Terragrunt: Inconsistent resolution of path in `sops_decrypt_file`

Created on 27 Aug 2020  路  1Comment  路  Source: gruntwork-io/terragrunt

Given the following block, when running terragrunt apply in the module directory the path resolves correctly and works, however running a terragrunt apply-all from the root directory fails:

locals {
  example = yamldecode(sops_decrypt_file("${path_relative_from_include()}/../../example/secrets.yaml"))
}

The resulting error when running terragrunt apply-all:

Call to function "sops_decrypt_file" failed: Failed to read "../../../../../../example/secrets.yaml": open ../../../../../../example/secrets.yaml: no such file or directory.

If I replace sops_decrypt_file(...) with a simple file(...) the apply works (albeit with encrypted values). There appears to be inconsistent resolution of the path between these two functions and/or an inconsistency between the former's implementation in apply and apply-all.

enhancement help wanted
Source
picture lukiffer
👍1

Most helpful comment

After a bit more debugging, it appears that sops_decrypt_file(...) expects a path relative to $PWD rather than relative to the location of the terragrunt.hcl. This isn't expected 鈥撀爀specially given the behaviour of file(...), and isn't documented.

Happy to contribute a documentation update if this is the intended behaviour, but I don't have the bandwidth to do a PR for changes to the functionality and corresponding tests. 馃槩

As a workaround, instead of using path_relative_from_include() I'm using a path relative of get_parent_terragrunt_dir() which isn't ideal in all scenarios, but works for this specific case.

picture lukiffer on 28 Aug 2020
👍3

>All comments

After a bit more debugging, it appears that sops_decrypt_file(...) expects a path relative to $PWD rather than relative to the location of the terragrunt.hcl. This isn't expected 鈥撀爀specially given the behaviour of file(...), and isn't documented.

Happy to contribute a documentation update if this is the intended behaviour, but I don't have the bandwidth to do a PR for changes to the functionality and corresponding tests. 馃槩

As a workaround, instead of using path_relative_from_include() I'm using a path relative of get_parent_terragrunt_dir() which isn't ideal in all scenarios, but works for this specific case.

lukiffer picture lukiffer on 28 Aug 2020
👍3
Was this page helpful?
0 / 5 - 0 ratings

Related issues

shaharmor picture shaharmor  路  3Comments
goseeped picture goseeped  路  3Comments
michelzanini picture michelzanini  路  3Comments
brikis98 picture brikis98  路  4Comments
mpkerr picture mpkerr  路  3Comments