
Clearer error message when sops_decrypt_file fails because of missing credentials/permissions #3064

Open
JeanFred opened this issue Apr 16, 2024 · 0 comments
Labels
enhancement New feature or request terragrunt

Comments

@JeanFred (Contributor)

We use SOPS to manage secrets. The SOPS secret file is decrypted using sops_decrypt_file in our top-level terragrunt.hcl file. Something like:

```hcl
locals {
  my_secrets = yamldecode(sops_decrypt_file(find_in_parent_folders("my-secrets.yml")))
}

inputs = merge(
  local.my_secrets,
  {...}
)
```

It happens quite often that executing Terragrunt fails with

```
time=2024-04-16T12:14:13+02:00 level=error msg=Error: Error in function call
time=2024-04-16T12:14:13+02:00 level=error msg=  on /path/infra/environments/terragrunt.hcl line 22, in locals:
time=2024-04-16T12:14:13+02:00 level=error msg=  22:   my_secrets = yamldecode(sops_decrypt_file(find_in_parent_folders("my-secrets.yml")))
time=2024-04-16T12:14:13+02:00 level=error msg=
time=2024-04-16T12:14:13+02:00 level=error msg=Call to function "sops_decrypt_file" failed: Error getting data key: 0 successful groups required, got 0.
time=2024-04-16T12:14:13+02:00 level=error msg=Encountered error while evaluating locals.
time=2024-04-16T12:14:13+02:00 level=error msg=/path/infra/environments/terragrunt.hcl:22,32-50: Error in function call; Call to function "sops_decrypt_file" failed: Error getting data key: 0 successful groups required, got 0.
time=2024-04-16T12:14:13+02:00 level=error msg=Unable to determine underlying exit code, so Terragrunt will exit with error code 1
```

and people get really confused about what is happening.

  • The typical reason is that people just forgot to expose their AWS credentials (we use aws-vault, but people may forget to wrap the terragrunt call in it).
  • Since AWS resources (including the KMS key) can only be accessed when using VPN (enforced in IAM), the call might fail even when using the correct AWS credentials (i.e. the correct aws-vault profile) if people forgot to be on VPN.
  • A more subtle reason is that we have secrets encrypted with a KMS key living in a central AWS account, shared with other AWS accounts (using IAM), and we may have forgotten to share the key with the new account.

Either way, it's a permission problem, but the error message is not really helping to figure that out.

Describe the solution you'd like

Some kind of hint that the failure is likely related to some permission/credentials problem. I don’t have a good wording suggestion, I’m afraid.

Describe alternatives you've considered

I considered using a terragrunt error hook to parse the message and display an error message, but 1/ I could not make it work (although I did not try really hard) 2/ I would rather not have to do that in every repo anyway.
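The hint the issue asks for could be implemented by matching the raw SOPS error text and wrapping it with a diagnosis before it is surfaced to the user. The Go snippet below is an added illustration of that idea, not Terragrunt's or SOPS's own code: the `DecryptHintError` type, `HintFor` and `WrapDecryptError` are hypothetical names, the first matched message is the one quoted in this issue, and the AWS SDK error codes (`NoCredentialProviders`, `ExpiredToken`, `AccessDeniedException`) are assumed to be what the underlying KMS call surfaces in the three scenarios listed above (missing credentials, expired session, key not shared with the account).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DecryptHintError wraps the raw SOPS/KMS error with a human-readable hint
// about the likely cause (credentials, network, key policy). Hypothetical type.
type DecryptHintError struct {
	Path string // the secrets file that could not be decrypted
	Hint string // diagnostic hint shown to the user
	Err  error  // the original error from sops
}

func (e *DecryptHintError) Error() string {
	return fmt.Sprintf("sops_decrypt_file(%q) failed: %v\nHint: %s", e.Path, e.Err, e.Hint)
}

// Unwrap keeps the original error reachable via errors.Is / errors.As.
func (e *DecryptHintError) Unwrap() error { return e.Err }

// hintPatterns maps substrings of sops / AWS SDK error text to a hint.
// The first needle is the message quoted in this issue; the AWS SDK error
// codes below it are assumptions and are not taken from the issue.
var hintPatterns = []struct{ needle, hint string }{
	{"0 successful groups required, got 0",
		"SOPS could not obtain the data key from any key group. This is almost always a " +
			"credentials or permissions problem: check that cloud credentials are exported " +
			"(e.g. run inside your aws-vault wrapper or set AWS_PROFILE), that any required " +
			"VPN is connected, and that the KMS key policy grants this account/role kms:Decrypt."},
	{"NoCredentialProviders",
		"No AWS credentials were found in the environment or profile; run Terragrunt inside " +
			"your credential wrapper (e.g. aws-vault exec <profile> -- terragrunt ...)."},
	{"ExpiredToken",
		"The AWS session token has expired; refresh your credentials and retry."},
	{"AccessDeniedException",
		"AWS rejected the KMS call: the current identity is not allowed to use this key. " +
			"Check the key policy, cross-account sharing, and any IAM conditions (e.g. VPN/source IP)."},
	{"dial tcp",
		"The KMS endpoint could not be reached; check VPN/network connectivity."},
}

// HintFor returns the hint matching an error message, if any.
func HintFor(msg string) (string, bool) {
	for _, p := range hintPatterns {
		if strings.Contains(msg, p.needle) {
			return p.hint, true
		}
	}
	return "", false
}

// WrapDecryptError annotates err with a hint when the message is recognised,
// otherwise it returns a plain wrapped error. Nil in, nil out.
func WrapDecryptError(path string, err error) error {
	if err == nil {
		return nil
	}
	if hint, ok := HintFor(err.Error()); ok {
		return &DecryptHintError{Path: path, Hint: hint, Err: err}
	}
	return fmt.Errorf("sops_decrypt_file(%q) failed: %w", path, err)
}

func main() {
	// Constructed sample: the error text quoted in this issue.
	raw := errors.New("Error getting data key: 0 successful groups required, got 0")
	fmt.Println(WrapDecryptError("my-secrets.yml", raw))
}
```

Because the wrapper implements `Unwrap`, callers that already inspect the original error with `errors.Is`/`errors.As` keep working; only the text shown to the user gains the hint.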

@JeanFred JeanFred added the enhancement New feature or request label Apr 16, 2024
@ZachGoldberg ZachGoldberg added the terragrunt label Apr 18, 2024 — with Linear