider
I've ended up having to do this to make the decrypt work in Azure DevOps with an ARM Service Connection. Am I missing something? Shouldn't the provider be supplying the relevant details?
Thanks in advance for any attention.
```yaml
- job: terraform_apply
  displayName: 'Terraform apply'
  steps:
    - checkout: self
      clean: true
    - task: AzureCLI@2
      inputs:
        azureSubscription: '<name>'
        scriptType: 'bash'
        scriptLocation: 'inlineScript'
        addSpnToEnvironment: true
        failOnStandardError: true
        inlineScript: |
          echo "##vso[task.setvariable variable=ARM_CLIENT_ID;issecret=true]$servicePrincipalId"
          echo "##vso[task.setvariable variable=ARM_CLIENT_SECRET;issecret=true]$servicePrincipalKey"
          echo "##vso[task.setvariable variable=ARM_TENANT_ID;issecret=true]$tenantId"
    - task: TerraformInstaller@0
      displayName: 'Install terraform (version: ${{ variables.terraformVersion }})'
      inputs:
        terraformVersion: ${{ variables.terraformVersion }}
    - task: TerraformCLI@0
      displayName: Terraform init
      name: terraform_init
      inputs:
        command: 'init'
        backendType: 'azurerm'
        backendServiceArm: '<name>'
        workingDirectory: '$(System.DefaultWorkingDirectory)/$(terraformEnvBasePath)'
        allowTelemetryCollection: false
    - task: TerraformCLI@0
      displayName: 'Terraform apply'
      name: terraform_apply
      env:
        AZURE_CLIENT_ID: $(ARM_CLIENT_ID)
        AZURE_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
        AZURE_TENANT_ID: $(ARM_TENANT_ID)
        AZURE_AUTH_METHOD: "clientcredentials"
      inputs:
        command: 'apply'
        workingDirectory: '$(System.DefaultWorkingDirectory)/$(terraformEnvBasePath)'
        environmentServiceName: '<name>'
        allowTelemetryCollection: false
    - task: Bash@3
      condition: always()
      displayName: 'Clear environment variables'
      inputs:
        targetType: 'inline'
        script: |
          clear="clear"
          echo "##vso[task.setvariable variable=ARM_CLIENT_ID;issecret=true]$clear"
          echo "##vso[task.setvariable variable=ARM_CLIENT_SECRET;issecret=true]$clear"
          echo "##vso[task.setvariable variable=ARM_TENANT_ID;issecret=true]$clear"
```
Hi @fardarter, I'm not familiar with Azure DevOps, so unsure exactly what is exposed to the runners there automatically. Perhaps they consider the ARM_* environments too sensitive to expose to arbitrary tasks without you being explicit about it? But essentially, as long as the environment contains the necessary variables, however they got there, things should work. If the environment is not set, then there's not much we can do, I'm afraid.
Let me know if I'm misunderstanding the question!
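The point made in the reply above is that the sops provider does not take credentials from the azurerm provider block; the sops library reads the Azure identity from the process environment, so the pipeline has to put `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET` and `AZURE_TENANT_ID` there itself. The following preflight script is an added example, not code from the original issue or from terraform-provider-sops. It assumes the same `ARM_*` to `AZURE_*` mapping the pipeline in the issue uses, checks that every variable sops needs is present before `terraform apply` runs, and reports only variable names, never values, so nothing secret lands in the job log. Function names (`export_sops_azure_env`, `check_sops_azure_env`, `clear_sops_azure_env`) are illustrative.

```shell
#!/bin/sh
# Added example (not part of the original issue or the provider's code).
# sops reads Azure Key Vault credentials from the environment, not from the
# azurerm provider configuration, so a pipeline must export them explicitly.

# Copy the ARM_* values the Terraform tasks already use onto the AZURE_* names
# the Azure SDK inside sops reads. Existing AZURE_* values are left untouched.
export_sops_azure_env() {
  : "${AZURE_CLIENT_ID:=${ARM_CLIENT_ID:-}}"
  : "${AZURE_CLIENT_SECRET:=${ARM_CLIENT_SECRET:-}}"
  : "${AZURE_TENANT_ID:=${ARM_TENANT_ID:-}}"
  export AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID
}

# Return 0 when every variable sops needs is non-empty; otherwise list the
# missing names on stderr and return 1. Values are deliberately never printed.
# AZURE_AUTH_METHOD (set in the issue's pipeline) is treated as optional here.
check_sops_azure_env() {
  missing=""
  for name in AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      missing="$missing $name"
    fi
  done
  if [ -n "$missing" ]; then
    echo "sops preflight: missing environment variables:$missing" >&2
    return 1
  fi
  return 0
}

# Mirror of the pipeline's 'Clear environment variables' step for the
# current shell: drop the credentials once the terraform step is done.
clear_sops_azure_env() {
  unset AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID
}

# Run as a pipeline step with: sh preflight.sh run
# (the guard keeps sourcing the file side-effect free).
if [ "${1:-}" = "run" ]; then
  export_sops_azure_env
  check_sops_azure_env || exit 1
fi
```

In a pipeline, source the file in the step that runs `terraform apply` and call `check_sops_azure_env` before the command; a failed check aborts the step with a clear list of names instead of sops failing later with an authentication error from Key Vault.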
The variables are not automatically set in the environment, but they are the same values that are used for the rest of the Terraform script. Knowing little about the internals of providers, I assumed you'd be able to retrieve those values internally and pass them to sops? The SP running the plan has the correct RBAC permissions.
(Worth adding this to the docs either way?)
Thanks for the reply.
Closed in #93