1

I have configured SOPS with generator:

.sops.yaml

creation_rules:
  - path_regex: \.dev\.yaml$
    kms: *kms_arn*
    aws_profile: dev

To generate a file sops secrets.dev.yaml

It generates file with encryption as:

hello: ENC[AES256_GCM,data:8gtnzBNu2AG9l2zHFy3ovCS0gWFj3bdjgb3B/X8CUkvgox8GcxLQv/99aMUndQ==,iv:lw8VYzpWQUrm6bWQgJ6/KEYizhe8VxJAmdysF+Q6zTM=,tag:vRrdCo/iH4ec4dPzI7DB5Q==,type:str]
sops:
    kms:
    -   arn: *kms_arn*
        created_at: '2021-01-12T05:24:17Z'
        enc: *enc_key*
        aws_profile: dev
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    lastmodified: "2021-01-12T05:24:43Z"
    mac: *mac_key*
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.6.1

Using in terragrunt:

terragrunt.hcl

locals {
  secret_vars = yamldecode(sops_decrypt_file(find_in_parent_folders("secrets.dev.yaml")))
}

Error:

Error: Error in function call:

Call to function "sops_decrypt_file" failed: Error getting data key: 0 successful groups required, got 0.

Ashok
  • 75
  • 12

2 Answers2

0

Using export AWS_PROFILE=dev is not an option for me as I am using generate provider.tf

account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
generate "provider" {
  path      = "provider.tf"
  if_exists = "overwrite_terragrunt"
  contents  = <<EOF
provider "aws" {
  region = "${local.aws_region}"
  shared_credentials_file = "~/.aws/credentials"
  profile                 = "${local.account_name}"
}
EOF
}

I ended up with a workaround setting roles directly inside key groups

creation_rules:
  - path_regex: \.dev\.yaml$
    key_groups:
      - kms:
          - arn: <<kms_arn>>
            role: <<role_arn>>
Ashok
  • 75
  • 12
0

In my case I've updated SOPS provider version, and it worked

sops = {
  source  = "carlpett/sops"
  version = "~> 0.5.2 --> 0.7.1"
}
Aidar Gatin
  • 755
  • 1
  • 7
  • 9