Open kavya498 opened 2 years ago
The request and response bodies in KeyProtect mostly contain sensitive information that should never be in logs, so probably not.
The risk of accidentally exposing encryption keys by someone setting TF_LOG because they are looking at some other plugin's requests is one obvious example I can think of.
The client does provide a config option to dump only certain parts of requests with the Verbose field on the client configuration.
See https://github.com/IBM/keyprotect-go-client/blob/master/kp.go#L79 and https://github.com/IBM/keyprotect-go-client/blob/master/kp.go#L49
It appears this is busted and still disabled from a previous issue where customer keys were accidentally being logged...
Please let me know what specifically in the request / responses you would like to log.
Also, there is always the possibility of passing in your own Transport or RoundTripper object to replace the default, which could intercept traffic obviously. I would caution that we have had a lot of issues with exposed sensitive information in logs recently, and still think it's best to avoid logging any body data.
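The RoundTripper approach mentioned in the comment above, written so that it logs request metadata only and never reads a body. This is an added example, not code from this thread or from the KeyProtect client; `MetadataLogger`, `stubTransport`, `RunDemo`, the host name and the key and token values are all constructed for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// MetadataLogger wraps a RoundTripper and logs metadata only. It never reads
// req.Body or resp.Body and never logs headers such as Authorization.
type MetadataLogger struct {
	Next http.RoundTripper
	Log  func(line string)
}

func (m MetadataLogger) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := m.Next.RoundTrip(req)
	if err != nil {
		m.Log(fmt.Sprintf("%s %s failed", req.Method, req.URL.Path))
		return resp, err
	}
	// URL.Path omits the query string, which can also carry sensitive values.
	m.Log(fmt.Sprintf("%s %s -> %d", req.Method, req.URL.Path, resp.StatusCode))
	return resp, nil
}

// stubTransport is a constructed stand-in for the service so this runs offline.
type stubTransport struct{}

func (stubTransport) RoundTrip(*http.Request) (*http.Response, error) {
	body := io.NopCloser(strings.NewReader(`{"payload":"CONSTRUCTED-KEY"}`))
	return &http.Response{StatusCode: 201, Body: body}, nil
}

// RunDemo sends one constructed request and returns the captured log lines.
func RunDemo() ([]string, error) {
	var lines []string
	c := &http.Client{Transport: MetadataLogger{Next: stubTransport{},
		Log: func(l string) { lines = append(lines, l) }}}
	req, _ := http.NewRequest("POST", "https://kp.example.invalid/api/v2/keys?q=1",
		strings.NewReader(`{"payload":"CONSTRUCTED-KEY"}`))
	req.Header.Set("Authorization", "Bearer CONSTRUCTED-TOKEN")
	resp, err := c.Do(req)
	if err == nil {
		resp.Body.Close()
	}
	return lines, err
}

func main() { fmt.Println(RunDemo()) }
```

Because the wrapper leaves both bodies untouched, the caller still receives the full response while the log carries only method, path and status.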
TF Provider Ref: https://github.com/IBM-Cloud/terraform-provider-ibm/blob/master/ibm/config.go#L2635
Other SDK references: https://github.com/IBM/go-sdk-core/blob/main/v5/core/log.go#L167
We would want KP-client also to have similar behaviour.
Thanks..