dmattia
commented
3 years ago There are many terragrunt functions that are necessary to generate atlantis.yaml, but I agree that sops_decrypt_file is not a super common one that would be needed. It's possible we could add a block list for functions that we don't want Terragrunt to actually execute (like I have started in a WIP PR: https://github.com/transcend-io/terragrunt-atlantis-config/pull/70/files#diff-6a86d8a9f6cd199e4c88a751a77dc763a1ad3a8d31aa7f2b3378a82f7f2cc4ffR136-R158).
Are the permissions here the biggest issue for you, or is there performance related data you have on this taking too long for your tastes, or are you being rate-limited by KMS?
For the permissions, where do you have terragrunt-atlantis-config running? In most cases, I would have guessed that the tool would be run on the Atlantis server, which would need those permissions anyways in order to actually run the atlantis plan commands right after generating the atlantis.yaml file. I'd gladly hear your use case though!
povils
Currently
terragrunt-atlantis-configis actually invoking the terragrunt functionsops_decrypt_file. When we have thousands of small secret files withsops_decrypt_file, it would be great that theterragrunt-atlantis-configwould just skip the invocation. I don't really see a need to be honest, because not sure how reading secrets is helping to autogenerateatlantis.yaml. Besides unneccesary calls to let's say AWS KMS in order to decrypt files,terragrunt-atlantis-configcommand also requires AWS access in the first place