This repository has been archived by the owner on Mar 8, 2021. It is now read-only.

Feature Request: Support masking output #5

Closed
osterman opened this issue Jan 14, 2019 · 5 comments
Labels
enhancement New feature or request

Comments

@osterman
osterman commented Jan 14, 2019

what

  • Support replacing strings matching regexes with a masking character (e.g. *)

why

  • One of the challenges with terraform in a CI/CD context is leaking sensitive information

interfaces

Create a .scenery.yaml:

mask:
  character: '*'
  patterns:
  # Mask all UUIDs
  - '/\b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b/'

Usage:

terraform apply 2>&1 | scenery --mask

related

@dmlittle
Owner

@osterman thanks for opening up an issue with this suggestion!

I think the feature request and reasoning make sense. I can't promise a timeline nor implementation details but I'll use this issue to keep track of the progress of this feature.

@dmlittle dmlittle added the enhancement New feature or request label Jan 15, 2019
@osterman
Author

Here's an example using a random_string resource.

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement
Terraform will perform the following actions:
  ~ aws_ssm_parameter.mq_master_password
      value:       <sensitive> => <sensitive> (attribute changed)
-/+ random_string.mq_admin_password (new resource required)
      id:          "none" => <computed> (forces new resource)
      length:      "16" => "16"
      lower:       "true" => "true"
      min_lower:   "0" => "0"
      min_numeric: "0" => "0"
      min_special: "0" => "0"
      min_upper:   "0" => "0"
      number:      "true" => "true"
      result:      "hHz1cRAgUbKLSsAR" => <computed>
      special:     "false" => "true" (forces new resource)
      upper:       "true" => "true"
Plan: 1 to add, 1 to change, 1 to destroy.
------------------------------------------------------------------------
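
The masking filter this issue asks for, applied line by line to plan output such as the example above; it is added here for illustration and is not code from scenery or tfmask. The second pattern, the capture-group convention and the function names are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Patterns in the '/.../' form of the proposed .scenery.yaml.
var patterns = []string{
	`/\b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b/`, // from the issue
	`/\bresult:\s+"([^"]+)"/`, // hypothetical: quoted value of a "result" attribute
}

// Compile strips the '/' delimiters and compiles each pattern. It panics on a
// bad pattern so the filter fails closed instead of passing output unmasked.
func Compile(pats []string) (res []*regexp.Regexp) {
	for _, p := range pats {
		res = append(res, regexp.MustCompile(strings.Trim(p, "/")))
	}
	return res
}

// MaskLine masks every match with char; when a pattern has a capture group,
// only group 1 is masked so the attribute name stays readable.
func MaskLine(line, char string, res []*regexp.Regexp) string {
	for _, re := range res {
		locs := re.FindAllStringSubmatchIndex(line, -1)
		for i := len(locs) - 1; i >= 0; i-- { // right to left keeps offsets valid
			s, e := locs[i][0], locs[i][1]
			if len(locs[i]) >= 4 && locs[i][2] >= 0 {
				s, e = locs[i][2], locs[i][3]
			}
			line = line[:s] + strings.Repeat(char, e-s) + line[e:]
		}
	}
	return line
}

func main() {
	res := Compile(patterns)
	for sc := bufio.NewScanner(os.Stdin); sc.Scan(); {
		fmt.Println(MaskLine(sc.Text(), "*", res))
	}
}
```

Masking preserves the matched length, so the output still reveals how long the secret is; a fixed-width replacement avoids that.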

@osterman
Author

A PR for a random_password resource was just opened yesterday.

hashicorp/terraform-provider-random#52

Though we're trying to solve the general case when we cannot immediately upstream the right fix in terraform.

@osterman
Author

We wrote tfmask to address this: https://github.com/cloudposse/tfmask

@dmlittle
Owner

dmlittle commented Mar 8, 2021

Scenery is not actively maintained and the repo will be archived momentarily. I no longer have the time to maintain this tool, nor do I think it should continue to be used, as Terraform 0.11 has been deprecated for over a year now (scenery can only parse Terraform 0.11 plan outputs). Terraform 0.14 has some plan output changes and also introduced the concept of concise diff plan outputs, which does most of what scenery currently does.

If you'd like to add new functionality as you cannot upgrade your terraform version, feel free to fork the repo.

@dmlittle dmlittle closed this as completed Mar 8, 2021