terraform-github-actions
                        Sensitive variables
Suggestion
Would it be possible to make the masking of sensitive variables a configurable value for terraform-plan?
Hello @salarali, what do you mean? Are you seeing sensitive variables that are not being masked, or are you seeing masked variables but would prefer to see the value?
The latter. I need to compare the plan output manually and am unable to do so because of the masking.
Where do you see the masking?
- In the terraform plan (either the workflow log or the PR comment) masking is controlled by terraform
- In plan variables in the PR comment
- Elsewhere in the workflow log?
Mostly looking at the PR comment. It looks something like this:
  + resource "sdm_account_attachment" "this" {
      + account_id = (known after apply)
      + id         = (known after apply)
      + role_id    = "******************"
    }
Oh, it seems I misunderstood the question. I am not using any variables. I am just running terraform plan. And in the above comment, that is one of the outputs I see from the plan. role_id is getting masked somehow by the plan.
The provider I am using is https://registry.terraform.io/providers/strongdm/sdm/latest/docs
And the resource is sdm_account_attachment
I also see it for other providers:
  + resource "aws_route53_record" "url" {
      + allow_overwrite = (known after apply)
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "url.url"
      + records         = (known after apply)
      + ttl             = 300
      + type            = "A"
      + zone_id         = "*********************"
    }
What version of terraform are you using?
1.4.6
I think this is coming from tfmask, which gets run on any plan output. This has been in place for a long time, since before providers (and terraform) got better at masking sensitive values themselves. I'd quite like to get rid of it, but I think it's still doing some useful masking.
It will mask any attribute with id in the name by default. Can you try adding this environment variable to your workflow, which should stop it from masking id attributes:
env:
  TFMASK_VALUES_REGEX: "(?i)^.*[^a-zA-Z](oauth|secret|token|password|key|result).*$"
Let me know if that stops your ids from getting masked.
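The masking behaviour described above, as an added Python illustration that is not tfmask's or the action's own code: it matches each plan attribute name against a tfmask-style values regex and blanks the quoted value. The default pattern (the thread's regex with `id` appended), the length-preserving mask and the sample plan are assumptions constructed for this example.

```python
import re

# Regex suggested in the thread: drops "id" from the list of attribute names to mask.
THREAD_REGEX = r"(?i)^.*[^a-zA-Z](oauth|secret|token|password|key|result).*$"
# Assumed tfmask-style default: the same list with "id" appended, which is what
# caused role_id and zone_id to be masked in the plan comments above.
DEFAULT_REGEX = r"(?i)^.*[^a-zA-Z](oauth|secret|token|password|key|result|id).*$"

# A Terraform 0.12+ plan attribute line: optional change marker, name, "=", value.
ATTR_LINE = re.compile(r'^(\s*[+~-]?\s*)([A-Za-z0-9_.%-]+)(\s*=\s*)(.*)$')
# Every double-quoted string in the value part (covers `"old" -> "new"` updates too).
QUOTED = re.compile(r'"([^"]*)"')


def mask_plan(plan: str, values_regex: str = DEFAULT_REGEX, mask_char: str = "*") -> str:
    """Return the plan text with quoted values of matching attributes replaced by mask_char.

    Unquoted values such as `(known after apply)` or numbers are left untouched, so only
    literal strings that Terraform itself did not redact are affected.
    """
    names = re.compile(values_regex)
    out = []
    for line in plan.splitlines():
        m = ATTR_LINE.match(line)
        if m and names.match(m.group(2)):
            prefix, name, eq, value = m.groups()
            # Mask each quoted string but keep its length (assumption, for readability).
            value = QUOTED.sub(lambda q: '"' + mask_char * len(q.group(1)) + '"', value)
            line = f"{prefix}{name}{eq}{value}"
        out.append(line)
    return "\n".join(out)


# Constructed sample plan fragment modelled on the aws_route53_record output above.
PLAN = """\
  + resource "aws_route53_record" "url" {
      + id              = (known after apply)
      + name            = "url.url"
      + ttl             = 300
      + zone_id         = "Z0123456789ABCDEFGHIJ"
    }"""

if __name__ == "__main__":
    print("--- default (id masked) ---")
    print(mask_plan(PLAN))
    print("--- TFMASK_VALUES_REGEX from the thread (id visible) ---")
    print(mask_plan(PLAN, THREAD_REGEX))
```

With the default pattern `zone_id` comes out as 21 asterisks while `name` and the unquoted `id` line are unchanged; with the thread's regex the zone id is printed in clear but an attribute such as `db_password` is still masked.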
That seems to be working. Thanks for pointing me in the correct direction. In the end, if it doesn't work, I can just use tfmask for my own runs as well to make sure it's the same output as the github action.
It would be great if this is a configurable option though.
@dflook we are passing some github environment secrets to the github action, will tfmask also hide these?
variables: |
  aws_assume_role="${{ secrets.AWS_ASSUME_ROLE }}"
  aws_account="${{ secrets.AWS_ACCOUNT }}"
If the variables are defined to be 'sensitive=true' they will be masked both by terraform and anywhere the sensitive values appear in the workflow log.
All actions environment secrets are masked in the workflow log also.
tfmask is doing extra masking on top of this.
Just to clarify, is this how to set a sensitive variable?
variables: |
  aws_assume_role="${{ secrets.AWS_ASSUME_ROLE }}"
  aws_account="${{ secrets.AWS_ACCOUNT }}"
  sensitive=true
You would set it where the variable is defined, e.g. in a variables.tf file:
variable "aws_account" {
  type      = string
  sensitive = true
}
More details are here