Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Call to function "sops_decrypt_file" failed: No keys found in file. #1562

Closed
teamfighter opened this issue Feb 25, 2021 · 2 comments
Closed

Call to function "sops_decrypt_file" failed: No keys found in file. #1562

teamfighter opened this issue Feb 25, 2021 · 2 comments
Labels
bug Something isn't working

Comments

@teamfighter
Copy link
Contributor

Hello!
I am experiencing problems with sops_decrypt_file function, while using hc_vault backend.
Here is an error that I recieve:

➜  microservices-env terragrunt plan     
Error: Error in function call

  on /infra-live/develop/terragrunt.hcl line 3, in locals:     
   3:   secret_vars    = yamldecode(sops_decrypt_file("${find_in_parent_folders("secret_vars.yaml")}"))       

Call to function "sops_decrypt_file" failed: No keys found in file.

ERRO[0000] Encountered error while evaluating locals.
ERRO[0000] /infra-live/develop/terragrunt.hcl:3,31-49: Error in function call; Call to function "sops_decrypt_file" failed: No keys found in file.
ERRO[0000] Unable to determine underlying exit code, so Terragrunt will exit with error code 1

Here is my configuration:

.sops.yaml:

creation_rules:
  # Encrypt using Vault
  - path_regex: .*develop.*
    hc_vault_transit_uri: "https://vault.example.com/v1/kms-develop/keys/terragrunt"

terragrunt.hcl:

locals {
  common_vars = yamldecode(file("${find_in_parent_folders("common_vars.yaml")}"))
  secret_vars = yamldecode(sops_decrypt_file("${find_in_parent_folders("secret_vars.yaml")}"))
}
inputs = merge(
  local.secret_vars, 
  { ....}
)

Here is what I got in encrypted file:

vault-postgres:
    user:
        name: ENC[AES256_GCM,data:AYkrZV7fS+C4PQ==,iv:S9S+2j5xG8M8OskIrDXgEljr9JfHUgsFCdSL12zmotI=,tag:OrbFESJFlKqVmBuV+ktgSA==,type:str]
        password: ENC[AES256_GCM,data:of06ygqS5Ls=,iv:JYoV8inJ7S5KOCDAdPoa8e7thCtVQTxgwWPZdQsucDA=,tag:kSz1MpLmkmorWdWRb+luQw==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault:
    -   vault_address: https://vault.example.com
        engine_path: kms-develop
        key_name: terragrunt
        created_at: '2021-02-25T12:49:24Z'
        enc: vault:v1:ccU26qVb2b4G+s1X6i/6E9pxGmJ58L36Qbhq+uIFJ2eEDBYFoUvN9RZc+LsquJ0tq2NKftRKieaAF3k1
    lastmodified: '2021-02-25T12:49:24Z'
    mac: ENC[AES256_GCM,data:1PyeAB1MUP4hXrgAlO94UScAJBf/R5hDTVT/2WmZunZUmEIkggMllOyNSl4/M/6kP6RaCYvwA1OjYQ21pKnrva0bufPSudBsafn12DhEQYhGzNSL187QzK+pG6D5DjKVZ2Jv66DpsWsvY8GAKPyegQOoeiuAbgHdSuTQ0gBYy/8=,iv:hYatTXwUaiV53Df9yvYM0yOcF5/sWHjkyKBYncWaGWE=,tag:vTZfzTzWX/5RonYx2LbzOQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.6.1

So the main question is - does sops_decrypt_file support hc_vault backend?
It definitely works with gcp_kms backend, but we need it working with hc_vault.
Sops version used is 3.6.1, terragrunt version v0.28.7
@teamfighter teamfighter mentioned this issue Feb 26, 2021
Merged
@teamfighter
Copy link
Contributor Author

Looks like I found the solution, here is related PR
#1564

@yorinasub17 yorinasub17 added the bug Something isn't working label Mar 3, 2021
@brikis98
Copy link
Member

Fixed in #1564 and released in https://github.com/gruntwork-io/terragrunt/releases/tag/v0.28.22. New binaries should show up shortly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@yorinasub17 @brikis98 @teamfighter