Skip to content

fix: hide admin password in TF apply logs #526

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 14 commits into
base: main
Choose a base branch
from
+58 −10
Open

fix: hide admin password in TF apply logs #526

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
8ad04d4
fix: hide admin password in TF apply logs
Aditya-ranjan-16 Sep 20, 2025
84d3908
fix: pre-commit
Aditya-ranjan-16 Sep 22, 2025
65c9c2e
Merge branch 'main' into data-read-fix
Aditya-ranjan-16 Sep 23, 2025
eb53725
fix
Aditya-ranjan-16 Sep 30, 2025
c084c40
Merge branch 'main' into data-read-fix
Aditya-ranjan-16 Sep 30, 2025
2f6bdf0
Merge branch 'main' into data-read-fix
shemau Oct 3, 2025
c3b2a78
Merge branch 'main' into data-read-fix
Aditya-ranjan-16 Oct 7, 2025
b8bebb2
fix: added external data block
Aditya-ranjan-16 Oct 10, 2025
fe994a1
fix
Aditya-ranjan-16 Oct 10, 2025
c0acef7
Merge branch 'main' into data-read-fix
Aditya-ranjan-16 Oct 15, 2025
ae50e9c
fix
Aditya-ranjan-16 Oct 15, 2025
9f99c3c
fix: tests
Aditya-ranjan-16 Oct 15, 2025
2873aa6
Merge branch 'main' into data-read-fix
Aditya-ranjan-16 Oct 20, 2025
4d76aa0
Merge branch 'main' into data-read-fix
shemau Oct 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .secrets.baseline
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"files": "go.sum|^.secrets.baseline$",
"lines": null
},
"generated_at": "2025-10-11T11:57:05Z",
"generated_at": "2025-10-15T14:30:02Z",
"plugins_used": [
{
"name": "AWSKeyDetector"
Expand Down Expand Up @@ -110,7 +110,7 @@
"hashed_secret": "8c7c51db5075ebd0369c51e9f14737d9b4c1c21d",
"is_secret": false,
"is_verified": false,
"line_number": 413,
"line_number": 415,
"type": "Base64 High Entropy String",
"verified_result": null
}
Expand Down
15 changes: 10 additions & 5 deletions solutions/fully-configurable/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -464,15 +464,20 @@ locals {
code_engine_project_id = var.existing_code_engine_project_id != null ? var.existing_code_engine_project_id : null
code_engine_project_name = local.code_engine_project_id != null ? null : (var.prefix != null && var.prefix != "") ? "${var.prefix}-${var.kibana_code_engine_new_project_name}" : var.kibana_code_engine_new_project_name
code_engine_app_name = (var.prefix != null && var.prefix != "") ? "${var.prefix}-${var.kibana_code_engine_new_app_name}" : var.kibana_code_engine_new_app_name
kibana_version = var.enable_kibana_dashboard ? jsondecode(data.http.es_metadata[0].response_body).version.number : null
kibana_version = var.enable_kibana_dashboard ? try(data.external.es_metadata[0].result.version_number, null) : null
kibana_system_password = var.enable_kibana_dashboard ? startswith(random_password.kibana_system_password[0].result, "-") ? "J${substr(random_password.kibana_system_password[0].result, 1, -1)}" : startswith(random_password.kibana_system_password[0].result, "_") ? "K${substr(random_password.kibana_system_password[0].result, 1, -1)}" : random_password.kibana_system_password[0].result : null
kibana_app_login_password = var.enable_kibana_dashboard ? startswith(random_password.kibana_app_login_password[0].result, "-") ? "J${substr(random_password.kibana_app_login_password[0].result, 1, -1)}" : startswith(random_password.kibana_app_login_password[0].result, "_") ? "K${substr(random_password.kibana_app_login_password[0].result, 1, -1)}" : random_password.kibana_app_login_password[0].result : null
}

data "http" "es_metadata" {
count = var.enable_kibana_dashboard ? 1 : 0
url = "https://${local.elasticsearch_username}:${local.admin_pass}@${local.elasticsearch_hostname}:${local.elasticsearch_port}"
ca_cert_pem = base64decode(local.elasticsearch_cert)
data "external" "es_metadata" {
count = var.enable_kibana_dashboard ? 1 : 0
program = ["bash", "${path.module}/scripts/es_metadata.sh"]
query = {
url = "https://${local.elasticsearch_hostname}:${local.elasticsearch_port}"
username = local.elasticsearch_username
password = local.admin_pass
ca_cert_b64 = local.elasticsearch_cert
}
}

module "code_engine_kibana" {
Expand Down
41 changes: 41 additions & 0 deletions solutions/fully-configurable/scripts/es_metadata.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
#!/usr/bin/env bash
set -euo pipefail

# Read JSON from stdin
INPUT_JSON="$(cat)"

# Extract fields using jq
URL="$(echo "$INPUT_JSON" | jq -r '.url')"
USERNAME="$(echo "$INPUT_JSON" | jq -r '.username')"
PASSWORD="$(echo "$INPUT_JSON" | jq -r '.password')" # pragma: allowlist secret
CA_CERT_B64="$(echo "$INPUT_JSON" | jq -r '.ca_cert_b64')"

# Create a temporary directory for the CA cert
TMPDIR="$(mktemp -d)"
trap 'rm -rf "$TMPDIR"' EXIT

CA_PEM="$TMPDIR/ca.pem"
# Decode the base64 CA cert to a PEM file
echo "$CA_CERT_B64" | base64 -d > "$CA_PEM"

# Build Basic Auth header value
BASIC_AUTH="$(printf '%s:%s' "$USERNAME" "$PASSWORD" | base64)" # pragma: allowlist secret

# Fetch ES root endpoint, which returns cluster metadata including version
# -s silent, -S show errors, --fail for HTTP errors
# --cacert to trust the provided CA
RESP="$(curl -sS --fail \
-H "Authorization: Basic $BASIC_AUTH" \
--cacert "$CA_PEM" \
"$URL")"

# Parse version.number using jq
VERSION_NUMBER="$(echo "$RESP" | jq -r '.version.number // empty')"

# The external data source expects a flat JSON object on stdout.
# If version_number is empty, still return valid JSON but with null.
if [[ -z "$VERSION_NUMBER" ]]; then
echo '{"version_number":null}'
else
echo "{\"version_number\":\"$VERSION_NUMBER\"}"
fi
6 changes: 3 additions & 3 deletions solutions/fully-configurable/version.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,9 @@ terraform {
source = "hashicorp/random"
version = "3.7.2"
}
http = {
source = "hashicorp/http"
version = "3.5.0"
external = {
source = "hashicorp/external"
version = "~> 2.3"
}
}
}
2 changes: 2 additions & 0 deletions tests/pr_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ func TestRunFullyConfigurableSolutionSchematics(t *testing.T) {
TarIncludePatterns: []string{
"*.tf",
fmt.Sprintf("%s/*.tf", fullyConfigurableSolutionTerraformDir),
fmt.Sprintf("%s/scripts/*.sh", fullyConfigurableSolutionTerraformDir),
fmt.Sprintf("%s/*.sh", "scripts"),
},
TemplateFolder: fullyConfigurableSolutionTerraformDir,
Expand Down Expand Up @@ -201,6 +202,7 @@ func TestRunSecurityEnforcedSolutionSchematics(t *testing.T) {
"*.tf",
fmt.Sprintf("%s/*.tf", fullyConfigurableSolutionTerraformDir),
fmt.Sprintf("%s/*.tf", securityEnforcedSolutionTerraformDir),
fmt.Sprintf("%s/scripts/*.sh", fullyConfigurableSolutionTerraformDir),
fmt.Sprintf("%s/*.sh", "scripts"),
},
TemplateFolder: securityEnforcedSolutionTerraformDir,
Expand Down