From 55da2e3aa36a11c6f62625424ffa164b7a9247ec Mon Sep 17 00:00:00 2001
From: Luke Fritz
Date: Mon, 23 Jan 2023 23:28:44 -0600
Subject: [PATCH] Prevent sops from prompting for GPG key passphrase (fix)
---
 .github/workflows/terragrunt-apply.yaml | 2 ++
 scripts/terraform/run-terragrunt-apply.sh | 5 +++++
 2 files changed, 7 insertions(+)
diff --git a/.github/workflows/terragrunt-apply.yaml b/.github/workflows/terragrunt-apply.yaml
index eab1dd2..0d8a33d 100644
--- a/.github/workflows/terragrunt-apply.yaml
+++ b/.github/workflows/terragrunt-apply.yaml
@@ -91,3 +91,5 @@ jobs:
 shell: bash
 env:
 GITHUB_TOKEN: ${{ secrets.GIT_TOKEN_BASIC }}
+ CI_BOT_GPG_KEY_PASSPHRASE: ${{ secrets.CI_BOT_GPG_KEY_PASSPHRASE }}
+ CI_BOT_GPG_KEY_SUBJECT: ${{ secrets.CI_BOT_GPG_KEY_SUBJECT }}
diff --git a/scripts/terraform/run-terragrunt-apply.sh b/scripts/terraform/run-terragrunt-apply.sh
index 84ec56a..bd4eab9 100755
--- a/scripts/terraform/run-terragrunt-apply.sh
+++ b/scripts/terraform/run-terragrunt-apply.sh
@@ -3,6 +3,11 @@ function main() {
 local -r base_directory="$1"
+ # Run a full encrypt/decrypt lifecycle to prevent sops from prompting for GPG key passphrase
+ echo "ENCRYPTION_TEST" | gpg --always-trust --encrypt --recipient "$CI_BOT_GPG_KEY_SUBJECT" > "temp.encrypted"
+ gpg --batch --yes --no-tty --decrypt --passphrase "$CI_BOT_GPG_KEY_PASSPHRASE" --pinentry-mode loopback --always-trust "temp.encrypted"
+ rm -f "temp.encrypted";
+ # Initialize Terraform and upgrade provider/module references
 terragrunt run-all init -upgrade \
 --terragrunt-non-interactive \
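Review bot: The `CI_BOT_GPG_KEY_PASSPHRASE` line exports the key passphrase into the environment of the whole step, so every process the step spawns — presumably run-terragrunt-apply.sh and, through it, `terragrunt run-all init` and the terraform/provider binaries it starts — inherits the secret, not just the two gpg invocations that need it. The script in the second hunk also hands it to gpg as `--passphrase "$CI_BOT_GPG_KEY_PASSPHRASE"`, which exposes it in the runner's process table and in any `set -x` trace, whereas the env var it already has could be piped in instead: `printf '%s' "$CI_BOT_GPG_KEY_PASSPHRASE" | gpg --batch --yes --no-tty --pinentry-mode loopback --passphrase-fd 0 --always-trust --decrypt "temp.encrypted"`. To limit the exposure, either run the gpg warm-up as its own step that alone carries this `env`, or have the script `unset CI_BOT_GPG_KEY_PASSPHRASE` right after the decrypt and before `terragrunt` starts, assuming the gpg-agent cache is what sops relies on afterwards. `CI_BOT_GPG_KEY_SUBJECT` is a key identifier rather than a secret; keeping it under `secrets` masks it in job logs, which hides which recipient the warm-up encrypted to when it fails, so a plain repository variable would be clearer unless it is an address you deliberately want hidden.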