
Random failure to decrypt when we have multiple(>=7) files to decrypt in .tf #126

Open
mrdntgrn opened this issue Nov 13, 2024 · 0 comments

@mrdntgrn

When we have more than 6 (>=7) sops_file data blocks in tf code, the decode (for example when we run terraform plan) fails randomly. The files to decrypt have been encrypted using sops -e -i <file-name> based on gpg with a passphrase. One might think that they typed the wrong passphrase, but the issue appears randomly and sometimes the decrypt can succeed. sops -d <file-name> always succeeds.
By increasing the count of sops_file data blocks, the probability of failure also increases, so that for 15 items only 1 out of 10 runs may succeed.
The number 7 may be fixed or may depend on system performance; I tested on an Apple MacBook M3 Pro (and also on Ubuntu Linux locally and in a remote Docker-based Terraform CI/CD pipeline). When we have only a few (fewer than 7) sops_file blocks in tf, no failures can be seen.

Tested with the latest terraform and sops provider versions (the same issue can also be seen with old terraform and sops provider versions).

Here is the tool version information:

# output of `terraform version`
Terraform v1.9.3
on darwin_arm64
+ provider registry.terraform.io/carlpett/sops v1.1.1

Here is sample tf code that can be used to reproduce the issue with 10 sops_file data blocks:

# main.tf file content
terraform {
  required_providers {
    sops = {
      source  = "carlpett/sops"
      version = "1.1.1"
    }
  }
}

provider "sops" {}

data "sops_file" "this1" {
  source_file = "my-gpg-encrypted-data.yaml"
}
data "sops_file" "this2" {
  source_file = "my-gpg-encrypted-data.yaml"
}
data "sops_file" "this3" {
  source_file = "my-gpg-encrypted-data.yaml"
}
data "sops_file" "this4" {
  source_file = "my-gpg-encrypted-data.yaml"
}
data "sops_file" "this5" {
  source_file = "my-gpg-encrypted-data.yaml"
}
data "sops_file" "this6" {
  source_file = "my-gpg-encrypted-data.yaml"
}
data "sops_file" "this7" {
  source_file = "my-gpg-encrypted-data.yaml"
}
data "sops_file" "this8" {
  source_file = "my-gpg-encrypted-data.yaml"
}
data "sops_file" "this9" {
  source_file = "my-gpg-encrypted-data.yaml"
}
data "sops_file" "this10" {
  source_file = "my-gpg-encrypted-data.yaml"
}

Please let me know if you need more info.
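A small harness for measuring the failure rate the report describes, added here as an example that is not part of the issue or of the sops provider's own code: it generates a main.tf with a chosen number of sops_file data blocks that all read the same encrypted file, then runs `terraform plan` repeatedly and counts the successful runs. It assumes terraform, the encrypted file and the matching GPG key are available locally; the block count, run count and the file name `my-gpg-encrypted-data.yaml` are parameters.

```shell
#!/usr/bin/env bash
# Added harness (not from the issue): generate a main.tf with N sops_file
# data blocks reading the same encrypted file, then run `terraform plan`
# K times and count the runs that succeed.
set -u

# Emit a main.tf with $1 sops_file data blocks reading file $2 (assumed name).
gen_main_tf() {
  n="$1"; src="${2:-my-gpg-encrypted-data.yaml}"
  cat <<'EOF'
terraform {
  required_providers {
    sops = {
      source  = "carlpett/sops"
      version = "1.1.1"
    }
  }
}

provider "sops" {}
EOF
  i=1
  while [ "$i" -le "$n" ]; do
    printf '\ndata "sops_file" "this%d" {\n  source_file = "%s"\n}\n' "$i" "$src"
    i=$((i + 1))
  done
}

# Count sops_file data blocks on stdin (sanity check of the generated file).
count_blocks() { grep -c '^data "sops_file"'; }

# Run `terraform plan` $2 times in module dir $1; print "<succeeded>/<runs>".
measure() {
  dir="$1"; runs="$2"; ok=0; i=1
  while [ "$i" -le "$runs" ]; do
    terraform -chdir="$dir" plan -input=false >/dev/null 2>&1 && ok=$((ok + 1))
    i=$((i + 1))
  done
  printf '%d/%d\n' "$ok" "$runs"
}

# Usage: REPRO=1 ./repro.sh <blocks> <runs> [encrypted-file]; guarded so the
# functions can be sourced without running terraform.
if [ "${REPRO:-0}" = 1 ]; then
  src="${3:-my-gpg-encrypted-data.yaml}"; work=$(mktemp -d)
  gen_main_tf "${1:-10}" "$src" > "$work/main.tf" && cp "$src" "$work/"
  terraform -chdir="$work" init -input=false >/dev/null
  echo "$(count_blocks < "$work/main.tf") blocks: $(measure "$work" "${2:-10}") plans succeeded"
fi
```

Running it with 5, 7 and 15 blocks (for example `REPRO=1 ./repro.sh 15 10`) gives a success ratio per block count, which is the number a maintainer needs to see the count-dependent behaviour rather than a single pass or fail.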
