I intend to use this provider to decrypt the encrypted AWS passwords before printing them during plan/apply, to avoid doing it manually for every single secret.
In case you want to rotate the GPG keys, some resources have the encrypted secrets encrypted with the old public key in the state. Since I do not store both keys in the state (generated by your gpg_key resource; that would defeat the purpose of encryption), I read both keys from the local file system. This means I only have one key pair available to Terraform. Hence the decryption of older secrets will fail and only the later ones will be successful.
I would like to have an argument on data.pgp_decrypt like ignore_errors which fills the object with nulls or empty strings, so that the following runs through. Currently, it fails in the planning phase when processing data.pgp_decrypt.
What do you think?
Cheers Thomas