dflook / terraform-github-actions

GitHub actions for terraform

Sensitive variables #266

Open salarali opened 1 year ago

salarali commented 1 year ago

Suggestion

Would it be possible to make the masking of sensitive variables a configurable value for terraform-plan?

dflook commented 1 year ago

Hello @salarali, what do you mean? Are you seeing sensitive variables that are not being masked, or are you seeing masked variables but would prefer to see the value?

salarali commented 1 year ago

The latter. I need to compare the plan output manually and am unable to do so because of the masking.

dflook commented 1 year ago

Where do you see the masking?

salarali commented 1 year ago

Mostly looking at the PR comment. It looks something like this:

  + resource "sdm_account_attachment" "this" {
      + account_id = (known after apply)
      + id         = (known after apply)
      + role_id    = "******************"
    }

salarali commented 1 year ago

Oh, it seems I misunderstood the questions. I am not using any variables. I am just running terraform plan. And in the above comment, that is one of the outputs I see from the plan. role_id is getting masked somehow by the plan.

salarali commented 1 year ago

The provider I am using is https://registry.terraform.io/providers/strongdm/sdm/latest/docs

And the resource is sdm_account_attachment

salarali commented 1 year ago

I also see it for other providers:

  + resource "aws_route53_record" "url" {
      + allow_overwrite = (known after apply)
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "url.url"
      + records         = (known after apply)
      + ttl             = 300
      + type            = "A"
      + zone_id         = "*********************"
    }

dflook commented 1 year ago

What version of terraform are you using?

salarali commented 1 year ago

1.4.6

dflook commented 1 year ago

I think this is coming from tfmask, which gets run on any plan output. This has been in place for a long time, since before providers (and terraform) got better at masking sensitive values themselves. I'd quite like to get rid of it, but I think it's still doing some useful masking.

It will mask any attribute with id in the name by default. Can you try adding this environment variable to your workflow, which should stop it from masking id attributes:

env:
  TFMASK_VALUES_REGEX: "(?i)^.*[^a-zA-Z](oauth|secret|token|password|key|result).*$"

Let me know if that stops your ids from getting masked.
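
To make the effect of that pattern concrete, here is a small added example (not code from this action or from tfmask itself) that re-implements the attribute-name masking the thread describes: string values on plan lines are replaced with asterisks when the attribute name matches the configured regex, and unquoted values such as `(known after apply)` are left alone. It assumes tfmask's default pattern is the suggested one with `id` appended as a further alternative, which is what causes `role_id` and `zone_id` to be masked; the sample plan lines and their values are constructed for the example.

```python
import re

# Constructed sample plan fragment, modelled on the output quoted in this issue
# (the values are made up; "Z0123456789EXAMPLE" is not a real zone id).
SAMPLE_PLAN = """\
  + resource "aws_route53_record" "url" {
      + allow_overwrite = (known after apply)
      + id              = (known after apply)
      + name            = "url.url"
      + ttl             = 300
      + type            = "A"
      + zone_id         = "Z0123456789EXAMPLE"
      + api_key         = "not-a-real-key"
    }
"""

# Assumption: tfmask's default attribute-name pattern is the one suggested in the
# thread plus "id" as a final alternative, which is what masks role_id / zone_id.
DEFAULT_VALUES_REGEX = r"(?i)^.*[^a-zA-Z](oauth|secret|token|password|key|result|id).*$"

# The pattern dflook suggests setting in the workflow: the same list without "id".
NO_ID_VALUES_REGEX = r"(?i)^.*[^a-zA-Z](oauth|secret|token|password|key|result).*$"

# One plan attribute line whose value is a double-quoted string.  Unquoted values
# such as (known after apply) or 300 are left untouched, matching the thread's output.
ATTR_LINE = re.compile(
    r'^(?P<prefix>\s*[+~-]?\s*)(?P<name>[\w.]+)(?P<pad>\s*=\s*)'
    r'"(?P<value>[^"]*)"(?P<rest>.*)$'
)


def _mask_line(line, name_re):
    """Return (attribute name or None, possibly masked line)."""
    m = ATTR_LINE.match(line)
    if not m or not name_re.match(m.group("name")):
        return None, line
    # Replace the value with the same number of asterisks, keeping alignment.
    masked = "*" * len(m.group("value"))
    return m.group("name"), (
        f'{m.group("prefix")}{m.group("name")}{m.group("pad")}"{masked}"{m.group("rest")}'
    )


def mask_plan(plan_text, values_regex):
    """Mask string values of attributes whose name matches values_regex."""
    name_re = re.compile(values_regex)
    return "\n".join(_mask_line(line, name_re)[1] for line in plan_text.splitlines())


def masked_attributes(plan_text, values_regex):
    """Names of the attributes that mask_plan would mask, in plan order."""
    name_re = re.compile(values_regex)
    names = [_mask_line(line, name_re)[0] for line in plan_text.splitlines()]
    return [n for n in names if n is not None]


if __name__ == "__main__":
    print("default pattern masks:", masked_attributes(SAMPLE_PLAN, DEFAULT_VALUES_REGEX))
    print("without 'id' masks:   ", masked_attributes(SAMPLE_PLAN, NO_ID_VALUES_REGEX))
    print(mask_plan(SAMPLE_PLAN, NO_ID_VALUES_REGEX))
```

Running it shows the trade-off in the thread: with `id` in the pattern both `zone_id` and `api_key` are masked, while the suggested pattern leaves `zone_id` readable but still masks `api_key`. Note that the `[^a-zA-Z]` before the keyword means a bare attribute called `id` does not match on its name at all; it is the `_id` suffix that triggers masking.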

salarali commented 1 year ago

That seems to be working. Thanks for pointing me in the correct direction. In the end, if it doesn't work, I can just use tfmask for my own runs as well to make sure it's the same output as the github action.

It would be great if this is a configurable option though.

rcclemente commented 1 year ago

> I think this is coming from tfmask, which gets run on any plan output. This has been in place for a long time, since before providers (and terraform) got better at masking sensitive values themselves. I'd quite like to get rid of it, but I think it's still doing some useful masking.
>
> It will mask any attribute with id in the name by default. Can you try adding this environment variable to your workflow, which should stop it from masking id attributes:
>
> env:
>   TFMASK_VALUES_REGEX: "(?i)^.*[^a-zA-Z](oauth|secret|token|password|key|result).*$"
>
> Let me know if that stops your ids from getting masked.

@dflook we are passing some github environment secrets to the github action, will tfmask also hide these?

variables: |
            aws_assume_role="${{ secrets.AWS_ASSUME_ROLE }}"
            aws_account="${{ secrets.AWS_ACCOUNT }}"

dflook commented 1 year ago

If the variables are defined to be 'sensitive=true' they will be masked both by terraform and anywhere the sensitive values appear in the workflow log.

All actions environment secrets are masked in the workflow log also.

tfmask is doing extra masking on top of this.

rcclemente commented 1 year ago

Just to clarify, is this how to set a sensitive variable?

variables: |
            aws_assume_role="${{ secrets.AWS_ASSUME_ROLE }}"
            aws_account="${{ secrets.AWS_ACCOUNT }}"
            sensitive=true

dflook commented 1 year ago

You would set it where the variable is defined, e.g. in a variables.tf file:

variable "aws_account" {
  type      = string
  sensitive = true
}

More details are here