Releases: suzuki-shunsuke/tfcmt
v4.9.0-2
Changes from v4.9.0-1
56dfca4 fix(mask): Change the default separator from ; to ,
Features
#1083 #1115 support masking secrets
You can mask secrets in the outputs of terraform.
This feature prevents secrets from leaking.
The following outputs are masked.
- Standard output of the terraform command
- Standard error output of the terraform command
- Pull request comments of tfcmt plan and tfcmt apply
- Local files created by the --output option
Caution
Even if you mask secrets using this feature, secrets are still stored in Terraform state.
Please see also Sensitive Data in State.
You can use the environment variables TFCMT_MASKS and TFCMT_MASKS_SEPARATOR.
TFCMT_MASKS: A list of masks. Masks are joined by TFCMT_MASKS_SEPARATOR.
TFCMT_MASKS_SEPARATOR: The separator between masks. The default value is , (a comma).
The format of each mask is ${type}:${value}.
${type} must be either env or regexp.
If ${type} is env, ${value} is the name of an environment variable whose value is masked.
If ${type} is regexp, ${value} is a regular expression whose matches are masked.
e.g. Mask GitHub access tokens and the environment variable DATADOG_API_KEY.
export TFCMT_MASKS="env:GITHUB_TOKEN,env:DATADOG_API_KEY,regexp:ghp_[^ ]+"
tfcmt plan -- terraform plan
e.g. Change the separator to /.
export TFCMT_MASKS_SEPARATOR=/
export TFCMT_MASKS="env:GITHUB_TOKEN/env:DATADOG_API_KEY/regexp:ghp_[^ ]+"
All matching strings are replaced with ***.
Replacements are done in the order of TFCMT_MASKS, so the result depends on that order.
For example, if TFCMT_MASKS is regexp:foo,regexp:foo.*, the mask regexp:foo.* has no effect: every foo is replaced with *** before foo.* is applied, so foo.* no longer matches anything.
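The ordering rule above is easy to get wrong, so here is a small Go model of the masking semantics as the release notes describe them (env masks hide the variable's value, regexp masks hide every match, replacements run in list order). This is an added example, not tfcmt's own code: the functions ParseMasks and ApplyMasks, the injected environment lookup, and the plan excerpt with the fake values hunter2-token and ghp_abc123XYZ are all constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// DefaultSeparator mirrors the v4.9.0-2 default for TFCMT_MASKS_SEPARATOR.
const DefaultSeparator = ","

// Mask is one ${type}:${value} entry of TFCMT_MASKS.
type Mask struct {
	Type  string // "env" or "regexp"
	Value string // environment variable name, or regular expression
}

// ParseMasks splits spec on sep and validates each entry. Splitting happens
// on the separator first, so a regexp containing the separator character
// cannot be expressed without changing TFCMT_MASKS_SEPARATOR.
func ParseMasks(spec, sep string) ([]Mask, error) {
	if spec == "" {
		return nil, nil
	}
	var masks []Mask
	for _, item := range strings.Split(spec, sep) {
		typ, val, ok := strings.Cut(item, ":") // the value may itself contain ':'
		if !ok || val == "" || (typ != "env" && typ != "regexp") {
			return nil, fmt.Errorf("invalid mask %q: want env:NAME or regexp:PATTERN", item)
		}
		masks = append(masks, Mask{Type: typ, Value: val})
	}
	return masks, nil
}

// ApplyMasks replaces every match of every mask with "***", strictly in the
// order the masks were listed. lookupEnv is injected so the function can be
// exercised without touching the real process environment.
func ApplyMasks(text string, masks []Mask, lookupEnv func(string) (string, bool)) (string, error) {
	for _, m := range masks {
		switch m.Type {
		case "env":
			secret, ok := lookupEnv(m.Value)
			if !ok || secret == "" {
				continue // unset or empty variable: nothing to hide
			}
			text = strings.ReplaceAll(text, secret, "***")
		case "regexp":
			re, err := regexp.Compile(m.Value)
			if err != nil {
				return "", fmt.Errorf("mask regexp %q: %w", m.Value, err)
			}
			text = re.ReplaceAllLiteralString(text, "***")
		}
	}
	return text, nil
}

func main() {
	// Constructed plan excerpt with two fake secrets; these are not real credentials.
	plan := `  + substitutions = {
      + "_GH_TOKEN" = "hunter2-token"
    }
  + description  = "deploy key ghp_abc123XYZ"`

	spec := os.Getenv("TFCMT_MASKS")
	if spec == "" {
		spec = "env:TF_VAR_gh_token,regexp:ghp_[^ ]+" // fallback so the demo runs stand-alone
	}
	sep := os.Getenv("TFCMT_MASKS_SEPARATOR")
	if sep == "" {
		sep = DefaultSeparator
	}
	masks, err := ParseMasks(spec, sep)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Pretend TF_VAR_gh_token is exported with the constructed value above;
	// every other name is resolved from the real environment.
	lookup := func(name string) (string, bool) {
		if name == "TF_VAR_gh_token" {
			return "hunter2-token", true
		}
		return os.LookupEnv(name)
	}
	out, err := ApplyMasks(plan, masks, lookup)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(out)
}
```

Two things worth checking when you write your own TFCMT_MASKS: first, list broad patterns before narrow ones (regexp:foo.* before regexp:foo), otherwise the narrow mask consumes the text the broad one needed; second, a pattern like ghp_[^ ]+ runs to the next space, so in the excerpt above it also swallows the closing quote after the token. A character class that matches only token characters, such as ghp_[A-Za-z0-9]+, masks the secret without eating the surrounding syntax.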
Example
This example creates a google_cloudbuild_trigger resource.
This resource has a GitHub access token in the field substitutions._GH_TOKEN.
main.tf
resource "google_cloudbuild_trigger" "filename_trigger" {
  location = "us-central1"
  trigger_template {
    branch_name = "main"
    repo_name   = "my-repo"
  }
  substitutions = {
    _GH_TOKEN = var.gh_token # Secret
  }
  filename = "cloudbuild.yaml"
}

variable "gh_token" {
  type        = string
  description = "GitHub Access token"
}

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "5.13.0"
    }
  }
}
If you run terraform plan without masking, the secret would be leaked.
To prevent the leak, let's mask the secret.
export TFCMT_MASKS=env:TF_VAR_gh_token # Mask the environment variable TF_VAR_gh_token
Look at _GH_TOKEN in the output of tfcmt plan and in the pull request comment.
You can confirm that _GH_TOKEN is properly masked as ***.
$ tfcmt plan -- terraform plan
tfcmt plan -- terraform plan
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_cloudbuild_trigger.filename_trigger will be created
  + resource "google_cloudbuild_trigger" "filename_trigger" {
      + create_time   = (known after apply)
      + filename      = "cloudbuild.yaml"
      + id            = (known after apply)
      + location      = "us-central1"
      + name          = (known after apply)
      + project       = "hello"
      + substitutions = {
          + "_GH_TOKEN" = "***"
        }
      + trigger_id    = (known after apply)

      + trigger_template {
          + branch_name = "main"
          + project_id  = (known after apply)
          + repo_name   = "my-repo"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
v4.9.0-1
Features
#1083 #1115 support masking secrets
You can mask secrets in the outputs of terraform.
This feature prevents secrets from leaking.
The following outputs are masked.
- Standard output of the terraform command
- Standard error output of the terraform command
- Pull request comments of tfcmt plan and tfcmt apply
- Local files created by the --output option
Caution
Even if you mask secrets using this feature, secrets are still stored in Terraform state.
Please see also Sensitive Data in State.
You can use the environment variables TFCMT_MASKS and TFCMT_MASKS_SEPARATOR.
TFCMT_MASKS: A list of masks. Masks are joined by TFCMT_MASKS_SEPARATOR.
TFCMT_MASKS_SEPARATOR: The separator between masks. The default value is ; (a semicolon).
The format of each mask is ${type}:${value}.
${type} must be either env or regexp.
If ${type} is env, ${value} is the name of an environment variable whose value is masked.
If ${type} is regexp, ${value} is a regular expression whose matches are masked.
e.g. Mask GitHub access tokens and the environment variable DATADOG_API_KEY.
export TFCMT_MASKS="env:GITHUB_TOKEN;env:DATADOG_API_KEY;regexp:ghp_[^ ]+"
tfcmt plan -- terraform plan
e.g. Change the separator to /.
export TFCMT_MASKS_SEPARATOR=/
export TFCMT_MASKS="env:GITHUB_TOKEN/env:DATADOG_API_KEY/regexp:ghp_[^ ]+"
All matching strings are replaced with ***.
Replacements are done in the order of TFCMT_MASKS, so the result depends on that order.
For example, if TFCMT_MASKS is regexp:foo;regexp:foo.*, the mask regexp:foo.* has no effect: every foo is replaced with *** before foo.* is applied, so foo.* no longer matches anything.
Example
This example creates a google_cloudbuild_trigger resource.
This resource has a GitHub access token in the field substitutions._GH_TOKEN.
main.tf
resource "google_cloudbuild_trigger" "filename_trigger" {
  location = "us-central1"
  trigger_template {
    branch_name = "main"
    repo_name   = "my-repo"
  }
  substitutions = {
    _GH_TOKEN = var.gh_token # Secret
  }
  filename = "cloudbuild.yaml"
}

variable "gh_token" {
  type        = string
  description = "GitHub Access token"
}

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "5.13.0"
    }
  }
}
If you run terraform plan without masking, the secret would be leaked.
To prevent the leak, let's mask the secret.
export TFCMT_MASKS=env:TF_VAR_gh_token # Mask the environment variable TF_VAR_gh_token
Look at _GH_TOKEN in the output of tfcmt plan and in the pull request comment.
You can confirm that _GH_TOKEN is properly masked as ***.
$ tfcmt plan -- terraform plan
tfcmt plan -- terraform plan
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_cloudbuild_trigger.filename_trigger will be created
  + resource "google_cloudbuild_trigger" "filename_trigger" {
      + create_time   = (known after apply)
      + filename      = "cloudbuild.yaml"
      + id            = (known after apply)
      + location      = "us-central1"
      + name          = (known after apply)
      + project       = "hello"
      + substitutions = {
          + "_GH_TOKEN" = "***"
        }
      + trigger_id    = (known after apply)

      + trigger_template {
          + branch_name = "main"
          + project_id  = (known after apply)
          + repo_name   = "my-repo"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
v4.8.0
Pull Requests | Issues | v4.7.3...v4.8.0
Features
#1090 #1091 Support passing GitHub Access token via the environment variable TFCMT_GITHUB_TOKEN
In addition to the environment variable GITHUB_TOKEN
, tfcmt supports the environment variable TFCMT_GITHUB_TOKEN
too.
v4.8.0-1
v4.7.3
Pull Requests | Issues | v4.7.2...v4.7.3
Bug Fixes
#1073 Fix a bug where code blocks are broken if "```" is used in the command output @jemiam
When triple backticks appear in the output of the terraform command, the wrapCode method wraps the output in HTML tags (pre + code) instead of a fenced block to escape it.
But currently these tags are also escaped, so the output is not rendered as intended.
New Contributor 🎉
Thank you for your contribution!
v4.7.2
Pull Requests | Issues | v4.7.1...v4.7.2
Fixes
#1061 #1062 Change the default template to fix the issue that emojis aren't rendered
Recently, some emojis in tfcmt's comments haven't been rendered properly.
We suspect this is a bug in GitHub itself.
- https://github.com/orgs/community/discussions/77605
- https://github.com/orgs/community/discussions/77606
We found the bug doesn't occur if we remove emojis from the end of lines.
Before
### :warning: Resource Deletion will happen :warning:
After
### :warning: Resource Deletion will happen
Until the bug is fixed, we'll remove emojis from the end of lines.
Others
Update dependencies
#1058 chore(deps): update dependency golang/go to v1.21.5
v4.7.1
Pull Requests | Issues | v4.7.0...v4.7.1
Others
#959 chore(deps): update dependency golang/go to v1.21.3
#960 fix(deps): update module github.com/google/go-cmp to v0.6.0
v4.7.0
Pull Requests | Issues | v4.6.1...v4.7.0
We roughly checked whether tfcmt works with OpenTofu and fixed some issues that prevented it from working.
We tested tfcmt with OpenTofu v1.6.0-alpha2.
tfcmt seems to work with OpenTofu.
You can simply replace the Terraform CLI with the OpenTofu CLI.
$ tfcmt plan -- tofu plan
$ tfcmt apply -- tofu apply
But we only checked roughly, not deeply, and we don't promise OpenTofu support for now.
We primarily support Terraform.
v4.6.1
Pull Requests | Issues | v4.6.0...v4.6.1
Others
#952 Fix Go Module Path
This update fixes the issue that tfcmt can't be installed by go install.
$ go install github.com/suzuki-shunsuke/tfcmt/cmd/[email protected]
go: github.com/suzuki-shunsuke/tfcmt/cmd/[email protected]: github.com/suzuki-shunsuke/[email protected]: invalid version: module contains a go.mod file, so module path must match major version ("github.com/suzuki-shunsuke/tfcmt/v4")
$ go install github.com/suzuki-shunsuke/tfcmt/v4/cmd/[email protected]
go: github.com/suzuki-shunsuke/tfcmt/v4/cmd/[email protected]: github.com/suzuki-shunsuke/[email protected]: invalid version: module contains a go.mod file, so module path must match major version ("github.com/suzuki-shunsuke/tfcmt/v4")
As of v4.6.1, you can install tfcmt by go install.
$ go install github.com/suzuki-shunsuke/tfcmt/v4/cmd/[email protected]
go: downloading github.com/suzuki-shunsuke/tfcmt/v4 v4.6.1
#947 Update Go 1.21.1 to 1.21.2
#890 Update github.com/google/go-github/v53 to v55
Addressed go-github's breaking changes.
#711 Update dependency golangci/golangci-lint to v1.54.2
Fixed lint errors.
v4.6.1-1
Pull Requests | Issues | v4.6.0...v4.6.1-1
Changelog
- cb656cf test
- 475ee37 chore(deps): update dependency golangci/golangci-lint to v1.54.2 (#711)
- 3e7f2ec fix(deps): update module github.com/google/go-github/v53 to v55 (#890)
- 6a4db81 fix: update Go Module Path (#952)
- d568ca7 chore(aqua): update aqua-checksums.json
- 7ad2a09 chore(deps): update dependency aquaproj/aqua-registry to v4.59.0
- 3cdfffc chore(go): go mod tidy
- 00d1374 fix(deps): update module golang.org/x/oauth2 to v0.13.0
- 28ecddf chore(aqua): update aqua-checksums.json
- 04f2994 chore(deps): update dependency aquaproj/aqua-registry to v4.58.0
- d531a70 chore(deps): update dependency aquaproj/aqua to v2.12.2
- bc5d20f chore(deps): update dependency golang/go to v1.21.2
- 90f5698 chore(aqua): update aqua-checksums.json
- e5d8570 chore(deps): update dependency aquaproj/aqua-registry to v4.57.0
- 65c82fb chore(aqua): update aqua-checksums.json
- abdd0af chore(deps): update dependency aquaproj/aqua-registry to v4.56.0
- cab3588 chore(aqua): update aqua-checksums.json
- 0f15eb5 chore(deps): update dependency aquaproj/aqua-registry to v4.55.0
- ceccd4d chore(aqua): update aqua-checksums.json
- a31ba1f chore(deps): update dependency aquaproj/aqua-registry to v4.54.0
- 7b619d6 chore(deps): update dependency aquaproj/aqua to v2.12.1
- 738ae95 chore(aqua): update aqua-checksums.json
- 52be44b chore(deps): update dependency aquaproj/aqua-registry to v4.53.0
- 8743c6a chore(deps): update dependency goreleaser/goreleaser to v1.21.2 (#938)
- bc3a5e3 chore(deps): update dependency aquaproj/aqua-renovate-config to v1.11.0
- 4d32656 chore(aqua): update aqua-checksums.json
- da74904 chore(deps): update dependency goreleaser/goreleaser to v1.21.1
- 8808c67 chore(aqua): update aqua-checksums.json
- 1a4f92c chore(deps): update dependency goreleaser/goreleaser to v1.21.0
- e67e468 chore(aqua): update aqua-checksums.json
- 290acb5 chore(deps): update dependency aquaproj/aqua-registry to v4.52.1
- 6a59478 chore(deps): update actions/checkout action to v4.1.0