SOPS provider fails to decrypt the file when only certain keys are encrypted. #38

Open
abhisheksinghrathod opened this issue Mar 9, 2020 · 1 comment


@abhisheksinghrathod

Hi @carlpett,
Here is my use case.
This is my test.yaml file:

global:
    hello: world
local:
    dummy:
    -   alpha: beta

I am using my AWS KMS key to encrypt/decrypt the data.

I used --encrypted-regex to encrypt only the key alpha. It gets encrypted fine, using the command
sops -i --encrypt --encrypted-regex '^(alpha)$' test.yaml

This is what my encrypted file looks like:

global:
    hello: world
local:
    dummy:
    -   alpha: ENC[AES256_GCM,data:Nc/Ngg==,iv:k5H4i9FIgf+XPLCeCKP6pWNYFtaKGriquD701Qqv2ro=,tag:FJyHiVqsFYmU26J36GGPOg==,type:str]
sops:
    kms:
    -   arn: XXXXXXXXX
        created_at: '2020-03-09T07:45:47Z'
        enc: XXXXXXXXXXXXXXXXXXXX
        aws_profile: ""
    gcp_kms: []
    azure_kv: []
    lastmodified: '2020-03-09T07:45:49Z'
    mac: XXXXXXXXXXXXXXXXXX
    pgp: []
    encrypted_regex: ^(alpha)$
    version: 3.5.0

It also gets decrypted without any issue when using this command:
sops -i --decrypt test.yaml

But when used with the Terraform SOPS provider code, it fails with the following error:

data "sops_file" "test_secret" {
  source_file = "test.yaml"
  input_type = "yaml"
}

Error:

Error: Error refreshing state: 1 error occurred:
	* data.sops_file.test_secret: 1 error occurred:
	* data.sops_file.test_secret: data.sops_file.test_secret: Error walking tree: Could not decrypt value: Input string world does not match sops' data format

As you can see here, the Terraform provider is trying to decrypt the string world, which was never encrypted. Hence the error.

I tried searching all over the internet but could not find any solution, hence reaching out to you.

@carlpett
Owner

Hi @abhisheksinghrathod,
I wasn't able to replicate this, I'm afraid. I've added some tests on this, which seem to work, and bumped the sops library. While this didn't affect my results, it would be very helpful if you could check if it helps you, by trying out the new binary from here: https://81-138219030-gh.circle-artifacts.com/0/terraform-provider-sops
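
For a file encrypted with --encrypted-regex as in this issue, a consumer has to tell ENC[...] envelopes apart from values that were left in plaintext, and a reviewer may want to confirm that the two match what the regex selects. The Go sketch below is an added example, not code from terraform-provider-sops or sops; `Classify`, `verdicts` and `IssueFile` are hypothetical names, and the rule that a leaf is selected when any key on its path matches the regex is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
)

// encValue matches the ENC[...] envelope seen in the encrypted test.yaml.
var encValue = regexp.MustCompile(`^ENC\[AES256_GCM,data:.+,iv:.+,tag:.+,type:\w+\]$`)

// verdicts is keyed by {key path selected by encrypted_regex, value is an ENC envelope}.
var verdicts = map[[2]bool]string{
	{true, true}:   "decrypt",
	{false, false}: "passthrough", // e.g. hello: world, never encrypted
	{true, false}:  "plaintext-under-selected-key",
	{false, true}:  "ciphertext-under-unselected-key",
}

// Classify records a verdict per leaf path. Assumption (not taken from sops source):
// a leaf is selected when any map key on its path matches encrypted_regex.
func Classify(node interface{}, path string, re *regexp.Regexp, selected bool, out map[string]string) {
	switch v := node.(type) {
	case map[string]interface{}:
		for k, child := range v {
			if path != "" || k != "sops" { // skip the top-level sops metadata block
				Classify(child, path+"/"+k, re, selected || re.MatchString(k), out)
			}
		}
	case []interface{}:
		for i, child := range v {
			Classify(child, fmt.Sprintf("%s/%d", path, i), re, selected, out)
		}
	default:
		s, _ := v.(string) // non-string leaves can never be ENC envelopes
		out[path] = verdicts[[2]bool{selected, encValue.MatchString(s)}]
	}
}

// IssueFile is the encrypted test.yaml from the issue, decoded by hand (KMS fields omitted).
var IssueFile = map[string]interface{}{
	"global": map[string]interface{}{"hello": "world"},
	"local": map[string]interface{}{"dummy": []interface{}{map[string]interface{}{"alpha": "ENC[AES256_GCM,data:Nc/Ngg==,iv:k5H4i9FIgf+XPLCeCKP6pWNYFtaKGriquD701Qqv2ro=,tag:FJyHiVqsFYmU26J36GGPOg==,type:str]"}}},
	"sops": map[string]interface{}{"encrypted_regex": "^(alpha)$", "version": "3.5.0"},
}

func main() {
	out := map[string]string{}
	Classify(IssueFile, "", regexp.MustCompile(`^(alpha)$`), false, out)
	fmt.Println(out)
}
```

On the issue's file this yields `passthrough` for `/global/hello` and `decrypt` for `/local/dummy/0/alpha`; the two other verdicts flag a file whose contents have drifted from its `encrypted_regex`.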
