
Sensitive variables #266

Open
salarali opened this issue May 30, 2023 · 15 comments
Labels
enhancement New feature or request

Comments

@salarali

Suggestion

Would it be possible to make the masking of sensitive variables a configurable value for terraform-plan?

@salarali salarali added the enhancement New feature or request label May 30, 2023
@dflook
Owner

dflook commented May 30, 2023

Hello @salarali, what do you mean? Are you seeing sensitive variables that are not being masked, or are you seeing masked variables but would prefer to see the value?

@salarali
Author

salarali commented May 30, 2023

The latter. I need to compare the plan output manually and am unable to do so because of the masking.

@dflook
Owner

dflook commented May 30, 2023

Where do you see the masking?

  • In the terraform plan (either the workflow log or the PR comment) masking is controlled by terraform
  • In plan variables in the PR comment
  • Elsewhere in the workflow log?

@salarali
Author

salarali commented May 30, 2023

Mostly looking at the PR comment. It looks something like this:

  + resource "sdm_account_attachment" "this" {
      + account_id = (known after apply)
      + id         = (known after apply)
      + role_id    = "******************"
    }

@salarali
Author

Oh, it seems I misunderstood the questions. I am not using any variables. I am just running terraform plan. And in the above comment, that is one of the outputs I see from the plan. role_id is getting masked somehow by the plan.

@salarali
Author

The provider I am using is https://registry.terraform.io/providers/strongdm/sdm/latest/docs

And the resource is sdm_account_attachment

@salarali
Author

I also see it for other providers:

  + resource "aws_route53_record" "url" {
      + allow_overwrite = (known after apply)
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "url.url"
      + records         = (known after apply)
      + ttl             = 300
      + type            = "A"
      + zone_id         = "*********************"
    }

@dflook
Owner

dflook commented May 30, 2023

What version of terraform are you using?

@salarali
Author

1.4.6

@dflook
Owner

dflook commented May 30, 2023

I think this is coming from tfmask, which gets run on any plan output.
This has been in place for a long time, since before providers (and terraform) got better at masking sensitive values themselves. I'd quite like to get rid of it, but I think it's still doing some useful masking.

It will mask any attribute with id in the name by default. Can you try adding this environment variable to your workflow, which should stop it from masking id attributes:

env:
  # keep masking secret-like attributes, but drop "id" from the default list
  TFMASK_VALUES_REGEX: "(?i)^.*[^a-zA-Z](oauth|secret|token|password|key|result).*$"

Let me know if that stops your ids from getting masked.
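
An added illustration (not tfmask's code or this action's) of the behaviour described above: a small Python re-implementation of the TFMASK_VALUES_REGEX rule, run over the aws_route53_record plan lines from this thread. It assumes the default regex is the suggested override plus `id`, and that the regex is tested against the attribute name rather than the whole plan line; both are assumptions, since the page does not quote tfmask itself.

```python
import re

# Assumed default: the override regex from the thread plus "id", reproducing the
# "masks any attribute with id in the name" behaviour described in the thread.
# tfmask's real default is not quoted on this page.
DEFAULT_REGEX = r"(?i)^.*[^a-zA-Z](oauth|secret|token|password|key|result|id).*$"
# The override dflook suggested: the same list without "id".
OVERRIDE_REGEX = r"(?i)^.*[^a-zA-Z](oauth|secret|token|password|key|result).*$"

# A plan attribute line with a quoted literal value, e.g.
#   + role_id    = "abc"   -> groups: prefix, name, " = ", value, rest
# "(known after apply)" and unquoted numbers never match, so they stay visible.
ATTR_LINE = re.compile(r'^(\s*[+~-]?\s*)([A-Za-z0-9_]+)(\s*=\s*)"([^"]*)"(.*)$')


def mask_plan(lines, values_regex=DEFAULT_REGEX):
    """Mask the quoted value of every attribute whose name matches values_regex.

    Testing the attribute name (not the whole line) is an assumption about tfmask.
    """
    name_matches = re.compile(values_regex).match
    out = []
    for line in lines:
        m = ATTR_LINE.match(line)
        if m and name_matches(m.group(2)):
            prefix, name, eq, value, rest = m.groups()
            line = f'{prefix}{name}{eq}"{"*" * len(value)}"{rest}'
        out.append(line)
    return out


# Constructed sample: the aws_route53_record block from the thread plus a
# deliberately secret-like attribute, to show what the override must keep masking.
SAMPLE_PLAN = [
    '  + resource "aws_route53_record" "url" {',
    '      + name            = "url.url"',
    '      + ttl             = 300',
    '      + type            = "A"',
    '      + zone_id         = "Z0123456789ABCDEFGHIJ"',
    '      + db_password     = "hunter2"',
    '    }',
]

if __name__ == "__main__":
    print("\n".join(mask_plan(SAMPLE_PLAN)))
    print("--- with the TFMASK_VALUES_REGEX override ---")
    print("\n".join(mask_plan(SAMPLE_PLAN, OVERRIDE_REGEX)))
```

With the default regex zone_id is replaced by 21 asterisks, exactly as in the comment above; with the override it is shown in clear while db_password stays masked.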

@salarali
Author

salarali commented May 30, 2023

That seems to be working. Thanks for pointing me in the correct direction. In the end, if it doesn't work, I can just use tfmask for my own runs as well to make sure it's the same output as the GitHub action.

It would be great if this is a configurable option though.

@rcclemente

I think this is coming from tfmask, which gets run on any plan output. This has been in place for a long time, since before providers (and terraform) got better at masking sensitive values themselves. I'd quite like to get rid of it, but I think it's still doing some useful masking.

It will mask any attribute with id in the name by default. Can you try adding this environment variable to your workflow, which should stop it from masking id attributes:

env:
  # keep masking secret-like attributes, but drop "id" from the default list
  TFMASK_VALUES_REGEX: "(?i)^.*[^a-zA-Z](oauth|secret|token|password|key|result).*$"

Let me know if that stops your ids from getting masked.

@dflook
We are passing some GitHub environment secrets to the GitHub action; will tfmask also hide these?

variables: |
            aws_assume_role="${{ secrets.AWS_ASSUME_ROLE }}"
            aws_account="${{ secrets.AWS_ACCOUNT }}"

@dflook
Owner

dflook commented Jun 6, 2023

If the variables are defined to be 'sensitive=true' they will be masked both by terraform and anywhere the sensitive values appear in the workflow log.

All actions environment secrets are masked in the workflow log also.

tfmask is doing extra masking on top of this.

@rcclemente

Just to clarify, is this how to set a sensitive variable?

variables: |
            aws_assume_role="${{ secrets.AWS_ASSUME_ROLE }}"
            aws_account="${{ secrets.AWS_ACCOUNT }}"
            sensitive=true

@dflook
Owner

dflook commented Jun 8, 2023

You would set it where the variable is defined, e.g. in a variables.tf file:

variable "aws_account" {
  type      = string
  sensitive = true
}

More details are here
