scottwinkler / terraform-provider-shell

Terraform provider for executing shell commands and saving output to state file
Mozilla Public License 2.0
279 stars 60 forks

add sensitive env block #42

Closed scottwinkler closed 4 years ago

scottwinkler commented 4 years ago

This closes issue #22 and pull request #38.

A new optional block is added to both the shell_script data source and managed resource. This block, called sensitive_environment, functions exactly the same as environment, except that it is marked as sensitive and any variables in the map will not be printed to the console (both in DEBUG and non-DEBUG). All sensitive values are replaced with "**" if they would have otherwise been printed. This makes the provider work better with secrets that you don't want in the state file or leaked in the plan.

Consider the following code snippet:

data "shell_script" "print_credentials" {
  lifecycle_commands {
    read = "echo $AWS_SECRET_ACCESS_KEY"
  }
  sensitive_environment = {
    AWS_SECRET_ACCESS_KEY = "secret_value"
  }
}

If this were to be applied, the following would appear in the logs:

data.shell_script.print_credentials: Refreshing state...
2020-04-14T03:59:47.760-0700 [DEBUG] plugin.terraform-provider-shell_v1.2.0: 2020/04/14 03:59:47 [DEBUG] Reading shell script data resource...
2020-04-14T03:59:47.760-0700 [DEBUG] plugin.terraform-provider-shell_v1.2.0: 2020/04/14 03:59:47 [DEBUG] Locking "shellScriptMutexKey"
2020-04-14T03:59:47.760-0700 [DEBUG] plugin.terraform-provider-shell_v1.2.0: 2020/04/14 03:59:47 [DEBUG] Locked "shellScriptMutexKey"
2020-04-14T03:59:47.760-0700 [DEBUG] plugin.terraform-provider-shell_v1.2.0: 2020/04/14 03:59:47 [DEBUG] shell script going to execute: /bin/sh -c
2020-04-14T03:59:47.760-0700 [DEBUG] plugin.terraform-provider-shell_v1.2.0: 2020/04/14 03:59:47    echo $AWS_SECRET_ACCESS_KEY
2020-04-14T03:59:47.760-0700 [DEBUG] plugin.terraform-provider-shell_v1.2.0: 2020/04/14 03:59:47 -------------------------
2020-04-14T03:59:47.760-0700 [DEBUG] plugin.terraform-provider-shell_v1.2.0: 2020/04/14 03:59:47 [DEBUG] Starting execution...
2020-04-14T03:59:47.760-0700 [DEBUG] plugin.terraform-provider-shell_v1.2.0: 2020/04/14 03:59:47 -------------------------
2020-04-14T03:59:47.765-0700 [DEBUG] plugin.terraform-provider-shell_v1.2.0: 2020/04/14 03:59:47   ******
2020-04-14T03:59:47.765-0700 [DEBUG] plugin.terraform-provider-shell_v1.2.0: 2020/04/14 03:59:47 -------------------------
2020-04-14T03:59:47.765-0700 [DEBUG] plugin.terraform-provider-shell_v1.2.0: 2020/04/14 03:59:47 [DEBUG] Command execution completed:
2020-04-14T03:59:47.765-0700 [DEBUG] plugin.terraform-provider-shell_v1.2.0: 2020/04/14 03:59:47 -------------------------
2020-04-14T03:59:47.765-0700 [DEBUG] plugin.terraform-provider-shell_v1.2.0: 2020/04/14 03:59:47 [DEBUG] no valid JSON strings found at end of output:
2020-04-14T03:59:47.765-0700 [DEBUG] plugin.terraform-provider-shell_v1.2.0: ******
2020-04-14T03:59:47.765-0700 [DEBUG] plugin.terraform-provider-shell_v1.2.0: 2020/04/14 03:59:47 [DEBUG] Unlocking "shellScriptMutexKey"
2020-04-14T03:59:47.765-0700 [DEBUG] plugin.terraform-provider-shell_v1.2.0: 2020/04/14 03:59:47 [DEBUG] Unlocked "shellScriptMutexKey"
2020-04-14T03:59:47.765-0700 [DEBUG] plugin.terraform-provider-shell_v1.2.0: 2020/04/14 03:59:47 [DEBUG] State from read operation was nil. Marking resource for deletion.

Besides this new feature, there was some general cleanup work to the shell_script resource. As part of the emphasis on secrets management, state is no longer printed before and after an execution. You can still print the environment if you want to debug by using a normal CLI command like "printenv". Update() was simplified - the only thing that gets saved between runs is the output (previously, the old environment was saved but didn't do anything anyways).
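The mechanism the PR describes, as an added illustration that is not the provider's own code: the child shell must receive the real values of both maps, while anything that reaches a log line gets the sensitive values masked, including command output that happens to echo a secret. The function names (childEnv, loggableEnv, redactSensitive), the six-character mask and the sample variables are assumptions made for this example; the provider's actual masking string and internal structure may differ.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"sort"
	"strings"
)

// mask is an assumed placeholder; the provider's real replacement string may differ.
const mask = "******"

// sortedKeys returns the keys of m in a stable order so log lines are reproducible.
func sortedKeys(m map[string]string) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// childEnv builds the environment handed to the shell: the parent's environment
// plus both the plain and the sensitive maps. The child must see the real values;
// only what is logged is masked.
func childEnv(base []string, env, sensitive map[string]string) []string {
	out := append([]string{}, base...)
	for _, k := range sortedKeys(env) {
		out = append(out, k+"="+env[k])
	}
	for _, k := range sortedKeys(sensitive) {
		out = append(out, k+"="+sensitive[k])
	}
	return out
}

// loggableEnv is what may be written to DEBUG output: plain variables as-is,
// sensitive ones with their value replaced by the mask.
func loggableEnv(env, sensitive map[string]string) []string {
	out := []string{}
	for _, k := range sortedKeys(env) {
		out = append(out, k+"="+env[k])
	}
	for _, k := range sortedKeys(sensitive) {
		out = append(out, k+"="+mask)
	}
	return out
}

// redactSensitive masks every occurrence of a sensitive value inside s, so that a
// command which echoes a secret cannot leak it through captured stdout/stderr.
// Longer values are replaced first so a value that is a prefix of another cannot
// leave part of the longer secret visible.
func redactSensitive(s string, sensitive map[string]string) string {
	vals := make([]string, 0, len(sensitive))
	for _, v := range sensitive {
		if v != "" { // ReplaceAll with an empty pattern would insert the mask between every rune
			vals = append(vals, v)
		}
	}
	sort.Slice(vals, func(i, j int) bool { return len(vals[i]) > len(vals[j]) })
	for _, v := range vals {
		s = strings.ReplaceAll(s, v, mask)
	}
	return s
}

func main() {
	// Constructed sample mirroring the PR's snippet; the secret is a placeholder value.
	env := map[string]string{"REGION": "us-west-2"}
	sensitive := map[string]string{"AWS_SECRET_ACCESS_KEY": "secret_value"}

	fmt.Println("env for log:", strings.Join(loggableEnv(env, sensitive), " "))

	cmd := exec.Command("/bin/sh", "-c", "echo $AWS_SECRET_ACCESS_KEY in $REGION")
	cmd.Env = childEnv(os.Environ(), env, sensitive)
	out, err := cmd.CombinedOutput()
	if err != nil {
		fmt.Println("command failed:", err)
		return
	}
	// Only the redacted form is ever logged.
	fmt.Print("output for log: ", redactSensitive(string(out), sensitive))
}
```

Two points worth noting from a defender's view: the redaction is applied to captured output as well as to the environment dump, because a script that prints a secret is as much a leak as the provider printing it; and masking the log does not remove the value from the child process or from any state the resource writes, so the state file still needs to be protected as a secret-bearing artifact.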