-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: allow masking output on comments #4331
base: main
Are you sure you want to change the base?
Conversation
did you test tfmask? or any other tool? |
I did, also terrahelp and even plain sed. The problem is that we are sending the output straight to the $planfile, so we can’t act on it. I even tried to change the $showfile, and while that works, Atlantis doesn’t use it for the comment. |
I see ok, it make sense on doing the pre-processing |
I like the feature and find it very useful. However, IMHO, the API could be better. workflows:
terragrunt:
plan:
steps:
- run:
command: terragrunt plan -input=false -out=$PLANFILE
output: strip_refreshing|show|hide
- run:
command: terragrunt plan -input=false -out=$PLANFILE
output:
- show
- strip_refreshing
- filter_regex: "((?i)secret:\\s\")[^\"]*" This would allow us to support previous |
Hi, thanks for the feedback 😃 I've been using this to support terraform for 100+ environments on the three major clouds with zero issues so far. I adjusted the regex to I have to rebase this soon, I'll take a stab at making it work the way you suggested and see how it behaves. |
4a4b5b6
to
d4742ae
Compare
Hi @GMartinez-Sisti, are you able to look at the suggestions from @anryko. It would be great to get this merged. |
I've been thinking about the suggested API, the suggested
I think this is not ideal and might create some confusion, we can support multiple types but only one at a time and act accordingly. This is my suggestion: workflows:
terragrunt:
plan:
steps:
- run:
command: terragrunt plan -input=false -out=$PLANFILE
output: strip_refreshing|show|hide
- run:
command: terragrunt plan -input=false -out=$PLANFILE
output:
- show
- strip_refreshing
- filter_regex
regex_expression: "((?i)secret:\\s\")[^\"]*"
WDYT @anryko and @X-Guardian ? |
The api I suggested would provide an option to apply a sequence of simple regexps one after another. It would make your feature more powerful. I understand the added implementation complexity you are referring to and believe that this would be a bit easier to implement on top of the changes done for this feature, which "loosens" the config unmarshaling. |
I see it, while being more verbose it will be more flexible indeed. I'll wait for #5024 to be merged then so I can leverage the new |
Hi @GMartinez-Sisti, #5024 is now merged. Can you resolve the conflicts on this? |
15eb8ac
to
fd73789
Compare
Signed-off-by: Gabriel Martinez <[email protected]>
fd73789
to
dd862aa
Compare
I've fixed the conflicts, but haven't updated the logic to match the suggestions. |
This issue is stale because it has been open for 1 month with no activity. Remove stale label or comment or this will be closed in 1 month. |
Will still work on this! |
what
Part of #163 (comment).
why
I have the requirements to mask some values that are passed to the comments posted by Atlantis, building up on
strip_refreshing
I added two new output configurations that will allow this via a regex configured on the step. There is an assumption that users that shouldn't see secrets/sensitive values won't have access to the URL jobs, where the plan outputs are shown untouched.Example (added to the docs):
Note that the changes related to mocks were automatically generated with
make go-generate
.tests
atlantis plan
provides the desired masked output on GitHub 😄references
Possibly solves #163.