Digger-Cloud: Call to function "sops_decrypt_file" failed #1963

Open
@MAXxATTAXx

🚨 Describe the bug

Need help with the following error message when trying to use digger-cloud + Terragrunt and the sops_decrypt_file function. The error suggests that Digger is attempting to decrypt the content of my secrets, which is unexpected and concerning.

🔍 To Reproduce

Steps to reproduce the behavior:

  1. Configure digger.yml as follows:

    telemetry: false
    auto_merge: true
    auto_merge_strategy: squash
    pr_locks: true
    traverse_to_nested_projects: true
    generate_projects:
      blocks:
        - include: infrastructure/**
          terragrunt: true
          root_dir: infrastructure

  2. In your Terragrunt module, include and expose the common settings:

    include "root" {
      path = find_in_parent_folders("root.hcl")
    }
    
    include "provider" {
      path = find_in_parent_folders("provider.hcl")
    }
    
    include "common" {
      path = find_in_parent_folders("common.hcl")
      expose = true
    }
    
    terraform {
      source = "git::${include.common.locals.source_url}/${include.common.locals.auth_module_path}?ref=${include.common.locals.source_ref}"
    }

  3. Attempt to decode secrets into local variables:

    locals {
      secret_vars = yamldecode(sops_decrypt_file("${get_terragrunt_dir()}/secrets.enc.yaml"))
    }
    
    inputs = merge(
      local.secret_vars,
      {
        # ... some vars ...
      }
    )

  4. Run your Digger pipeline (digger-cloud + Terragrunt).

✅ Expected behavior

Digger-cloud reads the Terragrunt configuration and schedules the execution of GitHub Actions.

💥 Actual behavior

Digger fails parsing the configuration and fails to execute any pipeline with an error indicating it cannot obtain a data key for decryption:

❌ Error loading digger config: error loading digger.yml: error cloning and loading config failed to autogenerate digger_config, error during parse: /tmp/repo1742312139/infrastructure/xx/xx/xx/terragrunt.hcl:22,28-46: Error in function call; Call to function "sops_decrypt_file" failed: Error getting data key: 0 successful groups required, got 0.

🛠️ Environment

  • OS: [e.g. Ubuntu 24.04]
  • Digger version: [e.g. digger-cloud v0.6.102]
  • Terragrunt version: [e.g. v0.76.8]
  • Terraform version: [e.g. v1.10.5]

📋 Logs

    # Pipeline output snippet
    ❌ Error loading digger config: error loading digger.yml: error cloning and loading config failed to autogenerate digger_config, error during parse: /tmp/repo1742312139/infrastructure/xx/xx/xx/terragrunt.hcl:22,28-46: Error in function call; Call to function "sops_decrypt_file" failed: Error getting data key: 0 successful groups required, got 0.

💡 Possible Solution

From Slack user @motatoes

Hello! I think this is a current bug because the underlying terragrunt function we are using to evaluate hcl files is attempting to evaluate the locals and decrypt sops, but it doesn't have access to the key of course. Could you file an issue on github please so we can take a look on options to avoid sops decryption at this phase?

🕵️‍♂️ Additional context

  • secrets.enc.yaml is located alongside terragrunt.hcl and encrypted using a SOPS AGE key.
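
To see which files would trigger decryption during config parsing, the repository can be inventoried for `sops_decrypt_file` call sites before Digger runs. The script below is an added example, not part of the original report and not Digger or Terragrunt code. The names `strip_comments`, `find_calls` and `scan` are hypothetical, the sample is constructed, and heredoc strings are not handled.

```python
import re
import sys
from pathlib import Path

CALL = re.compile(r"\bsops_decrypt_file\s*\(")
def strip_comments(text):
    """Blank out HCL comments (#, //, /* */), keeping strings and line/column positions."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:  # copy string literals verbatim so "https://..." is not read as a comment
            width = 2 if c == "\\" else 1  # an escaped character never closes the string
            out.append(text[i:i + width])
            in_str = c != '"'
            i += width
        elif c == "#" or text.startswith(("//", "/*"), i):
            block = text.startswith("/*", i)
            end = text.find("*/", i + 2) if block else text.find("\n", i)
            end = n if end == -1 else end + (2 if block else 0)
            out.append(re.sub(r"[^\n]", " ", text[i:end]))  # keep newlines for line numbers
            i = end
        else:
            in_str = c == '"'
            out.append(c)
            i += 1
    return "".join(out)

def find_calls(text):
    """Return (line, column) of every sops_decrypt_file call outside comments (1-based)."""
    return [(no, m.start() + 1)
            for no, line in enumerate(strip_comments(text).splitlines(), 1)
            for m in CALL.finditer(line)]

def scan(root):
    """Map each *.hcl file under root (included files such as common.hcl too) to its call sites."""
    found = {str(p): find_calls(p.read_text(encoding="utf-8", errors="replace"))
             for p in sorted(Path(root).rglob("*.hcl"))}
    return {p: hits for p, hits in found.items() if hits}

# Constructed sample, modelled on the locals block in the report above.
SAMPLE = '''\
# secret_vars = yamldecode(sops_decrypt_file("old.yaml"))
locals {
  secret_vars = yamldecode(sops_decrypt_file("${get_terragrunt_dir()}/secrets.enc.yaml"))
}
'''

if __name__ == "__main__":
    print(scan(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with the repository root as the only argument; each reported file is one whose evaluation needs a decryption key.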
