getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

sops ignores the `--input-type` flag #1168

Open tbenthompson opened 1 year ago

tbenthompson commented 1 year ago

First run with a .gitignore file extension. The file is not treated as an ENV file despite the --input-type dotenv flag.

❯ sops -e --input-type dotenv cloud/sops_kms/prod_secrets.gitignore                 
{
        "REMOVED": "ENC[AES256_GCM,data:REMOVED,type:str]",
        "sops": {
                "kms": [
                        {
                                "arn": "REMOVED",
                                "enc": "REMOVED",
                                "aws_profile": ""
                        }
                ],
                "gcp_kms": null,
                "azure_kv": null,
                "hc_vault": null,
                "age": null,
                "lastmodified": "2023-01-23T23:22:46Z",
                "mac": "ENC[AES256_GCM,data:REMOVED,type:str]",
                "pgp": null,
                "unencrypted_suffix": "_unencrypted",
                "version": "3.7.3"
        }
}

Compare with a second run where I've renamed the file to have a .env extension:

❯ sops -e --input-type dotenv cloud/sops_kms/prod_secrets.gitignore.env
REMOVED=ENC[AES256_GCM,data:REMOVED,type:str]
sops_unencrypted_suffix=_unencrypted
sops_kms__list_0__map_created_at=2023-01-23T23:23:13Z
sops_kms__list_0__map_enc=REMOVED
sops_mac=ENC[AES256_GCM,data:REMOVED,type:str]
sops_version=3.7.3
sops_lastmodified=2023-01-23T23:23:14Z
sops_kms__list_0__map_arn=REMOVED
sops_kms__list_0__map_aws_profile=

felixfontein commented 1 year ago

It looks like sops is correctly handling the env file to me from what you pasted here. --input-type is about how the file is read, not about the format that the resulting encrypted file is written in. In your first example, you have to use both --input-type dotenv and --output-type dotenv to tell sops to load cloud/sops_kms/prod_secrets.gitignore as a dotenv file, and write the encrypted result as a dotenv file as well.
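Added example (not part of the issue or of sops itself): a small Python helper that reads a dotenv-format encrypted file like the second run above, rebuilds the nested `sops` metadata from the flattened `sops_kms__list_0__map_*` keys, and flags any data value that was not written as an `ENC[...]` envelope. The `__list_N__map_` decoding is an assumption inferred from the keys visible in the output, not taken from the sops source.

```python
import re

# sops flattens its `sops` metadata block into keys like `sops_kms__list_0__map_arn`.
# The `__list_N__map_` decoding below is inferred from the keys shown in the
# issue above, not taken from the sops source (assumption).
LIST_SEGMENT = re.compile(r"__list_(\d+)__map_")

# Constructed sample shaped like the second run in the issue (values redacted).
SAMPLE_DOTENV = """\
REMOVED=ENC[AES256_GCM,data:REMOVED,type:str]
sops_unencrypted_suffix=_unencrypted
sops_kms__list_0__map_enc=REMOVED
sops_mac=ENC[AES256_GCM,data:REMOVED,type:str]
sops_version=3.7.3
sops_kms__list_0__map_arn=REMOVED
"""

def parse_dotenv(text):
    """Return KEY -> VALUE; the value is everything after the first '='."""
    pairs = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs[key] = value
    return pairs

def split_sops_dotenv(text):
    """Separate data entries from the rebuilt nested `sops` metadata tree."""
    data, meta = {}, {}
    for key, value in parse_dotenv(text).items():
        if not key.startswith("sops_"):
            data[key] = value
            continue
        # "kms__list_0__map_arn" -> ["kms", "0", "arn"]; "version" -> ["version"]
        path = LIST_SEGMENT.split(key[len("sops_"):])
        node = meta
        for i in range(0, len(path) - 1, 2):
            items = node.setdefault(path[i], [])
            while len(items) <= int(path[i + 1]):
                items.append({})
            node = items[int(path[i + 1])]
        node[path[-1]] = value
    return data, meta

def plaintext_keys(data, meta):
    """Data keys stored in clear (not ENC[...] and not ending in unencrypted_suffix)."""
    suffix = meta.get("unencrypted_suffix", "_unencrypted")
    return sorted(k for k, v in data.items()
                  if not k.endswith(suffix) and not v.startswith("ENC["))
```

A non-empty result from `plaintext_keys` on a file you expected to be fully encrypted is a quick sign that the wrong input or output type was used when it was written.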

tbenthompson commented 1 year ago

Oh, I see! I hadn't noticed the --output-type flag. Thanks for explaining. This feels like confusing behavior to me. I would expect the output format to default to being the same as the input format. But, I would also understand not wanting to break backwards compatibility.