Hi Calle,
First and foremost thanks for your great work with terraform sops provider.
To reduce the risk of having files containing secret keys lying around the filesystem, I have applied the patch suggested in https://github.com/mozilla/sops/pull/946. This patch allows exposing the SOPS secret key as an environment variable rather than a key file; moreover, it will enhance the automation experience with GH Actions or any other CI tool. Because sops PR 946 actually solves a big problem, I took the matter into my own hands and compiled sops from PR496, which includes the possibility to expose the private key as the SOPS_AGE_KEY environment variable.
I have generated a new age key pair and exposed as:
export SOPS_AGE_RECIPIENTS=age1foobarfoobarfoobarfoobar
export SOPS_AGE_KEY=AGE-SECRET-KEY-XXXXXXXXXYYYYYYYYYYYYZZZZZZZZZZ
I created a secret.yaml sops file and added some custom test secrets with sops secret.yaml. This actually proves that SOPS_AGE_KEY works as expected. However, when I try to read those secrets from Terraform configured with the sops provider, I get this back:
│ Error: Error getting data key: 0 successful groups required, got 0
│
│ with data.sops_file.secrets,
│ on locals.tf line 2, in data "sops_file" "secrets":
│ 2: data "sops_file" "secrets" {
│
To me it looks like the provider is not picking up the SOPS_AGE_KEY variable. But if I unset SOPS_AGE_KEY and use export SOPS_AGE_KEY_FILE="${PWD}/key.txt" everything works seamlessly and I'm able to read my secrets and create the resources I want.
Any idea would be really appreciated.
Best regards,
Phillip
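An added example, not part of the issue above and not code from sops or the terraform sops provider: a small POSIX shell wrapper that bridges the two behaviours the report describes. It takes the key from SOPS_AGE_KEY (the form the patched sops binary accepts), materializes it into a fresh 0600 file in a private temp directory, runs the given command with SOPS_AGE_KEY_FILE pointing at that file (the form the provider is reported to honor), and removes the file afterwards. The function names, the prefix check and the temp-dir layout are this example's own assumptions; the check only tests the "AGE-SECRET-KEY-1" prefix and does not validate the key's checksum.

```shell
# Hypothetical helper (example only): bridge SOPS_AGE_KEY -> SOPS_AGE_KEY_FILE
# for tools that only honor the file form of the age identity.
set -eu

# Return 0 if the string has the age identity prefix ("AGE-SECRET-KEY-1..."),
# 1 otherwise. Assumption: prefix check only; the bech32 checksum is not verified.
is_age_secret_key() {
  case "$1" in
    AGE-SECRET-KEY-1*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write $SOPS_AGE_KEY into a new file inside a private (0700) temp directory,
# created with umask 077 so the file itself is 0600, and print the file path.
# Fails (non-zero) when the variable is missing or does not look like a key.
age_key_to_file() {
  key="${SOPS_AGE_KEY:-}"
  if [ -z "$key" ]; then
    printf '%s\n' "SOPS_AGE_KEY is not set" >&2
    return 1
  fi
  if ! is_age_secret_key "$key"; then
    printf '%s\n' "SOPS_AGE_KEY does not look like an age identity" >&2
    return 1
  fi
  dir="$(umask 077 && mktemp -d "${TMPDIR:-/tmp}/sops-age.XXXXXX")"
  # Subshell so the umask change does not leak into the caller.
  ( umask 077 && printf '%s\n' "$key" > "$dir/key.txt" )
  printf '%s\n' "$dir/key.txt"
}

# Run "$@" with SOPS_AGE_KEY_FILE set to the materialized key and the raw
# SOPS_AGE_KEY removed from the child's environment (env -u is supported by
# GNU, BSD and busybox env). The temp directory is removed whether or not the
# command succeeds, and the command's exit status is propagated.
with_age_key_file() {
  keyfile="$(age_key_to_file)" || return 1
  rc=0
  env -u SOPS_AGE_KEY SOPS_AGE_KEY_FILE="$keyfile" "$@" || rc=$?
  rm -rf "$(dirname "$keyfile")"
  return "$rc"
}

# Usage (in CI, with SOPS_AGE_KEY provided as a masked secret):
#   with_age_key_file terraform plan
```

The key still touches disk for the lifetime of the command, so this is a mitigation for the "key file lying around" concern rather than a replacement for native SOPS_AGE_KEY support: the file lives only as long as the wrapped command, in a directory nobody else can traverse. On systems where `$TMPDIR` is tmpfs it never reaches persistent storage.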