Error message expose API token

[pierresebastien]

Terraform Version

Terraform v1.5.6 on linux_amd64

Affected Resource(s)

• sonarqube_user_external_identity (not tested with other resources)

Terraform Configuration Files

resource "sonarqube_user" "john_doe" {
  login_name = "gitlab-john-doe"
  name       = "John Doe"
  email      = "[email protected]"
  is_local   = false
}

resource "sonarqube_user_external_identity" "john_doe" {
  login_name        = sonarqube_user.john_doe.login_name
  external_identity = "john-doe"
  external_provider = "gitlab"
}

Expected Behavior

Show me an error without exposing sensitive data.

Actual Behavior

The API token used by the provider is exposed in the logs. Example : Error updating SonarQube user: failed to execute http request: POST https://squ_0000000000000000000000000000000000000000:@sonarqube.example.com/api/users/update_identity_provider?login=gitlab-john-doe&newExternalIdentity=john-doe&newExternalProvider=gitlab giving up after 5 attempt(s). Request: &{0xab1940 0xc00021c600}

Steps to Reproduce

2. terraform apply

With the current behavior, the token used to connect to my self-hosted SonarQube instance is displayed in my CI/CD logs and so other people having read access to my GitLab repository could use it to gain more access to SonarQube.

[agaillar]

We had the same problem when trying to configure permissions and groups.... The application was not available (error 502), and the credentials were included in the logs.

[lkwg82]

A workaround until solved can be

(GNU sed)

terraform apply 2>&1 | sed -e 's/\(http request: GET https\?:\/\/\)[^@]*/\1***/g'

⚠️ plz check with an invalid host in ur environment