
action dflook/terraform-plan doesn't mask sensitive variables when adding comments to the PR

Open GiuseppeChiesa-TomTom opened this issue 3 years ago • 8 comments

I've noticed that when the add_github_comment is true, the variables reported in the comment on the Pull Request might contain sensitive data.

I think the action should mask the variables that are considered sensitive by Terraform.

GiuseppeChiesa-TomTom avatar Nov 19 '21 15:11 GiuseppeChiesa-TomTom

Yes, this is planned soon. This is noted in the docs. If you set a label, then the variables won't be shown in the comment.

dflook avatar Nov 19 '21 17:11 dflook

Just ran into this myself for the first time :)

I much prefer the layout of the comments when a label is not set.

e.g.

nice and clear what exactly the plan is based on: [image]

missing important info in my opinion: [image]

Ideal for me we would have the no-label layout with anything either marked sensitive in the terraform config or coming from a github secret masked?

erzz avatar Jan 17 '22 14:01 erzz

> Yes, this is planned soon. This is noted in the docs. If you set a label, then the variables won't be shown in the comment.

@dflook I could find the reference in the documentation but I'm afraid I have no idea what this means ... could you give an example on how to modify the below such that the content of secret is not visible in the PR comment?

... snip ...
    - name: Terraform Plan
      uses: dflook/[email protected]
      id: terraform-plan
      with:
        path: .github/_scratch/xxxxxxxxxxx
        # block scalar content must be indented deeper than the `variables` key
        variables: |-
          name =  "some value"
          secret = "${{ secrets.MY_SECRET_VALUE }}"
... snip ...

JelleSmet-TomTom avatar May 10 '22 13:05 JelleSmet-TomTom

Hi @JelleSmet-TomTom, it would look something like this:

    - name: Terraform Plan
      uses: dflook/[email protected]
      id: terraform-plan
      with:
        label: production
        path: .github/_scratch/xxxxxxxxxxx
        # block scalar content must be indented deeper than the `variables` key
        variables: |-
          name =  "some value"
          secret = "${{ secrets.MY_SECRET_VALUE }}"

where the label is whatever makes sense for that plan. It should be the same in the dflook/terraform-apply step, if there is one.

dflook avatar May 10 '22 16:05 dflook

Oh ok, I'll try this out tomorrow. It's somewhat odd/not intuitive that this cause & effect exists. Thanks @dflook for the project & support.

JelleSmet-TomTom avatar May 11 '22 07:05 JelleSmet-TomTom

Hi @dflook I'm afraid I can't seem to achieve that by setting a label value?

So to summarize and to check if I understood the behavior correctly:

Terraform variables which have the sensitive property set will have their value masked in the pull request comment added by the dflook action once a random value is assigned to the label parameter of the dflook/terraform-plan and dflook/terraform-apply actions.

edit: it seems the moment I set label the complete variables section is missing from the PR comment?

JelleSmet-TomTom avatar May 12 '22 09:05 JelleSmet-TomTom

There is no masking at all at the moment. Without a label, the comment contains the variables. With a label, the comment contains only the label.

dflook avatar May 12 '22 12:05 dflook

OK, got it... thank you so much for clarifying!

JelleSmet-TomTom avatar May 12 '22 12:05 JelleSmet-TomTom

v1.31.0 has been released, which masks sensitive variables in the PR comment.

dflook avatar Nov 22 '22 23:11 dflook
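A defender-side check drawn from the behaviour described in this thread, as an added example that is not part of the issue or of the action's own code: it scans a workflow for dflook/terraform-plan or dflook/terraform-apply steps that pass `${{ secrets.* }}` through `variables` with no `label` set, the combination that echoed secret values into the PR comment before v1.31.0. The sample workflow is constructed, and the `@v1` ref and the line-oriented step splitting (no YAML library) are assumptions.

```python
import re

# Constructed sample workflow excerpt (not from the original thread): the
# first step feeds a GitHub secret into `variables` with no `label` set.
SAMPLE_WORKFLOW = """\
steps:
  - name: Terraform Plan
    uses: dflook/terraform-plan@v1
    with:
      path: infra
      variables: |-
        name = "some value"
        secret = "${{ secrets.MY_SECRET_VALUE }}"
  - name: Terraform Plan (labelled)
    uses: dflook/terraform-plan@v1
    with:
      label: production
      path: infra
      variables: |-
        secret = "${{ secrets.MY_SECRET_VALUE }}"
"""

# Steps of these actions put variables into the PR comment when no label is set.
ACTIONS = ("dflook/terraform-plan", "dflook/terraform-apply")

def split_steps(workflow):
    """Group lines into steps, using the '- ' list marker as the boundary."""
    steps, current = [], []
    for line in workflow.splitlines():
        if re.match(r"^\s*-\s", line) and current:
            steps.append(current)
            current = []
        current.append(line)
    if current:
        steps.append(current)
    return steps

def find_unlabelled_secret_steps(workflow):
    """Names of dflook plan/apply steps whose `variables` reference a GitHub
    secret without a `label`: before v1.31.0 the PR comment echoes that value."""
    findings = []
    for step in split_steps(workflow):
        text = "\n".join(step)
        if not any(action in text for action in ACTIONS):
            continue
        uses_secret = "${{ secrets." in text
        has_label = re.search(r"^\s*label:\s*\S", text, re.M) is not None
        if uses_secret and not has_label:
            m = re.search(r"^\s*-\s*name:\s*(.+)$", text, re.M)
            findings.append(m.group(1).strip() if m else "<unnamed step>")
    return findings
```

Run it over each workflow file under `.github/workflows/`; any step it names should either get a `label` or be moved to a release that masks sensitive variables.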