Masking Sensitive data like passwords when commenting to GitHub

[vishnu-techprescient-teika]

Feature Overview

Masking Sensitive data like passwords when commenting to GitHub.

Why is the feature needed?

Terraform masks sensitive data automatically but there are cases where it is still unable to do it.
Like :

• As a part of the database connection URL.
• As a part of some yaml script.

Sometimes these resources as coded in such a fashion Terraform misses it or we want to check part of the resource but will only get sensitive in place.
If we can mask the same before pushing it to Github that would be great.

Does the feature include Breaking Changes?

No, it should not have breaking changes. Tfcmt is parsing terraform output before posting to Github, we should be able to add a regex match and replace function easily, with a switch.

Example Code

$ 

Configuration

ENABLE_MASKING
MASKING_REGEX
MASKING_CHAR

Reference

https://github.com/cloudposse-archives/tfmask

[suzuki-shunsuke]

Thank you for your proposal.

I note my several ideas of the interface.

• Command line arguments
  • --masked-envs
  • --masked-values
• Environment variables
  • TFCMT_MASKED_VALUES
  • TFCMT_MASKED_ENVS

export TFCMT_MASKED_VALUES=foo,bar
export TFCMT_MASKED_ENVS=GITHUB_TOKEN,DATADOG_API_KEY

• Configuration file

masked_envs:
  - GITHUB_TOKEN
masked_patterns:
  # GitHub Access Token
  - ghp_[^ ]{36}

[suzuki-shunsuke]

export TFCMT_MASKS="env:GITHUB_TOKEN;regexp:ghp_[^ ]{36}"
export TFCMT_MASKS_SEPARATOR=;

[suzuki-shunsuke]

• feat: support masking secrets #1115

[suzuki-shunsuke]

We published the prerelease version v4.9.0-1 v4.9.0-2.
Please see the release note.

@vishnu-techprescient-teika Could you try v4.9.0-1 v4.9.0-2 and give us your feedback?

[suzuki-shunsuke]

tfcmt v4.9.0 is out 🎉

https://github.com/suzuki-shunsuke/tfcmt/releases/tag/v4.9.0

tfcmt has supported masking sensitive data.
Please see the release note and document.

https://suzuki-shunsuke.github.io/tfcmt/mask-sensitive-data/

[suzuki-shunsuke]

Terraform sensitive input variables and outputs and sensitive function

Terraform itself has features to prevent sensitive data from being leaked.

• https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables
• https://developer.hashicorp.com/terraform/language/functions/sensitive
• https://developer.hashicorp.com/terraform/language/values/outputs#sensitive-suppressing-values-in-cli-output
• https://developer.hashicorp.com/terraform/language/values/variables#suppressing-values-in-cli-output
• https://www.hashicorp.com/blog/terraform-0-14-adds-the-ability-to-redact-sensitive-values-in-console-output
• https://www.hashicorp.com/blog/announcing-hashicorp-terraform-0-15-general-availability

So first you should use these features.
But even if these features are available, it still makes sense for tfcmt to mask sensitive data.
Please imagine the situation that platform engineers manage Terraform workflows and product teams manage Terraform codes in a Monorepo.
Then platform engineers need to prevent sensitive data from being leaked, but if product teams forget to protect them with sensitive flags, sensitive data would be leaked.
By protecting sensitive data using tfcmt, platform engineers can prevent sensitive data from being leaked while delegating the management of Terraform codes to product teams.
tfcmt's masking feature works as a guardrail.