[NDR-71] Add masking for sensitive information in Terraform plan output

MatthewMoore-NHS · MatthewMoore-NHS · commit 6dfff27e0891 · 2025-05-13T10:16:29.000+01:00
diff --git a/.github/workflows/terraform-dev-to-main-ci.yml b/.github/workflows/terraform-dev-to-main-ci.yml
@@ -87,6 +87,29 @@ jobs:
         ${{ steps.plan.outputs.stderr }}
         EOF
         )
+
+        # Mask AWS account IDs (12-digit numbers)
+        echo "$PLAN_FULL" | grep -oE '[0-9]{12}' | while read -r account_id; do
+          echo "::add-mask::$account_id"
+        done
+
+        # Mask Lambda invocation URLs
+        echo "$PLAN_FULL" | grep -oE 'https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+' | while read -r lambda_url; do
+          echo "::add-mask::$lambda_url"
+        done
+
+        # Mask GitHub secrets
+        echo "::add-mask::${{ secrets.AWS_ASSUME_ROLE }}"
+        echo "::add-mask::${{ secrets.GITHUB_TOKEN }}"
+
+        # Mask Terraform variables
+        echo "::add-mask::${{ vars.TF_VARS_FILE }}"
+
+        # Optionally redact sensitive strings in the PLAN_FULL variable
+        PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's/[0-9]{12}/[REDACTED_AWS_ACCOUNT_ID]/g')
+        PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+#[REDACTED_LAMBDA_URL]#g')
+        PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#arn:aws:iam::[0-9]{12}:role/[a-zA-Z0-9_-]+#[REDACTED_IAM_ROLE_ARN]#g')
+
         echo "PLAN<<EOF" >> $GITHUB_ENV
         echo "${PLAN_FULL::$LENGTH}" >> $GITHUB_ENV
         [ ${#PLAN_FULL} -gt $LENGTH ] && echo "(truncated - see workflow logs for full output)" >> $GITHUB_ENV
