fix: redact api key in log files

ludwig-mueller · ludwig-mueller · commit 2b4622e31adf · 2025-10-02T13:10:40.000+02:00
diff --git a/solutions/standard-openshift/ansible/main.tf b/solutions/standard-openshift/ansible/main.tf
@@ -169,6 +169,16 @@ resource "terraform_data" "execute_playbooks" {
     ]
   }
 
+  # Again replace the API Key in any logs where it may have been included in plain text
+  provisioner "remote-exec" {
+    inline = [
+      "APIKEY=\"${local.ibmcloud_api_key}\"",
+      "grep -RIl -- \"$APIKEY\" \"/root\" | while IFS= read -r file; do",
+      "sed -i 's/'\"$APIKEY\"'/***redacted***/g' \"$file\"",
+      "done"
+    ]
+  }
+
   # print output of openshift installation if applicable, else do nothing
   provisioner "remote-exec" {
     inline = [
@@ -273,6 +283,16 @@ resource "terraform_data" "execute_playbooks_with_vault" {
     ]
   }
 
+  # Again replace the API Key in any logs where it may have been included in plain text
+  provisioner "remote-exec" {
+    inline = [
+      "APIKEY=\"${local.ibmcloud_api_key}\"",
+      "grep -RIl -- \"$APIKEY\" \"/root\" | while IFS= read -r file; do",
+      "sed -i 's/'\"$APIKEY\"'/***redacted***/g' \"$file\"",
+      "done"
+    ]
+  }
+
   # Again delete Ansible Vault password used to encrypt the var
   # files with sensitive information and private ssh key
   provisioner "remote-exec" {
diff --git a/solutions/standard-openshift/ansible/templates-ansible/deploy-openshift-cluster/ansible_exec.sh.tftpl b/solutions/standard-openshift/ansible/templates-ansible/deploy-openshift-cluster/ansible_exec.sh.tftpl
@@ -27,9 +27,17 @@ if [ $? -ne 0 ]; then
     if [ -f /root/.powervs/config.json ]; then ansible-vault encrypt /root/.powervs/config.json --vault-password-file password_file; fi
     rm -f password_file
     rm -rf $${ansible_private_key_file}
+    # remove API Key from any logs where it may have been included in plain text
+    grep -RIl -- "$IBMCLOUD_API_KEY" "/root" | while IFS= read -r file; do
+      sed -i 's/'"$IBMCLOUD_API_KEY"'/***redacted***/g' "$file"
+    done
     exit 1
 fi
 echo \"Playbook command successful\"
 rm -rf $${ansible_private_key_file}
 if [ -f /root/.powervs/config.json ]; then ansible-vault encrypt /root/.powervs/config.json --vault-password-file password_file; fi
 rm -f password_file
+# remove API Key from any logs where it may have been included in plain text
+grep -RIl -- "$IBMCLOUD_API_KEY" "/root" | while IFS= read -r file; do
+  sed -i 's/'"$IBMCLOUD_API_KEY"'/***redacted***/g' "$file"
+done
diff --git a/solutions/standard-openshift/ansible/templates-ansible/deploy-openshift-cluster/ansible_exec_vault.sh.tftpl b/solutions/standard-openshift/ansible/templates-ansible/deploy-openshift-cluster/ansible_exec_vault.sh.tftpl
@@ -27,9 +27,18 @@ if [ $? -ne 0 ]; then
     if [ -f /root/.powervs/config.json ]; then ansible-vault encrypt /root/.powervs/config.json --vault-password-file password_file; fi
     rm -f password_file
     rm -rf $${ansible_private_key_file}
+    # remove API Key from any logs where it may have been included in plain text
+    grep -RIl -- "$IBMCLOUD_API_KEY" "/root" | while IFS= read -r file; do
+      sed -i 's/'"$IBMCLOUD_API_KEY"'/***redacted***/g' "$file"
+    done
     exit 1
 fi
 echo \"Playbook command successful\"
 rm -rf $${ansible_private_key_file}
 if [ -f /root/.powervs/config.json ]; then ansible-vault encrypt /root/.powervs/config.json --vault-password-file password_file; fi
 rm -f password_file
+
+# remove API Key from any logs where it may have been included in plain text
+grep -RIl -- "$IBMCLOUD_API_KEY" "/root" | while IFS= read -r file; do
+  sed -i 's/'"$IBMCLOUD_API_KEY"'/***redacted***/g' "$file"
+done
