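--- a/.github/workflows/terraform-dev-to-main-ci.yml
+++ b/.github/workflows/terraform-dev-to-main-ci.yml
@@ -70,8 +70,40 @@ jobs:
 - name: Terraform Plan
 id: plan
 run: |
-terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan
-terraform show -no-color tf.plan > tfplan.txt
+terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan > plan_output.txt 2>&1
+terraform show -no-color tf.plan > tfplan.txt 2>&1
+
+# Mask sensitive URLs in the Terraform Plan output
+grep -Eo 'https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*' tfplan.txt | while read -r api_url; do
+if [ -n "$api_url" ]; then
+echo "::add-mask::$api_url"
+fi
+done || echo "No api URLs found to mask."
+
+# Mask Lambda invocation URLs
+grep -Eo 'https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+' tfplan.txt | while read -r lambda_url; do
+if [ -n "$lambda_url" ]; then
+echo "::add-mask::$lambda_url"
+fi
+done || echo "No Lambda URLs found to mask."
+
+# Mask AWS account IDs (12-digit numbers)
+grep -Eo '[0-9]{12}' tfplan.txt | while read -r account_id; do
+if [ -n "$account_id" ]; then
+echo "::add-mask::$account_id"
+fi
+done || echo "No Account IDs found to mask."
+
+# Mask GitHub secrets
+echo "::add-mask::${{ secrets.AWS_ASSUME_ROLE }}"
+echo "::add-mask::${{ secrets.GITHUB_TOKEN }}"
+
+# Mask Terraform variables
+echo "::add-mask::${{ vars.TF_VARS_FILE }}"
+
+# Output the sanitized plan to logs
+cat plan_output.txt
+
 echo "summary=$(grep -E 'Plan: [0-9]+ to add, [0-9]+ to change, [0-9]+ to destroy\.|No changes\. Your infrastructure matches the configuration\.' tfplan.txt | sed 's/.*No changes\. Your infrastructure matches the configuration/Plan: no changes/g' | sed 's/.*Plan: //g' | sed 's/\..*//g')" >> $GITHUB_OUTPUT
 working-directory: ./infrastructure
 shell: bash
@@ -87,6 +119,13 @@ jobs:
 ${{ steps.plan.outputs.stderr }}
 EOF
 )
+
+# Optionally redact sensitive strings in the PLAN_FULL variable
+PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's/[0-9]{12}/[REDACTED_AWS_ACCOUNT_ID]/g')
+PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+#[REDACTED_LAMBDA_URL]#g')
+PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*#[REDACTED_API_GATEWAY_URL]#g')
+PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#arn:aws:iam::[0-9]{12}:role/[a-zA-Z0-9_-]+#[REDACTED_IAM_ROLE_ARN]#g')
+
 echo "PLAN<<EOF" >> $GITHUB_ENV
 echo "${PLAN_FULL::$LENGTH}" >> $GITHUB_ENV
 [ ${#PLAN_FULL} -gt $LENGTH ] && echo "(truncated - see workflow logs for full output)" >> $GITHUB_ENV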
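Review bot: In the second hunk the bare account-ID substitution on new line 124 runs before the IAM role pattern on new line 127, so by the time `arn:aws:iam::[0-9]{12}:role/...` is tried the twelve digits have already been rewritten to `[REDACTED_AWS_ACCOUNT_ID]` and that expression can never match, leaving the role name in PLAN_FULL. Apply the most specific patterns first by moving the `[REDACTED_IAM_ROLE_ARN]` line above the `[REDACTED_AWS_ACCOUNT_ID]` line, and for the same reason keep the two URL substitutions ahead of the account-ID one, since their character classes do not admit the inserted `[`/`]`. In the first hunk the captured plan is only surfaced by `cat plan_output.txt` after the mask commands, so if `terraform plan` exits non-zero and the step shell is errexit (GitHub's `shell: bash` appears to default to `bash -eo pipefail`; please confirm) the step stops on the plan line and the redirected diagnostics are never shown. Capturing the status instead, e.g. `rc=0; terraform plan ... > plan_output.txt 2>&1 || rc=$?`, guarding the `terraform show` line on `rc`, and finishing with `exit "$rc"` after the `cat` keeps both the masking and the failure signal. Both hunks sit inside step definitions that begin before and continue past the shown lines.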