Prevent sops from prompting for GPG key passphrase (fix)

cncsc · Jan 24, 2023 · 55da2e3 · 55da2e3
1 parent 94ea143
commit 55da2e3
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/.github/workflows/terragrunt-apply.yaml b/.github/workflows/terragrunt-apply.yaml
@@ -91,3 +91,5 @@ jobs:
         shell: bash
         env:
           GITHUB_TOKEN: ${{ secrets.GIT_TOKEN_BASIC }}
+          CI_BOT_GPG_KEY_PASSPHRASE: ${{ secrets.CI_BOT_GPG_KEY_PASSPHRASE }}
+          CI_BOT_GPG_KEY_SUBJECT: ${{ secrets.CI_BOT_GPG_KEY_SUBJECT }}
diff --git a/scripts/terraform/run-terragrunt-apply.sh b/scripts/terraform/run-terragrunt-apply.sh
@@ -3,6 +3,11 @@
 function main() {
   local -r base_directory="$1"
 
+  # Run a full encrypt/decrypt lifecycle to prevent sops from prompting for GPG key passphrase
+  echo "ENCRYPTION_TEST" | gpg --always-trust --encrypt --recipient "$CI_BOT_GPG_KEY_SUBJECT" > "temp.encrypted"
+  gpg --batch --yes --no-tty --decrypt --passphrase "$CI_BOT_GPG_KEY_PASSPHRASE" --pinentry-mode loopback --always-trust "temp.encrypted"
+  rm -f "temp.encrypted";
+
   # Initialize Terraform and upgrade provider/module references
   terragrunt run-all init -upgrade \
     --terragrunt-non-interactive \