support filtered regex (#1978)

* support masking of sensitive values

Author: motatoes

cli/pkg/digger/digger_test.go

@@ -63,7 +63,7 @@ func (m *MockTerraformExecutor) Show(params []string, envs map[string]string, pl
 	return nonEmptyTerraformPlanJson, "", nil
 }
 
-func (m *MockTerraformExecutor) Plan(params []string, envs map[string]string, planJsonFilePath string) (bool, string, string, error) {
+func (m *MockTerraformExecutor) Plan(params []string, envs map[string]string, planJsonFilePath string, s *string) (bool, string, string, error) {
 	m.Commands = append(m.Commands, RunInfo{"Plan", strings.Join(params, " "), time.Now()})
 	return true, "", "", nil
 }

docs/ce/howto/masking-sensitive-values.mdx

@@ -0,0 +1,27 @@
+---
+title: "Masking sensitive values"
+---
+
+You can use a regular expression to ensure that senstivie outputs are masked from plan outputs and comments by digger.
+This can be done at the workflow level as follows:
+
+```
+workflows:
+  default:
+    plan:
+      filter_regex: "((?i)filterme:\\s\"?)[^\"]*"
+      steps:
+        - init
+        - plan
+```
+
+Currently this is only supported at the plan step. The filter_regex is a regular expression and it will mask any occurence of
+that expression in the logs and the comment, replacing it with `<REDACTED>`. For example the following terraform:
+
+```
+output "filterme" {
+  value = "example_secret: filterme: topsecret"
+}
+```
+
+![](/images/configuration/masking-sensitive-values.png)

docs/images/configuration/masking-sensitive-values.png

@@ -92,6 +92,7 @@
         "ce/howto/generate-projects",
         "ce/howto/group-plans-by-source",
         "ce/howto/include-exclude-patterns",
+        "ce/howto/masking-sensitive-values",
         "ce/howto/multiacc-aws",
         "ce/howto/policy-overrides",
         "ce/howto/project-level-roles",

docs/mint.json

@@ -94,7 +94,8 @@ type Step struct {
 }
 
 type Stage struct {
-	Steps []Step
+	Steps       []Step
+	FilterRegex *string
 }
 
 func defaultWorkflow() *Workflow {

libs/digger_config/config.go

@@ -120,7 +120,9 @@ func copyTerraformEnvConfig(terraformEnvConfig *TerraformEnvConfigYaml) *Terrafo
 }
 
 func copyStage(stage *StageYaml) *Stage {
-	result := Stage{}
+	result := Stage{
+		FilterRegex: stage.FilterRegex,
+	}
 	result.Steps = make([]Step, len(stage.Steps))
 
 	for i, s := range stage.Steps {

libs/digger_config/converters.go

@@ -7,6 +7,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"regexp"
 	"strings"
 
 	"github.com/samber/lo"
@@ -546,6 +547,31 @@ func ValidateDiggerConfigYaml(configYaml *DiggerConfigYaml, fileName string) err
 		}
 	}
 
+	if configYaml.Workflows != nil {
+		for _, workflow := range configYaml.Workflows {
+			if workflow == nil {
+				continue
+			}
+			if workflow.Plan != nil && workflow.Plan.FilterRegex != nil {
+				_, err := regexp.Compile(*workflow.Plan.FilterRegex)
+				if err != nil {
+					slog.Error("invalid regex for plan filter",
+						"regex", *workflow.Plan.FilterRegex,
+						"error", err)
+					return fmt.Errorf("regex for plan filter is invalid: %v", err)
+				}
+			}
+			if workflow.Apply != nil && workflow.Apply.FilterRegex != nil {
+				_, err := regexp.Compile(*workflow.Apply.FilterRegex)
+				if err != nil {
+					slog.Error("invalid regex for apply filter",
+						"regex", *workflow.Apply.FilterRegex,
+						"error", err)
+					return fmt.Errorf("regex for apply filter is invalid: %v", err)
+				}
+			}
+		}
+	}
 	if configYaml.GenerateProjectsConfig != nil {
 		if configYaml.GenerateProjectsConfig.Include != "" &&
 			configYaml.GenerateProjectsConfig.Exclude != "" &&

libs/digger_config/digger_config.go

@@ -513,10 +513,12 @@ projects:
   workflow: my_custom_workflow
 workflows:
   my_custom_workflow:
-    steps:
-      - run: echo "run"
-      - init: terraform init
-      - plan: terraform plan
+    plan:
+      filter_regex: "myregex"
+      steps:
+        - run: echo "run"
+        - init: 
+        - plan:
 `
 	deleteFile := createFile(path.Join(tempDir, "digger.yaml"), diggerCfg)
 	defer deleteFile()
@@ -527,6 +529,8 @@ workflows:
 	assert.Equal(t, "my_custom_workflow", dg.Projects[0].Workflow)
 	_, ok := dg.Workflows["my_custom_workflow"]
 	assert.True(t, ok)
+	r := dg.Workflows["my_custom_workflow"].Plan.FilterRegex
+	assert.Equal(t, "myregex", *r)
 }
 
 func TestDiggerConfigCustomWorkflowMissingParams(t *testing.T) {

libs/digger_config/digger_config_test.go

@@ -78,7 +78,8 @@ func (s *StageYaml) ToCoreStage() Stage {
 }
 
 type StageYaml struct {
-	Steps []StepYaml `yaml:"steps"`
+	FilterRegex *string    `yaml:"filter_regex,omitempty"`
+	Steps       []StepYaml `yaml:"steps"`
 }
 
 type StepYaml struct {

libs/digger_config/yaml.go

@@ -234,7 +234,7 @@ func (d DiggerExecutor) Plan() (*iac_utils.IacSummary, bool, bool, string, strin
 			// TODO remove those only for pulumi project
 			planArgs = append(planArgs, step.ExtraArgs...)
 
-			_, stdout, stderr, err := d.TerraformExecutor.Plan(planArgs, d.CommandEnvVars, d.PlanPathProvider.LocalPlanFilePath())
+			_, stdout, stderr, err := d.TerraformExecutor.Plan(planArgs, d.CommandEnvVars, d.PlanPathProvider.LocalPlanFilePath(), d.PlanStage.FilterRegex)
 			if err != nil {
 				return nil, false, false, "", "", fmt.Errorf("error executing plan: %v", err)
 			}