fix: only redact api key if it was passed as an environment variable

ludwig-mueller · ludwig-mueller · commit 03a0e4589398 · 2025-10-02T21:37:21.000+02:00
diff --git a/solutions/standard-openshift/ansible/main.tf b/solutions/standard-openshift/ansible/main.tf
@@ -172,10 +172,12 @@ resource "terraform_data" "execute_playbooks" {
   # Again replace the API Key in any logs where it may have been included in plain text
   provisioner "remote-exec" {
     inline = [
-      "APIKEY=\"${local.ibmcloud_api_key}\"",
-      "grep -RIl -- \"$APIKEY\" \"/root\" | while IFS= read -r file; do",
-      "sed -i 's/'\"$APIKEY\"'/***redacted***/g' \"$file\"",
-      "done"
+      "if [ ! -z $IBMCLOUD_API_KEY ]; then",
+      "  IBMCLOUD_API_KEY=\"${local.ibmcloud_api_key}\"",
+      "  grep -RIl --devices=skip --exclude-dir='.ansible/' -- \"$IBMCLOUD_API_KEY\" \"/root\" | while IFS= read -r file; do",
+      "    sed -i 's/'\"$IBMCLOUD_API_KEY\"'/***redacted***/g' \"$file\"",
+      "  done",
+      "fi"
     ]
   }
 
@@ -286,10 +288,12 @@ resource "terraform_data" "execute_playbooks_with_vault" {
   # Again replace the API Key in any logs where it may have been included in plain text
   provisioner "remote-exec" {
     inline = [
-      "APIKEY=\"${local.ibmcloud_api_key}\"",
-      "grep -RIl -- \"$APIKEY\" \"/root\" | while IFS= read -r file; do",
-      "sed -i 's/'\"$APIKEY\"'/***redacted***/g' \"$file\"",
-      "done"
+      "if [ ! -z $IBMCLOUD_API_KEY ]; then",
+      "  IBMCLOUD_API_KEY=\"${local.ibmcloud_api_key}\"",
+      "  grep -RIl --devices=skip --exclude-dir='.ansible/' -- \"$IBMCLOUD_API_KEY\" \"/root\" | while IFS= read -r file; do",
+      "    sed -i 's/'\"$IBMCLOUD_API_KEY\"'/***redacted***/g' \"$file\"",
+      "  done",
+      "fi"
     ]
   }
 
diff --git a/solutions/standard-openshift/ansible/templates-ansible/deploy-openshift-cluster/ansible_exec.sh.tftpl b/solutions/standard-openshift/ansible/templates-ansible/deploy-openshift-cluster/ansible_exec.sh.tftpl
@@ -28,16 +28,20 @@ if [ $? -ne 0 ]; then
     rm -f password_file
     rm -rf $${ansible_private_key_file}
     # remove API Key from any logs where it may have been included in plain text
-    grep -RIl -- "$IBMCLOUD_API_KEY" "/root" | while IFS= read -r file; do
-      sed -i 's/'"$IBMCLOUD_API_KEY"'/***redacted***/g' "$file"
-    done
+    if [ ! -z $IBMCLOUD_API_KEY ]; then
+      grep -RIl --devices=skip --exclude-dir='.ansible/' -- "$IBMCLOUD_API_KEY" "/root" | while IFS= read -r file; do
+        sed -i 's/'"$IBMCLOUD_API_KEY"'/***redacted***/g' "$file"
+      done
+    fi
     exit 1
 fi
 echo \"Playbook command successful\"
 rm -rf $${ansible_private_key_file}
 if [ -f /root/.powervs/config.json ]; then ansible-vault encrypt /root/.powervs/config.json --vault-password-file password_file; fi
 rm -f password_file
 # remove API Key from any logs where it may have been included in plain text
-grep -RIl -- "$IBMCLOUD_API_KEY" "/root" | while IFS= read -r file; do
-  sed -i 's/'"$IBMCLOUD_API_KEY"'/***redacted***/g' "$file"
-done
+if [ ! -z $IBMCLOUD_API_KEY ]; then
+  grep -RIl --devices=skip --exclude-dir='.ansible/' -- "$IBMCLOUD_API_KEY" "/root" | while IFS= read -r file; do
+    sed -i 's/'"$IBMCLOUD_API_KEY"'/***redacted***/g' "$file"
+  done
+fi
diff --git a/solutions/standard-openshift/ansible/templates-ansible/deploy-openshift-cluster/ansible_exec_vault.sh.tftpl b/solutions/standard-openshift/ansible/templates-ansible/deploy-openshift-cluster/ansible_exec_vault.sh.tftpl
@@ -28,9 +28,11 @@ if [ $? -ne 0 ]; then
     rm -f password_file
     rm -rf $${ansible_private_key_file}
     # remove API Key from any logs where it may have been included in plain text
-    grep -RIl -- "$IBMCLOUD_API_KEY" "/root" | while IFS= read -r file; do
-      sed -i 's/'"$IBMCLOUD_API_KEY"'/***redacted***/g' "$file"
-    done
+    if [ ! -z $IBMCLOUD_API_KEY ]; then
+      grep -RIl --devices=skip --exclude-dir='.ansible/' -- "$IBMCLOUD_API_KEY" "/root" | while IFS= read -r file; do
+        sed -i 's/'"$IBMCLOUD_API_KEY"'/***redacted***/g' "$file"
+      done
+    fi
     exit 1
 fi
 echo \"Playbook command successful\"
@@ -39,6 +41,9 @@ if [ -f /root/.powervs/config.json ]; then ansible-vault encrypt /root/.powervs/
 rm -f password_file
 
 # remove API Key from any logs where it may have been included in plain text
-grep -RIl -- "$IBMCLOUD_API_KEY" "/root" | while IFS= read -r file; do
-  sed -i 's/'"$IBMCLOUD_API_KEY"'/***redacted***/g' "$file"
-done
+if [ ! -z $IBMCLOUD_API_KEY ]; then
+  grep -RIl --devices=skip --exclude-dir='.ansible/' -- "$IBMCLOUD_API_KEY" "/root" | while IFS= read -r file; do
+    echo Replacing \"$IBMCLOUD_API_KEY\" in file \"$file\"
+    sed -i 's/'"$IBMCLOUD_API_KEY"'/***redacted***/g' "$file"
+  done
+fi
