Open pierresebastien opened 1 year ago
We had the same problem when trying to configure permissions and groups.... The application was not available (error 502), and the credentials were included in the logs.
A workaround until solved can be
(GNU sed)
terraform apply 2>&1 | sed -e 's/\(http request: GET https\?:\/\/\)[^@]*/\1***/g'
⚠️ plz check with an invalid host in ur environment
Terraform Version
Terraform v1.5.6 on linux_amd64
Affected Resource(s)
Terraform Configuration Files
Expected Behavior
Show me an error without exposing sensitive data.
Actual Behavior
The API token used by the provider is exposed in the logs. Example : Error updating SonarQube user: failed to execute http request: POST https://squ_0000000000000000000000000000000000000000:@sonarqube.example.com/api/users/update_identity_provider?login=gitlab-john-doe&newExternalIdentity=john-doe&newExternalProvider=gitlab giving up after 5 attempt(s). Request: &{0xab1940 0xc00021c600}
Steps to Reproduce
terraform apply
With the current behavior, the token used to connect to my self-hosted SonarQube instance is displayed in my CI/CD logs and so other people having read access to my GitLab repository could use it to gain more access to SonarQube.