tfmask
AWS ECS Container definition environments do not get masked
Environment variables passed to AWS ECS container definition do not get masked
export TFMASK_CHAR="#"
export TFMASK_VALUES_REGEX="(?i)^.*[^a-zA-Z](oauth|password|pass_for_service|pass_|passwd|key|result|id).*$"
Actual
[2021-10-21T07:03:02Z] + resource "aws_ecs_task_definition" "main_task" {
--
| [2021-10-21T07:03:02Z] + arn = (known after apply)
| [2021-10-21T07:03:02Z] + container_definitions = jsonencode(
| [2021-10-21T07:03:02Z] [
| [2021-10-21T07:03:02Z] + {
| [2021-10-21T07:03:02Z] + cpu = 192
| [2021-10-21T07:03:02Z] + environment = [
| [2021-10-21T07:03:02Z] + {
| [2021-10-21T07:03:02Z] + name = "ENVIRONMENT"
| [2021-10-21T07:03:02Z] + value = "sandpit"
| [2021-10-21T07:03:02Z] },
| [2021-10-21T07:03:02Z] + {
| [2021-10-21T07:03:02Z] + name = "PASS_FOR_SERVICE"
| [2021-10-21T07:03:02Z] + value = "abkjcdksj3892jjw"
| [2021-10-21T07:03:02Z] },
| [2021-10-21T07:03:02Z] ]
...
Expected
[2021-10-21T07:03:02Z] + resource "aws_ecs_task_definition" "main_task" {
--
| [2021-10-21T07:03:02Z] + arn = (known after apply)
| [2021-10-21T07:03:02Z] + container_definitions = jsonencode(
| [2021-10-21T07:03:02Z] [
| [2021-10-21T07:03:02Z] + {
| [2021-10-21T07:03:02Z] + cpu = 192
| [2021-10-21T07:03:02Z] + environment = [
| [2021-10-21T07:03:02Z] + {
| [2021-10-21T07:03:02Z] + name = "ENVIRONMENT"
| [2021-10-21T07:03:02Z] + value = "sandpit"
| [2021-10-21T07:03:02Z] },
| [2021-10-21T07:03:02Z] + {
| [2021-10-21T07:03:02Z] + name = "PASS_FOR_SERVICE"
| [2021-10-21T07:03:02Z] + value = "#################"
| [2021-10-21T07:03:02Z] },
| [2021-10-21T07:03:02Z] ]
...
I am using the latest version of tfmask
Have you tried with the Terraform -no-color option?
Hi, I am also getting a similar issue. I am trying to test with kubectl manifest, but tfmask is not working.
Without tfmask
Terraform will perform the following actions:
# kubectl_manifest.test will be updated in-place
~ resource "kubectl_manifest" "test" {
id = "/api/v1/namespaces/default/configmaps/vishnu-test-demo"
name = "vishnu-test-demo"
~ yaml_body = (sensitive value)
~ yaml_body_parsed = <<-EOT
apiVersion: v1
data:
- password: ijMmsd1piZwz
+ password: ijMms1piZwz_paa
kind: ConfigMap
metadata:
name: vishnu-test-demo
EOT
# (12 unchanged attributes hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
With tfmask
Terraform will perform the following actions:
# kubectl_manifest.test will be updated in-place
~ resource "kubectl_manifest" "test" {
id = "######################################################"
name = "vishnu-test-demo"
~ yaml_body = (sensitive value)
~ yaml_body_parsed = <<-EOT
apiVersion: v1
data:
- password: ijMmsd1piZwz
+ password: ijMms1piZwz_paa
kind: ConfigMap
metadata:
name: vishnu-test-demo
EOT
# (12 unchanged attributes hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
My env params:
export TFMASK_CHAR="#"
export TFMASK_VALUES_REGEX="(?i)^.*(oauth|secret|token|password|key|result|id).*$"
Command:
terraform plan -var-file=staging.tfvars -no-color | tfmask
I expected it to also mask the password section.
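An added example, not part of the thread and not tfmask's own code: in both plans above the secret does not sit on a `key = "value"` line whose key contains a keyword (ECS puts `name` and `value` on separate lines, and the heredoc uses `password: ...`). The sketch below is a stateful filter for those two shapes; the keyword list, the function name `mask_plan` and the sample are assumptions constructed for illustration.

```python
import re
import sys

# Assumption: keyword list modelled on the TFMASK_VALUES_REGEX values in this thread.
SENSITIVE = re.compile(r"(?i)(oauth|secret|token|password|passwd|pass_)")
MASK_CHAR = "#"

# ECS shape: `name = "PASS_FOR_SERVICE"` on one line, `value = "..."` on a later one.
NAME_LINE = re.compile(r'^.*\bname\s*=\s*"(?P<name>[^"]*)"')
VALUE_LINE = re.compile(r'^(?P<pre>.*\bvalue\s*=\s*")(?P<val>[^"]*)(?P<post>".*)$')
# Heredoc shape: `- password: xyz` (YAML inside yaml_body_parsed).
YAML_LINE = re.compile(r'^(?P<pre>.*?\b(?P<key>[A-Za-z_][\w-]*):\s+)(?P<val>\S.*)$')

# Constructed sample, built from plan lines quoted in this thread.
SAMPLE = """\
| [2021-10-21T07:03:02Z] + name = "ENVIRONMENT"
| [2021-10-21T07:03:02Z] + value = "sandpit"
| [2021-10-21T07:03:02Z] + name = "PASS_FOR_SERVICE"
| [2021-10-21T07:03:02Z] + value = "abkjcdksj3892jjw"
name = "vishnu-test-demo"
- password: ijMmsd1piZwz
+ password: ijMms1piZwz_paa
kind: ConfigMap
"""


def mask_plan(lines):
    """Yield plan lines with values masked for both shapes above."""
    pending = False  # True after a `name = "..."` line whose name looks sensitive
    for raw in lines:
        line = raw.rstrip("\n")
        name = NAME_LINE.match(line)
        value = VALUE_LINE.match(line)
        yaml = YAML_LINE.match(line)
        if name:
            pending = bool(SENSITIVE.search(name["name"]))
        elif value and pending:
            pending = False
            line = value["pre"] + MASK_CHAR * len(value["val"]) + value["post"]
        elif yaml and SENSITIVE.search(yaml["key"]):
            line = yaml["pre"] + MASK_CHAR * len(yaml["val"])
        yield line


if __name__ == "__main__":
    # Filter stdin when piped; otherwise show the constructed sample.
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for masked in mask_plan(source):
        print(masked)
```

The filter is line-based and heuristic, so a secret stored under a name that matches none of the keywords still passes through unmasked.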