in_cert{cert=cert"\n"$0}' tfplan.txt | while IFS= read -r cert_block; do
84
-
if [ -n "$cert_block" ]; then
85
-
echo "::add-mask::$cert_block"
86
-
fi
87
-
done || echo "No certificate blocks found to mask."
88
-
89
-
# Mask sensitive URLs in the Terraform Plan output
90
-
grep -Eo 'https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*' tfplan.txt | while read -r api_url; do
91
-
if [ -n "$api_url" ]; then
92
-
echo "::add-mask::$api_url"
93
-
fi
94
-
done || echo "No api URLs found to mask."
95
-
96
-
# Mask Lambda invocation URLs
97
-
grep -Eo 'https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+' tfplan.txt | while read -r lambda_url; do
98
-
if [ -n "$lambda_url" ]; then
99
-
echo "::add-mask::$lambda_url"
100
-
fi
101
-
done || echo "No Lambda URLs found to mask."
102
-
103
-
# Mask AWS account IDs (12-digit numbers)
104
-
grep -Eo '[0-9]{12}' tfplan.txt | while read -r account_id; do
105
-
if [ -n "$account_id" ]; then
106
-
echo "::add-mask::$account_id"
107
-
fi
108
-
done || echo "No Account IDs found to mask."
109
-
110
-
# Mask GitHub secrets
111
-
echo "::add-mask::${{ secrets.AWS_ASSUME_ROLE }}"
112
-
echo "::add-mask::${{ secrets.GITHUB_TOKEN }}"
113
-
114
-
# Mask Terraform variables
115
-
echo "::add-mask::${{ vars.TF_VARS_FILE }}"
116
-
117
-
# Output the sanitized plan to logs
118
-
cat plan_output.txt
119
-
120
-
echo "summary=$(grep -E 'Plan: [0-9]+ to add, [0-9]+ to change, [0-9]+ to destroy\.|No changes\. Your infrastructure matches the configuration\.' tfplan.txt | sed 's/.*No changes\. Your infrastructure matches the configuration/Plan: no changes/g' | sed 's/.*Plan: //g' | sed 's/\..*//g')" >> $GITHUB_OUTPUT
121
-
working-directory: ./infrastructure
122
-
shell: bash
123
-
124
-
- name: Truncate Plan Output
125
-
id: plan-truncated
126
-
if: success() || failure()
127
-
env:
128
-
LENGTH: 64512
129
-
run: |
130
-
PLAN_FULL=$(grep -v 'Refreshing state...' <<'EOF'
131
-
${{ steps.plan.outputs.stdout }}
132
-
${{ steps.plan.outputs.stderr }}
133
-
EOF
134
-
)
135
-
136
-
# Optionally redact sensitive strings in the PLAN_FULL variable
137
-
PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#arn:aws:iam::[0-9]{12}:role/[a-zA-Z0-9_-]+#[REDACTED_IAM_ROLE_ARN]#g')
138
-
PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's/[0-9]{12}/[REDACTED_AWS_ACCOUNT_ID]/g')
139
-
PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+#[REDACTED_LAMBDA_URL]#g')
140
-
PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*#[REDACTED_API_GATEWAY_URL]#g')
141
-
PLAN_FULL=$(echo "$PLAN_FULL" | sed -E '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/s/.*/[REDACTED_PEM_CERT]/')
142
-
143
-
echo "PLAN<<EOF" >> $GITHUB_ENV
144
-
echo "${PLAN_FULL::$LENGTH}" >> $GITHUB_ENV
145
-
[ ${#PLAN_FULL} -gt $LENGTH ] && echo "(truncated - see workflow logs for full output)" >> $GITHUB_ENV
146
-
echo "EOF" >> $GITHUB_ENV
76
+
terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan