carlpett / terraform-provider-sops

A Terraform provider for reading Mozilla sops files
Mozilla Public License 2.0

Failing decrypting from sops age key as environment variable. #80

Closed p0bailey closed 2 years ago

p0bailey commented 2 years ago

Hi Calle,

First and foremost thanks for your great work with terraform sops provider.

To reduce the risk of having files containing secret keys lying around the filesystem, I have applied the patch suggested in https://github.com/mozilla/sops/pull/946. This patch allows exposing the sops secret key as an environment variable rather than a key file; moreover, it will enhance the automation experience with GH Actions or any other CI tool. Because sops PR 946 actually solves a big problem, I took the matter into my own hands and compiled sops from PR 946, which includes the possibility of exposing the private key as the SOPS_AGE_KEY environment variable.

I have generated a new age key pair and exposed it as:

export SOPS_AGE_RECIPIENTS=age1foobarfoobarfoobarfoobar

export SOPS_AGE_KEY=AGE-SECRET-KEY-XXXXXXXXXYYYYYYYYYYYYZZZZZZZZZZ

I created a secret.yaml sops file and added some custom test secrets with sops secret.yaml. This actually proves that SOPS_AGE_KEY works as expected. However, when I try to read those secrets from Terraform configured with the sops provider, I get this back:

│ Error: Error getting data key: 0 successful groups required, got 0
│
│   with data.sops_file.secrets,
│   on locals.tf line 2, in data "sops_file" "secrets":
│    2: data "sops_file" "secrets" {
│

To me it looks like the provider is not passing the SOPS_AGE_KEY variable. But if I unset SOPS_AGE_KEY and use export SOPS_AGE_KEY_FILE="${PWD}/key.txt", everything works seamlessly and I'm able to read my secrets and create the resources I wanted.

Any idea would be really appreciated.

Best regards,

Phillip

heseifert commented 2 years ago

+1

carlpett commented 2 years ago

Hi! This should be fixed with sops 3.7.2, which is included in the just-released 0.7.0!
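For anyone landing here with the same error, below is a minimal configuration for the fixed setup. This is an added example, not code from the issue or from the provider's own documentation; the file name secret.yaml and the data.sops_file.secrets address come from the report above, while the plain.yaml file name and the db_password key are assumptions made for illustration.

```hcl
terraform {
  required_providers {
    sops = {
      source = "carlpett/sops"
      # 0.7.0 is the first provider release bundling sops 3.7.2, the sops
      # version that reads SOPS_AGE_KEY; older releases only honour
      # SOPS_AGE_KEY_FILE, which is why the env-var-only setup failed.
      version = ">= 0.7.0"
    }
  }
}

# The provider decrypts with the bundled sops library inside the terraform
# process, so the age identity must be in that process's environment, e.g.
# in a CI step (assumed variable name AGE_PRIVATE_KEY from the CI secret store):
#   export SOPS_AGE_KEY="$AGE_PRIVATE_KEY"
# Locally, SOPS_AGE_KEY_FILE="${PWD}/key.txt" remains the file-based alternative.
#
# secret.yaml is assumed to have been produced with
#   sops --encrypt --age "$SOPS_AGE_RECIPIENTS" plain.yaml > secret.yaml
# and to contain a top-level db_password key (assumption).
data "sops_file" "secrets" {
  source_file = "secret.yaml"
}

locals {
  # Individual values are read from the decrypted `data` map.
  db_password = data.sops_file.secrets.data["db_password"]
}

output "db_password" {
  value = local.db_password
  # The decrypted map is sensitive; Terraform refuses an output derived from
  # it unless the output is marked sensitive too, which also keeps the value
  # out of plan/apply logs in CI.
  sensitive = true
}
```

The "0 successful groups required, got 0" message means none of the master keys listed in the file's sops metadata could unwrap the data key; with only an age recipient configured, that is the symptom of the bundled sops not finding a usable age identity. If it still appears after upgrading, check that SOPS_AGE_KEY is exported in the shell or CI step that actually runs terraform, not just in the one where sops was tested by hand.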

p0bailey commented 2 years ago

really appreciated!

Thanks,

Phillip