[feature] Redact / Mask atlantis output

[atlantisbot]

Issue by @so0k
Monday Jan 29, 2018 at 06:59 GMT
Migrated from hootsuite/atlantis#235
Why was it migrated?

---

Is there any way to redact Atlantis output into the PR comments?

In our company there is a concern with secrets in PR comments and we would need finer control over the comments created by Atlantis.

for Terraform, opencredo/terrahelp provides masking functionality by piping Terraform output through it and masking any variables that are in the tfvars file.

At this stage I see 2 options:

1. Provide a way to pipe terraform output through other binaries before sending it to the github comment renderer (this would be the most flexible way)
2. Make the comment templates configurable and including a functionmap that can help masking (most likely too complicated as the masking functions would need to be compiled within Atlantis)

or maybe there is a workaround I'm not seeing?

[atlantisbot]

Comment by @lkysow
Tuesday Jan 30, 2018 at 00:48 GMT

---

@so0k I think I favour option 1 (for now at least). If there was a way to configure exactly what command was run for plan/apply, then you could run terraform with the terrahelp wrapper.

I'm going to be looking at this soon.

[lkysow]

Specific to terrahelp it's possible now:

With 0.4.1, you can override the default plan commands via an atlantis.yaml file:

version: 2
projects:
- dir: terrahelp
  workflow: terrahelp
workflows:
  terrahelp:
    plan:
      steps:
      - init
      - run: terraform plan -no-color -out $PLANFILE | terrahelp mask

The issue is where terrahelp's terraform.tfvars file comes from (this is where it has the secrets) because if you check this in, it's not secret anymore! Maybe you could use a provisioner or a custom run step to download it from a secure location prior to plan?