mask + trunc

SWhyteAnswer · SWhyteAnswer · commit a30c87e7efef · 2025-06-12T15:30:56.000+01:00
diff --git a/.github/workflows/terraform-deploy-feature-to-sandbox.yml b/.github/workflows/terraform-deploy-feature-to-sandbox.yml
@@ -73,10 +73,81 @@ jobs:
       - name: Terraform Plan
         id: plan
         run: |
-          terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan
+          terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan > plan_output.txt 2>&1
+          terraform show -no-color tf.plan > tfplan.txt 2>&1
+  
+          # Mask PEM certificates (BEGIN...END CERTIFICATE)
+          awk 'BEGIN{cert=""}
+          /-----BEGIN CERTIFICATE-----/{cert=$0; in_cert=1; next}
+          /-----END CERTIFICATE-----/{cert=cert"\n"$0; print cert; cert=""; in_cert=0; next}
+          in_cert{cert=cert"\n"$0}' tfplan.txt | while IFS= read -r cert_block; do
+            if [ -n "$cert_block" ]; then
+              echo "::add-mask::$cert_block"
+            fi
+          done || echo "No certificate blocks found to mask."
+          
+          # Mask sensitive URLs in the Terraform Plan output
+          grep -Eo 'https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*' tfplan.txt | while read -r api_url; do
+            if [ -n "$api_url" ]; then
+              echo "::add-mask::$api_url"
+            fi
+          done || echo "No api URLs found to mask."
+  
+          # Mask Lambda invocation URLs
+          grep -Eo 'https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+' tfplan.txt | while read -r lambda_url; do
+            if [ -n "$lambda_url" ]; then
+              echo "::add-mask::$lambda_url"
+            fi
+          done || echo "No Lambda URLs found to mask."
+  
+          # Mask AWS account IDs (12-digit numbers)
+          grep -Eo '[0-9]{12}' tfplan.txt | while read -r account_id; do
+            if [ -n "$account_id" ]; then
+              echo "::add-mask::$account_id"
+            fi
+          done || echo "No Account IDs found to mask."
+  
+          # Mask GitHub secrets
+          echo "::add-mask::${{ secrets.AWS_ASSUME_ROLE }}"
+          echo "::add-mask::${{ secrets.GITHUB_TOKEN }}"
+  
+          # Mask Terraform variables
+          echo "::add-mask::${{ vars.TF_VARS_FILE }}"
+  
+          # Output the sanitized plan to logs
+          cat plan_output.txt
+  
+          echo "summary=$(grep -E 'Plan: [0-9]+ to add, [0-9]+ to change, [0-9]+ to destroy\.|No changes\. Your infrastructure matches the configuration\.' tfplan.txt | sed 's/.*No changes\. Your infrastructure matches the configuration/Plan: no changes/g' | sed 's/.*Plan: //g' | sed 's/\..*//g')" >> $GITHUB_OUTPUT
+        working-directory: ./infrastructure
+        shell: bash
+  
+      - name: Truncate Plan Output
+        id: plan-truncated
+        if: success() || failure()
+        env:
+          LENGTH: 64512
+        run: |
+          PLAN_FULL=$(grep -v 'Refreshing state...' <<'EOF'
+          ${{ steps.plan.outputs.stdout }}
+          ${{ steps.plan.outputs.stderr }}
+          EOF
+          )
+  
+          # Optionally redact sensitive strings in the PLAN_FULL variable
+          PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#arn:aws:iam::[0-9]{12}:role/[a-zA-Z0-9_-]+#[REDACTED_IAM_ROLE_ARN]#g')
+          PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's/[0-9]{12}/[REDACTED_AWS_ACCOUNT_ID]/g')
+          PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+#[REDACTED_LAMBDA_URL]#g')
+          PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*#[REDACTED_API_GATEWAY_URL]#g')
+          PLAN_FULL=$(echo "$PLAN_FULL" | sed -E '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/s/.*/[REDACTED_PEM_CERT]/')
+  
+          echo "PLAN<<EOF" >> $GITHUB_ENV
+          echo "${PLAN_FULL::$LENGTH}" >> $GITHUB_ENV
+          [ ${#PLAN_FULL} -gt $LENGTH ] && echo "(truncated - see workflow logs for full output)" >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
         working-directory: ./infrastructure
         shell: bash
 
       - name: Terraform Apply
         run: terraform apply -auto-approve -input=false tf.plan
         working-directory: ./infrastructure
+
diff --git a/.github/workflows/terraform-dev-to-main-ci.yml b/.github/workflows/terraform-dev-to-main-ci.yml
@@ -72,6 +72,16 @@ jobs:
       run: |
         terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan > plan_output.txt 2>&1
         terraform show -no-color tf.plan > tfplan.txt 2>&1
+
+        # Mask PEM certificates (BEGIN...END CERTIFICATE)
+        awk 'BEGIN{cert=""}
+        /-----BEGIN CERTIFICATE-----/{cert=$0; in_cert=1; next}
+        /-----END CERTIFICATE-----/{cert=cert"\n"$0; print cert; cert=""; in_cert=0; next}
+        in_cert{cert=cert"\n"$0}' tfplan.txt | while IFS= read -r cert_block; do
+          if [ -n "$cert_block" ]; then
+            echo "::add-mask::$cert_block"
+          fi
+        done || echo "No certificate blocks found to mask."
         
         # Mask sensitive URLs in the Terraform Plan output
         grep -Eo 'https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*' tfplan.txt | while read -r api_url; do
@@ -125,6 +135,7 @@ jobs:
         PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's/[0-9]{12}/[REDACTED_AWS_ACCOUNT_ID]/g')
         PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+#[REDACTED_LAMBDA_URL]#g')
         PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*#[REDACTED_API_GATEWAY_URL]#g')
+        PLAN_FULL=$(echo "$PLAN_FULL" | sed -E '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/s/.*/[REDACTED_PEM_CERT]/')
 
         echo "PLAN<<EOF" >> $GITHUB_ENV
         echo "${PLAN_FULL::$LENGTH}" >> $GITHUB_ENV
