[NDR-71] Refactor Terraform plan output handling to hide sensitive values

MatthewMoore-NHS · MatthewMoore-NHS · commit f35ca6fdce37 · 2025-05-13T11:10:22.000+01:00
diff --git a/.github/workflows/terraform-dev-to-main-ci.yml b/.github/workflows/terraform-dev-to-main-ci.yml
@@ -72,21 +72,6 @@ jobs:
       run: |
         terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan
         terraform show -no-color tf.plan > tfplan.txt
-        echo "summary=$(grep -E 'Plan: [0-9]+ to add, [0-9]+ to change, [0-9]+ to destroy\.|No changes\. Your infrastructure matches the configuration\.' tfplan.txt | sed 's/.*No changes\. Your infrastructure matches the configuration/Plan: no changes/g' | sed 's/.*Plan: //g' | sed 's/\..*//g')" >> $GITHUB_OUTPUT
-      working-directory: ./infrastructure
-      shell: bash
-
-    - name: Truncate Plan Output
-      id: plan-truncated
-      if: success() || failure()
-      env:
-        LENGTH: 64512
-      run: |
-        PLAN_FULL=$(grep -v 'Refreshing state...' <<'EOF'
-        ${{ steps.plan.outputs.stdout }}
-        ${{ steps.plan.outputs.stderr }}
-        EOF
-        )
 
         # Mask AWS account IDs (12-digit numbers)
         echo "$PLAN_FULL" | grep -oE '[0-9]{12}' | while read -r account_id; do
@@ -115,6 +100,22 @@ jobs:
         # Mask Terraform variables
         echo "::add-mask::${{ vars.TF_VARS_FILE }}"
 
+        echo "summary=$(grep -E 'Plan: [0-9]+ to add, [0-9]+ to change, [0-9]+ to destroy\.|No changes\. Your infrastructure matches the configuration\.' tfplan.txt | sed 's/.*No changes\. Your infrastructure matches the configuration/Plan: no changes/g' | sed 's/.*Plan: //g' | sed 's/\..*//g')" >> $GITHUB_OUTPUT
+      working-directory: ./infrastructure
+      shell: bash
+
+    - name: Truncate Plan Output
+      id: plan-truncated
+      if: success() || failure()
+      env:
+        LENGTH: 64512
+      run: |
+        PLAN_FULL=$(grep -v 'Refreshing state...' <<'EOF'
+        ${{ steps.plan.outputs.stdout }}
+        ${{ steps.plan.outputs.stderr }}
+        EOF
+        )
+
         # Optionally redact sensitive strings in the PLAN_FULL variable
         PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's/[0-9]{12}/[REDACTED_AWS_ACCOUNT_ID]/g')
         PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+#[REDACTED_LAMBDA_URL]#g')
