Masking sensitive data in terraform parameters #45

Open
apielasa opened this issue Mar 22, 2023 · 3 comments

@apielasa
Contributor

apielasa commented Mar 22, 2023

Some values that need to be defined as terraform variables are sensitive and, in my opinion, should not be printed out in the StackStorm GUI and logs in plain text. For example, client_secret is required in backend configuration or any sensitive data we want to set as a terraform variable.

Is there any way of defining sensitive data in the current setup?

If there is no option of doing it, in my opinion, we should consider changing the "backend" object in the "init" action and the "variable_dict" object in other actions like "plan", "apply" and "destroy".

Change proposal:

  variable_dict:
    type: "object"
    description: "Terraform variable object (variables in here will overwrite any that are in files)"
    required: false
    secret: true
  backend:
    type: "object"
    description: "Key-Value pairs of backend configuration options."
    required: false
    secret: true

Let me know please what you think about it.
I can make a pull request if you do agree with this proposal.

@arm4b
Member

arm4b commented Mar 22, 2023

Yes, please add secret: true where you think it makes sense.
That would be very helpful as a PR 👍

@apielasa
Contributor Author

I found that enabling the “secret” flag for terraform variables does not solve all security challenges.

For example, when using private repositories, I have passed a git token as a system variable.
The default stackstorm “env” dictionary is not secured and there is no “secret” flag that can be enabled, so the required git token is also displayed in plain text.

To enhance security for sensitive terraform variables and environment variables I decided to add an additional parameter called “env_variable_dict” to the “terraform” packs.

Using this single parameter we can pass sensitive terraform variables by setting “TF_VAR_” values and also use private git repositories by setting a git token environment variable that will be masked in the UI and logs.

Please check out my PR and let me know if you find this feature useful for the community. 

#46
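
An added example, not part of this thread and not the code from PR #46: one way an action could consume a secret `env_variable_dict`, handing the values to the terraform child process only through its environment (terraform reads `TF_VAR_<name>` from there) and masking them in anything it logs. The function names, the `GIT_TOKEN` variable name and the sample values are assumptions made for illustration.

```python
import os
import subprocess

MASK = "********"

# Constructed sample input; GIT_TOKEN is a hypothetical variable name.
SAMPLE = {
    "TF_VAR_client_secret": "constructed-secret-value",
    "GIT_TOKEN": "constructed-token",
}


def build_terraform_env(env_variable_dict, base_env=None):
    """Merge the secret dict into the environment for the terraform process."""
    env = dict(os.environ if base_env is None else base_env)
    for name, value in (env_variable_dict or {}).items():
        # Reject names the OS cannot represent as an environment variable.
        if not isinstance(name, str) or not name or "=" in name or "\0" in name:
            raise ValueError("invalid environment variable name: %r" % (name,))
        env[name] = str(value)
    return env


def masked_view(env_variable_dict):
    """Loggable form of the dict: names are kept, values are masked."""
    return {name: MASK for name in (env_variable_dict or {})}


def scrub(text, env_variable_dict):
    """Mask any secret value that the tool echoed into its output."""
    values = {str(v) for v in (env_variable_dict or {}).values() if str(v)}
    # Longest first, so a secret containing another one is masked whole.
    for value in sorted(values, key=len, reverse=True):
        text = text.replace(value, MASK)
    return text


def run_terraform(args, env_variable_dict, cwd=None):
    """Run terraform with secrets in the environment only, never in argv."""
    proc = subprocess.run(
        ["terraform"] + list(args),
        env=build_terraform_env(env_variable_dict),
        cwd=cwd, capture_output=True, text=True, check=False,
    )
    return (proc.returncode,
            scrub(proc.stdout, env_variable_dict),
            scrub(proc.stderr, env_variable_dict))
```
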

@apielasa
Contributor Author

apielasa commented Apr 3, 2023

@armab - could you please take a look at this please?
