[NDR-71] Redact account ids and invocation urls (#302)

* [NDR-71] Add masking for sensitive information in Terraform plan output

* [NDR-71] Add masking for sensitive information in Terraform plan output

* [NDR-71] Enhance masking for sensitive URLs in Terraform plan output

* [NDR-71] Remove debug outputs

* [NDR-71] Refactor Terraform plan output handling to hide sensitive values

* [NDR-71] Update GitHub Actions workflow for Terraform to enhance security and streamline processes

* [NDR-71] Enhance masking logic for AWS account IDs in Terraform plan output

* [NDR-71] Debug

* [NDR-71] Add fallback message for missing Lambda URLs in output masking

* [NDR-71] Enhance masking logic in Terraform plan output to handle missing API URLs, Lambda URLs, and AWS account IDs gracefully

* [NDR-71] Enhance Terraform Plan output logging by redirecting stderr to capture errors in plan and show commands

* [NDR-71] Update Terraform CI workflow for improved structure and clarity

Author: MatthewMoore-NHS

.github/workflows/terraform-dev-to-main-ci.yml

@@ -70,8 +70,40 @@ jobs:
     - name: Terraform Plan
       id: plan
       run: |
-        terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan
-        terraform show -no-color tf.plan > tfplan.txt
+        terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan > plan_output.txt 2>&1
+        terraform show -no-color tf.plan > tfplan.txt 2>&1
+        
+        # Mask sensitive URLs in the Terraform Plan output
+        grep -Eo 'https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*' tfplan.txt | while read -r api_url; do
+          if [ -n "$api_url" ]; then
+            echo "::add-mask::$api_url"
+          fi
+        done || echo "No api URLs found to mask."
+
+        # Mask Lambda invocation URLs
+        grep -Eo 'https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+' tfplan.txt | while read -r lambda_url; do
+          if [ -n "$lambda_url" ]; then
+            echo "::add-mask::$lambda_url"
+          fi
+        done || echo "No Lambda URLs found to mask."
+
+        # Mask AWS account IDs (12-digit numbers)
+        grep -Eo '[0-9]{12}' tfplan.txt | while read -r account_id; do
+          if [ -n "$account_id" ]; then
+            echo "::add-mask::$account_id"
+          fi
+        done || echo "No Account IDs found to mask."
+
+        # Mask GitHub secrets
+        echo "::add-mask::${{ secrets.AWS_ASSUME_ROLE }}"
+        echo "::add-mask::${{ secrets.GITHUB_TOKEN }}"
+
+        # Mask Terraform variables
+        echo "::add-mask::${{ vars.TF_VARS_FILE }}"
+
+        # Output the sanitized plan to logs
+        cat plan_output.txt
+
         echo "summary=$(grep -E 'Plan: [0-9]+ to add, [0-9]+ to change, [0-9]+ to destroy\.|No changes\. Your infrastructure matches the configuration\.' tfplan.txt | sed 's/.*No changes\. Your infrastructure matches the configuration/Plan: no changes/g' | sed 's/.*Plan: //g' | sed 's/\..*//g')" >> $GITHUB_OUTPUT
       working-directory: ./infrastructure
       shell: bash
@@ -87,6 +119,13 @@ jobs:
         ${{ steps.plan.outputs.stderr }}
         EOF
         )
+
+        # Optionally redact sensitive strings in the PLAN_FULL variable
+        PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's/[0-9]{12}/[REDACTED_AWS_ACCOUNT_ID]/g')
+        PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+#[REDACTED_LAMBDA_URL]#g')
+        PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*#[REDACTED_API_GATEWAY_URL]#g')
+        PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#arn:aws:iam::[0-9]{12}:role/[a-zA-Z0-9_-]+#[REDACTED_IAM_ROLE_ARN]#g')
+
         echo "PLAN<<EOF" >> $GITHUB_ENV
         echo "${PLAN_FULL::$LENGTH}" >> $GITHUB_ENV
         [ ${#PLAN_FULL} -gt $LENGTH ] && echo "(truncated - see workflow logs for full output)" >> $GITHUB_ENV