---
#
# This is the canonical configuration for the `README.md`
# Run `make readme` to rebuild the `README.md`
#
# Name of this project
name: tfmask
# Logo for this project
#logo: docs/logo.png
# License of this project
license: "APACHE2"
# Canonical GitHub repo
github_repo: cloudposse/tfmask
# Badges to display
badges:
- name: "Build Status"
image: "https://travis-ci.org/cloudposse/tfmask.svg?branch=master"
url: "https://travis-ci.org/cloudposse/tfmask"
- name: "Latest Release"
image: "https://img.shields.io/github/release/cloudposse/tfmask.svg"
url: "https://github.com/cloudposse/tfmask/releases/latest"
- name: "Slack Community"
image: "https://slack.cloudposse.com/badge.svg"
url: "https://slack.cloudposse.com"
# Short description of this project
description: |-
Command line utility to mask sensitive output from a `terraform plan` or `terraform apply`.
introduction: |-
If you answer "yes" to any of these questions, then look no further!
* Have you ever wished you could easily filter sensitive output from a `terraform plan` or `terraform apply`?
* Do you use terraform providers that leak sensitive data to `stdout` (e.g. `terraform-github-provider`)?
**Yes?** Great! Then this utility is for you.
The `tfmask` utility replaces both the "old value" and the "new value" of a matching attribute with the masking character (e.g. `*`), so a reviewer still sees which attribute changes but not what it was or will be.
__NOTE__: `tfmask` preserves the names of the nodes in the graph; only the values are masked.
screenshots:
- name: "terraform plan"
description: "Example of masking output from a `terraform plan` execution"
url: "https://user-images.githubusercontent.com/52489/51474936-c1003800-1d35-11e9-9e25-11245388a372.png"
- name: "terraform apply"
description: "Example of masking output from a `terraform apply` execution"
url: "https://user-images.githubusercontent.com/52489/51475052-248a6580-1d36-11e9-9f55-5ad46bf77bcb.png"
# How to use this project
usage: |-
__NOTE__: The utility supports a number of configuration settings which can be passed via environment variables.
| Environment Variable | Description | Default |
|--------------------------|------------------------------------------------|------------|
| `TFMASK_CHAR` | Character used to mask all output | `*` |
| `TFMASK_VALUES_REGEX` | Regular expression used to match values | [see code] |
| `TFMASK_RESOURCES_REGEX` | Regular expression used to match resources | [see code] |
__IMPORTANT__: Pass `-no-color` to `terraform plan` and `terraform apply`. `tfmask` matches lines against the regular expressions above, and the ANSI color escapes Terraform emits by default break those matches, so colored lines may pass through unmasked.
__NOTE__: Masking is pattern-based and best effort. A value whose attribute name does not match `TFMASK_VALUES_REGEX` (and whose resource does not match `TFMASK_RESOURCES_REGEX`) is printed as-is, and the secret is still written unmasked to the Terraform state. Only `stdout` flows through the pipe; add `2>&1` if diagnostics on `stderr` should be filtered as well.
The basic usage looks like this. We're going to run `terraform plan` and filter it through `tfmask`:
```sh
terraform plan -no-color | tfmask
```
### Direnv
You can use `tfmask` with [`direnv`](https://direnv.net/) to set the defaults.
Example `.envrc`:
```sh
# Export terraform environment
export TFMASK_CHAR="#"
export TFMASK_VALUES_REGEX="(?i)^.*[^a-zA-Z](oauth|secret|token|password|key|result|id).*$"
```
<details>
<summary>Example of Masked Output</summary>
```sh
Terraform will perform the following actions:
~ module.atlantis.module.web_app.module.ecs_codepipeline.aws_codepipeline.source_build_deploy
stage.0.action.0.configuration.%: "4" => "5"
stage.0.action.0.configuration.OAuthToken: "" => "*******************************************"
Plan: 0 to add, 1 to change, 0 to destroy.
```
</details>
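To make the masking rule concrete, here is a small Go filter that reproduces the behaviour described above: attribute lines whose name matches `TFMASK_VALUES_REGEX` get their old and new values replaced with `TFMASK_CHAR`, every attribute of a resource whose address matches `TFMASK_RESOURCES_REGEX` is masked, and the node names are kept. It is an added example written for this README, not `tfmask`'s own source. The default for `TFMASK_RESOURCES_REGEX` (matching `random_id`, `random_string` and `random_password` addresses) is an assumption made here, the `Masker`, `MaskLine` and `MaskLines` names are this example's own, and it expects the Terraform 0.11-style `-no-color` line format shown in the examples on this page (`name: "old" => "new"` or `=> <computed>`).

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
	"strings"
	"unicode/utf8"
)

// Added example, not tfmask's own source. It reproduces the behaviour the README
// describes for Terraform 0.11-style `-no-color` output: on every attribute line
// whose name matches TFMASK_VALUES_REGEX the quoted old and new values are
// replaced with TFMASK_CHAR while the attribute path (the node name) is kept,
// and every attribute of a resource whose address matches TFMASK_RESOURCES_REGEX
// is masked. The mask char and values regex defaults are the ones shown in the
// README; the resources regex default is an ASSUMPTION made for this example.
const (
	defaultMaskChar       = "*"
	defaultValuesRegex    = `(?i)^.*[^a-zA-Z](oauth|secret|token|password|key|result|id).*$`
	defaultResourcesRegex = `(?i)^(.*\.)?random_(id|string|password)\..*$` // assumed
)

// pair matches the `"old" => "new"` part of an attribute line; either side may
// be the unquoted <computed> placeholder, which carries no secret.
var pair = regexp.MustCompile(`("[^"]*"|<computed>) => ("[^"]*"|<computed>)`)

// header matches a resource header such as `~ module.x.aws_codepipeline.y` or
// `-/+ random_id.suffix (new resource required)`; group 2 is the address.
var header = regexp.MustCompile(`^\s*(-/\+|<=|[~+-])\s+([A-Za-z0-9_.\-\[\]]+)`)

// Masker holds the configuration and the "inside a masked resource" state,
// which a stateless per-line filter could not carry.
type Masker struct {
	maskChar   string
	values     *regexp.Regexp
	resources  *regexp.Regexp
	inResource bool
}

func NewMasker(maskChar, valuesRe, resourcesRe string) *Masker {
	return &Masker{
		maskChar:  maskChar,
		values:    regexp.MustCompile(valuesRe),
		resources: regexp.MustCompile(resourcesRe),
	}
}

// FromEnv honours the three environment variables from the README table.
func FromEnv() *Masker {
	get := func(key, def string) string {
		if v := os.Getenv(key); v != "" {
			return v
		}
		return def
	}
	return NewMasker(get("TFMASK_CHAR", defaultMaskChar),
		get("TFMASK_VALUES_REGEX", defaultValuesRegex),
		get("TFMASK_RESOURCES_REGEX", defaultResourcesRegex))
}

// MaskLine returns the line with its old/new values masked when the attribute
// name matches the values regex or the line belongs to a masked resource.
func (m *Masker) MaskLine(line string) string {
	if strings.TrimSpace(line) == "" {
		m.inResource = false // a blank line closes the resource block
		return line
	}
	if h := header.FindStringSubmatch(line); h != nil && !strings.Contains(line, ": ") {
		m.inResource = m.resources.MatchString(h[2])
		return line // the node name itself is never masked
	}
	if !m.inResource && !m.values.MatchString(line) {
		return line
	}
	return pair.ReplaceAllStringFunc(line, func(s string) string {
		sm := pair.FindStringSubmatch(s)
		return m.maskToken(sm[1]) + " => " + m.maskToken(sm[2])
	})
}

// maskToken keeps the value's length, as the README output does; a fixed-width
// mask would additionally hide how long the secret is.
func (m *Masker) maskToken(t string) string {
	if !strings.HasPrefix(t, `"`) {
		return t // <computed>
	}
	return `"` + strings.Repeat(m.maskChar, utf8.RuneCountInString(t)-2) + `"`
}

// MaskLines filters a whole plan, carrying the resource state across lines.
func (m *Masker) MaskLines(lines []string) []string {
	out := make([]string, len(lines))
	for i, l := range lines {
		out[i] = m.MaskLine(l)
	}
	return out
}

func main() {
	m := FromEnv()
	sc := bufio.NewScanner(os.Stdin)
	sc.Buffer(make([]byte, 0, 64*1024), 1<<20) // plan lines can be long
	for sc.Scan() {
		fmt.Println(m.MaskLine(sc.Text()))
	}
}
```

Run it in place of `tfmask` as `terraform plan -no-color | go run tfmask_example.go` with the same environment variables. The state kept in `Masker` is what lets a resources regex mask every attribute of a `random_id` block, including attributes such as `byte_length` whose names would never match the values regex; the blank line that ends the resource block in the plan output resets that state, so the same attribute in a non-matching resource is printed untouched.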
related:
- name: "Packages"
description: "Cloud Posse installer and distribution of native apps"
url: "https://github.com/cloudposse/packages"
- name: "build-harness"
description: "Collection of Makefiles to facilitate building Golang projects, Dockerfiles, Helm charts, and more"
url: "https://github.com/cloudposse/build-harness"
- name: "geodesic"
description: "Geodesic is the fastest way to get up and running with a rock solid, production grade cloud platform built on strictly Open Source tools."
url: "https://github.com/cloudposse/geodesic"
- name: "direnv"
description: "Unclutter your .profile with an environment switcher for the shell"
url: "https://direnv.net/"
- name: "tfenv"
description: "Transform environment variables for use with Terraform (e.g. `HOSTNAME` ⇨ `TF_VAR_hostname`)"
url: "https://github.com/cloudposse/tfenv"
examples: |-
### Compiling the Binary
```sh
make go/build
```
### Use with Terraform Plan
Many terraform providers unintentionally leak sensitive information when running `terraform plan`, for example by printing an API token as the new value of an attribute, which then ends up in CI logs and terminal scrollback. **This is very bad.**
<details>
<summary>Example of a Leaked Secret from a Terraform Plan</summary>
```sh
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
~ module.example.aws_codepipeline.source_build_deploy
stage.0.action.0.configuration.%: "4" => "5"
stage.0.action.0.configuration.OAuthToken: "" => "efba05dbe9b94ba18ae3737a6d6de16eefba05dbe9b9"
Plan: 0 to add, 1 to change, 0 to destroy.
```
__NOTE:__ This `OAuthToken` is just an example and not a valid token.
</details>
Using `tfmask`, the output from `terraform plan` will be masked like this:
```sh
terraform plan -no-color | tfmask
```
<details>
<summary>Example of Masked Terraform Plan Output</summary>
```
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
~ module.example.aws_codepipeline.source_build_deploy
stage.0.action.0.configuration.%: "4" => "5"
stage.0.action.0.configuration.OAuthToken: "" => "********************************************"
Plan: 0 to add, 1 to change, 0 to destroy.
```
</details>
### Use with Terraform Apply
Many terraform providers unintentionally leak sensitive information when running `terraform apply`, and the apply output is what most CI systems record and keep. **This is very bad.**
<details>
<summary>Example of a Leaked Secret from a Terraform Apply</summary>
```sh
terraform apply
module.example.aws_codepipeline.source_build_deploy: Modifying... (ID: example-codepipeline)
stage.0.action.0.configuration.%: "4" => "5"
stage.0.action.0.configuration.OAuthToken: "" => "efba05dbe9b94ba18ae3737a6d6de16eefba05dbe9b9"
module.example.aws_codepipeline.source_build_deploy: Modifications complete after 1s (ID: example-codepipeline)
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
```
__NOTE:__ This `OAuthToken` is just an example and not a valid token.
</details>
Using `tfmask`, the output from `terraform apply` will be masked like this:
```sh
terraform apply -no-color | tfmask
```
<details>
<summary>Example of Masked Terraform Apply Output</summary>
```sh
module.example.aws_codepipeline.source_build_deploy: Modifying... (ID: example-codepipeline)
stage.0.action.0.configuration.%: "4" => "5"
stage.0.action.0.configuration.OAuthToken: "" => "********************************************"
module.example.aws_codepipeline.source_build_deploy: Modifications complete after 1s (ID: example-codepipeline)
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
```
</details>
# Contributors to this project
contributors:
- name: "Erik Osterman"
homepage: "https://github.com/osterman"
github: "osterman"