
Unsupported encrypted state file format

include:
  - component: gitlab.com/components/opentofu/job-templates@main

fmt:
  stage: validate
  extends: [.opentofu:fmt]

validate:
  stage: validate
  environment: stg
  extends: [.opentofu:validate]

graph:
  stage: validate
  environment: stg
  extends: [.opentofu:graph]

test:
  stage: test
  environment: stg
  extends: [.opentofu:test]

The state file is encrypted with an encryption block.

terraform {
  encryption {
    key_provider "pbkdf2" "default" {
      passphrase = var.passphrase
    }

    method "aes_gcm" "default" {
      keys = key_provider.pbkdf2.default
    }

    state {
      method = method.aes_gcm.default
      enforced = true
    }

    plan {
      method = method.aes_gcm.default
      enforced = true
    }
  }
}

The http backend is enabled.

terraform {
  backend "http" {}
}

During initialization, the graph job can fetch the state and decrypt it successfully.

$ gitlab-tofu graph > "graph.dot"
Initializing the backend...
Successfully configured the backend "http"! OpenTofu will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Reusing previous version of hashicorp/random from the dependency lock file
- Reusing previous version of cloudflare/cloudflare from the dependency lock file
- Installing hashicorp/random v3.6.3...
- Installed hashicorp/random v3.6.3 (signed, key ID 0C0AF313E5FD9F80)
- Installing cloudflare/cloudflare v4.51.0...
- Installed cloudflare/cloudflare v4.51.0 (signed, key ID C76001609EE3B136)
Providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://opentofu.org/docs/cli/plugins/signing/
OpenTofu has made some changes to the provider dependency selections recorded
in the .terraform.lock.hcl file. Review those changes and commit them to your
version control system if they represent changes you intended to make.
OpenTofu has been successfully initialized!

However, the test and validate jobs cannot.

$ gitlab-tofu test
Error refreshing state: Unsupported state file format: This state file is encrypted and can not be read without an encryption configuration
$ gitlab-tofu validate
Error refreshing state: Unsupported state file format: This state file is encrypted and can not be read without an encryption configuration

│ Error: missing or corrupted provider plugins:
│   - registry.opentofu.org/cloudflare/cloudflare: the cached package for registry.opentofu.org/cloudflare/cloudflare 4.51.0 (in .terraform/providers) does not match any of the checksums recorded in the dependency lock file
│   - registry.opentofu.org/hashicorp/random: the cached package for registry.opentofu.org/hashicorp/random 3.6.3 (in .terraform/providers) does not match any of the checksums recorded in the dependency lock file


After some searching, I found that the backend is explicitly disabled in these two jobs. https://gitlab.com/components/opentofu/-/blob/main/src/gitlab-tofu.sh#L416-425

The passphrase is supplied through an environment variable and it works for graph.

How can I fix this error?
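A preflight check that the validate and test jobs could run before invoking tofu, as an added example that is not part of the OpenTofu component or of this report. It assumes the encrypted state JSON carries a top-level `encrypted_data` key (OpenTofu's encrypted state layout) and that `var.passphrase` is fed from `TF_VAR_passphrase`; the sample state files are constructed inline.

```shell
#!/bin/sh
# Added example (not from the OpenTofu component): fail early, with a clear
# reason, when a job is about to read an encrypted state without a usable
# passphrase, instead of hitting "Unsupported state file format" later.
# Assumptions: OpenTofu encrypted state has a top-level "encrypted_data" key;
# the passphrase reaches var.passphrase through TF_VAR_passphrase.

# Returns 0 when the given state file is an OpenTofu encrypted state.
state_is_encrypted() {
  [ -f "$1" ] && grep -q '"encrypted_data"' "$1"
}

# Returns 0 when the passphrase is present and long enough for the pbkdf2
# key provider (OpenTofu requires at least 16 characters).
passphrase_usable() {
  [ "${#1}" -ge 16 ]
}

# Decide whether a state-reading job (validate/test) may proceed.
# Returns 0 to proceed, 1 (with a message on stderr) to stop.
preflight() {
  state="$1"
  pass="$2"
  if state_is_encrypted "$state"; then
    if passphrase_usable "$pass"; then
      return 0
    fi
    echo "state $state is encrypted but no usable passphrase is set" >&2
    return 1
  fi
  return 0
}

# Constructed sample state files so the script runs stand-alone.
tmp="${TMPDIR:-/tmp}/tofu-preflight.$$"
mkdir -p "$tmp"
printf '{"version":4,"serial":3,"lineage":"abc","resources":[]}\n' > "$tmp/plain.tfstate"
printf '{"serial":3,"lineage":"abc","meta":{},"encrypted_data":"c29tZQ=="}\n' > "$tmp/enc.tfstate"

# Typical CI usage: preflight "$tmp/enc.tfstate" "${TF_VAR_passphrase:-}" || exit 1
```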