jason-johnson / azure-pipelines-tasks-terraform

Azure Pipelines extension for Terraform
MIT License

TerraformCLI@0 init command shows secret in plain text #335

Closed darrens280 closed 1 year ago

darrens280 commented 1 year ago

When using an Azure YAML pipeline to perform the Terraform init task (which is called from a YAML template file), the Azure Service Connection secret is getting displayed as plain text in the pipeline job results.

The client_id is masked, but the client_secret is not.

steps:
  - task: TerraformCLI@0
    displayName: "terraform init"
    inputs:
      command: "init"
      workingDirectory: $(workingDirectory)
      backendType: "azurerm"
      ensureBackend: false
      backendServiceArm: $(azureDevOpsServiceConnectionName)
      backendAzureRmResourceGroupName: $(backend-resource-group)
      backendAzureRmStorageAccountName: $(backend-storage-account)
      backendAzureRmContainerName: $(backend-blob-container)
      backendAzureRmKey: $(statefile)
      allowTelemetryCollection: $(useTelemetery)

Here is an extract of the resulting job in the pipeline:

...
Your version of Terraform is out of date! The latest version
is 1.3.9. You can update by downloading from https://www.terraform.io/downloads.html
C:\Tools\terraform.exe init -backend-config=storage_account_name=<MY_STORAGE_ACCOUNT_NAME> -backend-config=container_name=<MY_BLOB_CONTAINER_NAME> -backend-config=key=<MY_STATE>.terraform.tfstate -backend-config=resource_group_name=<MY_RESOURCE_GROUP_NAME> -backend-config=subscription_id=<MY_SUBSCRIPTION_ID> -backend-config=tenant_id=<MY_TENANT_ID> -backend-config=client_id=*** -backend-config=client_secret=supersecretpassword
Initializing modules...
...

Hoping you can assist or advise. Thanks

darrens280 commented 1 year ago

Incorrectly logged, therefore closing issue.
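
An added example, not part of the original issue or the extension's own code: a log check that flags `-backend-config` arguments whose sensitive keys carry an unmasked value, and a redaction pass for archived logs. The key list, the function names and the sample log line (modelled on the extract above, with placeholder values) are assumptions.

```python
import re

# Assumption: azurerm backend-config keys treated as sensitive in this check.
SENSITIVE_KEYS = {"client_secret", "access_key", "sas_token",
                  "client_certificate_password"}
MASK = "***"  # placeholder Azure Pipelines prints in place of a masked secret

# Matches -backend-config=key=value; the value is quoted or runs to whitespace.
ARG_RE = re.compile(
    r'-backend-config=(?P<key>[A-Za-z0-9_]+)=(?P<value>"[^"]*"|\S+)')


def find_unmasked(log_text):
    """Return (line_number, key) for each sensitive key whose value is not masked."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in ARG_RE.finditer(line):
            value = m.group("value").strip('"')
            if m.group("key") in SENSITIVE_KEYS and value != MASK:
                findings.append((lineno, m.group("key")))
    return findings


def redact(log_text):
    """Replace the value of every sensitive backend-config key with the mask."""
    def _sub(m):
        if m.group("key") in SENSITIVE_KEYS:
            return f"-backend-config={m.group('key')}={MASK}"
        return m.group(0)  # non-sensitive arguments are left untouched
    return ARG_RE.sub(_sub, log_text)


# Constructed sample modelled on the job extract in the issue (placeholder values).
SAMPLE_LOG = """Your version of Terraform is out of date!
C:\\Tools\\terraform.exe init -backend-config=storage_account_name=examplestorage -backend-config=client_id=*** -backend-config=client_secret=not-a-real-secret
Initializing modules...
"""

if __name__ == "__main__":
    for lineno, key in find_unmasked(SAMPLE_LOG):
        print(f"line {lineno}: {key} is not masked")
    print(redact(SAMPLE_LOG))
```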