Add parameter to customize Terraform/OpenTofu log level #1810
Conversation
Pull request overview
This pull request adds a configurable log level parameter for Terraform/OpenTofu operations across multiple Jenkins pipeline files. The extra_logs_level parameter allows users to control Terraform logging verbosity with options: OFF, INFO, DEBUG, TRACE, WARN, ERROR, defaulting to 'OFF'.
Changes:
- Added `extra_logs_level` choice parameter to 80+ pipeline configuration files
- Modified 8 pipeline implementation scripts to export the `TF_LOG` environment variable
- Consistent parameter definition across all affected files
Reviewed changes
Copilot reviewed 130 out of 130 changed files in this pull request and generated 24 comments.
| File | Description |
|---|---|
| jenkins_pipelines/environments/uyuni-mu-cloud | Added extra_logs_level parameter; contains syntax error |
| jenkins_pipelines/environments/uyuni-master-* | Added extra_logs_level parameter consistently |
| jenkins_pipelines/environments/salt-shaker/* | Added extra_logs_level parameter consistently |
| jenkins_pipelines/environments/personal/* | Added extra_logs_level parameter consistently |
| jenkins_pipelines/environments/manager-* | Added extra_logs_level parameter consistently |
| jenkins_pipelines/environments/qe-build-validation-cleaning-pipeline | Added extra_logs_level parameter consistently |
| jenkins_pipelines/environments/common/pipeline.groovy | Exports TF_LOG with extra_logs_level value |
| jenkins_pipelines/environments/common/pipeline-*.groovy | All pipeline scripts export TF_LOG consistently |
| } | ||
| } | ||
| sh "set +x; source /home/jenkins/.credentials set -x; set -o pipefail; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision | sed -E 's/([^.]+)module\\.([^.]+)\\.module\\.([^.]+)(\\.module\\.[^.]+)?(\\[[0-9]+\\])?(\\.module\\.[^.]+)?(\\.[^.]+)?(.*)/\\1\\2.\\3\\8/'" | ||
| sh "set +x; source /home/jenkins/.credentials set -x; set -o pipefail; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TF_LOG=${params.extra_logs_level}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision | sed -E 's/([^.]+)module\\.([^.]+)\\.module\\.([^.]+)(\\.module\\.[^.]+)?(\\[[0-9]+\\])?(\\.module\\.[^.]+)?(\\.[^.]+)?(.*)/\\1\\2.\\3\\8/'" |
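Review bot: the added `export TF_LOG=${params.extra_logs_level};` is interpolated by Groovy, so when this shared script is run by a job that does not define the parameter (or before a newly added parameter has taken effect), `params.extra_logs_level` is null and the shell receives `export TF_LOG=null`; Terraform's logging setup does not recognise that value, prints a warning and falls back to TRACE, so the failure mode is the most verbose level rather than no logging. Guard the interpolation (for example `${params.extra_logs_level ?: 'OFF'}`) or build the export fragment in Groovy only when the value is one of the recognised levels.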
Copilot
AI
Jan 13, 2026
The TF_LOG environment variable should not be set to 'OFF'. According to Terraform/OpenTofu documentation, TF_LOG should either be unset or set to one of the valid log levels (TRACE, DEBUG, INFO, WARN, ERROR). Setting it to 'OFF' is not a recognized value and may not behave as expected. Consider conditionally exporting TF_LOG only when a valid log level is selected, or use an empty string for the default case.
| sh "set +x; source /home/jenkins/.credentials set -x; set -o pipefail; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TF_LOG=${params.extra_logs_level}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision | sed -E 's/([^.]+)module\\.([^.]+)\\.module\\.([^.]+)(\\.module\\.[^.]+)?(\\[[0-9]+\\])?(\\.module\\.[^.]+)?(\\.[^.]+)?(.*)/\\1\\2.\\3\\8/'" | |
| def tfLogLevel = params.extra_logs_level | |
| def tfLogExport = '' | |
| if (tfLogLevel) { | |
| def tfLogLevelNormalized = tfLogLevel.toString().toUpperCase() | |
| if (['TRACE', 'DEBUG', 'INFO', 'WARN', 'ERROR'].contains(tfLogLevelNormalized)) { | |
| tfLogExport = "export TF_LOG=${tfLogLevelNormalized}; " | |
| } | |
| } | |
| sh "set +x; source /home/jenkins/.credentials set -x; set -o pipefail; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; ${tfLogExport}export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision | sed -E 's/([^.]+)module\\.([^.]+)\\.module\\.([^.]+)(\\.module\\.[^.]+)?(\\[[0-9]+\\])?(\\.module\\.[^.]+)?(\\.[^.]+)?(.*)/\\1\\2.\\3\\8/'" |
| sh "echo 'CONTAINER_REPOSITORY=\"${params.container_repository}\"' >> ${resultdir}/sumaform/terraform.tfvars" | ||
| } | ||
| sh "set +x; source /home/jenkins/.credentials set -x; set -o pipefail; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; export ENVIRONMENT=${params.environment}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${TERRAFORM_INIT} ${TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision | sed -E 's/([^.]+)module\\.([^.]+)\\.module\\.([^.]+)(\\.module\\.[^.]+)?(\\[[0-9]+\\])?(\\.module\\.[^.]+)?(\\.[^.]+)?(.*)/\\1\\2.\\3\\8/'" | ||
| sh "set +x; source /home/jenkins/.credentials set -x; set -o pipefail; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TF_LOG=${params.extra_logs_level}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; export ENVIRONMENT=${params.environment}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${TERRAFORM_INIT} ${TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision | sed -E 's/([^.]+)module\\.([^.]+)\\.module\\.([^.]+)(\\.module\\.[^.]+)?(\\[[0-9]+\\])?(\\.module\\.[^.]+)?(\\.[^.]+)?(.*)/\\1\\2.\\3\\8/'" |
Copilot
AI
Jan 13, 2026
The TF_LOG environment variable should not be set to 'OFF'. According to Terraform/OpenTofu documentation, TF_LOG should either be unset or set to one of the valid log levels (TRACE, DEBUG, INFO, WARN, ERROR). Setting it to 'OFF' is not a recognized value and may not behave as expected. Consider conditionally exporting TF_LOG only when a valid log level is selected, or use an empty string for the default case.
| } | ||
| retry(count: 3) { | ||
| sh "set +x; source /home/jenkins/.credentials set -x; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision" | ||
| sh "set +x; source /home/jenkins/.credentials set -x; export TF_LOG=${params.extra_logs_level}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision" |
Copilot
AI
Jan 13, 2026
The TF_LOG environment variable should not be set to 'OFF'. According to Terraform/OpenTofu documentation, TF_LOG should either be unset or set to one of the valid log levels (TRACE, DEBUG, INFO, WARN, ERROR). Setting it to 'OFF' is not a recognized value and may not behave as expected. Consider conditionally exporting TF_LOG only when a valid log level is selected, or use an empty string for the default case.
| sh "set +x; source /home/jenkins/.credentials set -x; export TF_LOG=${params.extra_logs_level}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision" | |
| sh """set +x; source /home/jenkins/.credentials; set -x; | |
| TF_LOG_VALUE=${params.extra_logs_level} | |
| if [ -n "$TF_LOG_VALUE" ] && [ "$TF_LOG_VALUE" != "OFF" ]; then | |
| export TF_LOG="$TF_LOG_VALUE" | |
| else | |
| unset TF_LOG | |
| fi | |
| export TERRAFORM=${params.bin_path} | |
| export TERRAFORM_PLUGINS=${params.bin_plugins_path} | |
| ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision""" |
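Review bot: the suggested `sh """..."""` block is still a Groovy GString, so `"$TF_LOG_VALUE"` on the `if` line and `export TF_LOG="$TF_LOG_VALUE"` are expanded by Groovy before the shell runs, and since `TF_LOG_VALUE` is not a Groovy variable the step fails with a missing-property error; write both as `\$TF_LOG_VALUE` so the reference survives to the shell. Separately, `source /home/jenkins/.credentials; set -x;` differs from the `source /home/jenkins/.credentials set -x;` wording used by every neighbouring `sh` line in these scripts; that change is unrelated to the log level and should not ride along in this suggestion.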
| } | ||
| } | ||
| sh "set +x; source /home/jenkins/.credentials set -x; TERRAFORM=${params.bin_path} TERRAFORM_PLUGINS=${params.bin_plugins_path} ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision" | ||
| sh "set +x; source /home/jenkins/.credentials set -x; export TF_LOG=${params.extra_logs_level}; TERRAFORM=${params.bin_path} TERRAFORM_PLUGINS=${params.bin_plugins_path} ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision" |
Copilot
AI
Jan 13, 2026
The TF_LOG environment variable should not be set to 'OFF'. According to Terraform/OpenTofu documentation, TF_LOG should either be unset or set to one of the valid log levels (TRACE, DEBUG, INFO, WARN, ERROR). Setting it to 'OFF' is not a recognized value and may not behave as expected. Consider conditionally exporting TF_LOG only when a valid log level is selected, or use an empty string for the default case.
| sh "set +x; source /home/jenkins/.credentials set -x; export TF_LOG=${params.extra_logs_level}; TERRAFORM=${params.bin_path} TERRAFORM_PLUGINS=${params.bin_plugins_path} ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision" | |
| sh """set +x; source /home/jenkins/.credentials set -x; if [ "${params.extra_logs_level}" != "OFF" ] && [ -n "${params.extra_logs_level}" ]; then export TF_LOG=${params.extra_logs_level}; else unset TF_LOG; fi; TERRAFORM=${params.bin_path} TERRAFORM_PLUGINS=${params.bin_plugins_path} ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision""" |
| } | ||
| } | ||
| sh "set +x; source /home/jenkins/.credentials set -x; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision" | ||
| sh "set +x; source /home/jenkins/.credentials set -x; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TF_LOG=${params.extra_logs_level}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision" |
Copilot
AI
Jan 13, 2026
The TF_LOG environment variable should not be set to 'OFF'. According to Terraform/OpenTofu documentation, TF_LOG should either be unset or set to one of the valid log levels (TRACE, DEBUG, INFO, WARN, ERROR). Setting it to 'OFF' is not a recognized value and may not behave as expected. Consider conditionally exporting TF_LOG only when a valid log level is selected, or use an empty string for the default case.
| sh "set +x; source /home/jenkins/.credentials set -x; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TF_LOG=${params.extra_logs_level}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision" | |
| def tfLogExport = "" | |
| if (params.extra_logs_level && !params.extra_logs_level.equalsIgnoreCase('OFF')) { | |
| tfLogExport = "export TF_LOG=${params.extra_logs_level}; " | |
| } | |
| sh "set +x; source /home/jenkins/.credentials set -x; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; ${tfLogExport}export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision" |
| } | ||
| } | ||
| sh "set +x; source /home/jenkins/.credentials set -x; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision" | ||
| sh "set +x; source /home/jenkins/.credentials set -x; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TF_LOG=${params.extra_logs_level}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision" |
Copilot
AI
Jan 13, 2026
Using TF_LOG configured from the extra_logs_level build parameter can cause Terraform/OpenTofu to emit highly verbose logs, including provider configuration and secrets, into the sumaform log file and Jenkins console output. Anyone with permission to trigger this job and read its logs, but without direct access to the underlying credentials (such as those loaded from /home/jenkins/.credentials), can exfiltrate cloud keys or tokens by selecting DEBUG or TRACE. To avoid leaking secrets, gate high log levels behind an admin-only mechanism, restrict extra_logs_level to safe values in shared jobs (e.g., OFF/ERROR), or ensure that logs produced at debug levels are stored and accessed only within the same security boundary as the credentials themselves.
| sh "set +x; source /home/jenkins/.credentials set -x; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TF_LOG=${params.extra_logs_level}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision" | |
| // Sanitize TF_LOG to avoid enabling highly verbose levels (e.g. DEBUG/TRACE) in shared jobs | |
| def allowedTfLogLevels = ['', 'ERROR', 'WARN', 'INFO'] | |
| def requestedTfLogLevel = (params.extra_logs_level ?: '').toUpperCase() | |
| if (!allowedTfLogLevels.contains(requestedTfLogLevel)) { | |
| requestedTfLogLevel = 'ERROR' | |
| } | |
| env.TF_LOG = requestedTfLogLevel | |
| sh "set +x; source /home/jenkins/.credentials set -x; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TF_LOG=${env.TF_LOG}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform.log ${env.TERRAFORM_INIT} ${env.TERRAFORM_TAINT} --sumaform-backend ${params.sumaform_backend} --runstep provision" |
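Review bot: `allowedTfLogLevels` omits `OFF`, which the PR declares as the parameter's default, so every build that leaves the choice at its default is coerced to `ERROR` by the fallback in the `if` branch; add `'OFF'` to the list (or map it to `''`) so the default keeps TF_LOG unset. Also, `env.TF_LOG = requestedTfLogLevel` makes the value part of the pipeline-wide environment for every later step, which is unnecessary given the explicit `export TF_LOG=${env.TF_LOG}` in the `sh` string; a local `def` keeps the scope to this step.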
| export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref} | ||
| export TF_VAR_PRODUCT_VERSION=${product_version} | ||
| export TF_VAR_BASE_OS=${base_os} | ||
| export TF_LOG=${params.extra_logs_level} |
Copilot
AI
Jan 13, 2026
Using TF_LOG configured from the extra_logs_level build parameter can cause Terraform/OpenTofu to emit highly verbose logs, including provider configuration and secrets, into the Terraform log files and Jenkins console output. Anyone with permission to trigger this job and read its logs, but without direct access to the underlying credentials (such as those loaded from /home/jenkins/.credentials), can exfiltrate cloud keys or tokens by selecting DEBUG or TRACE. To avoid leaking secrets, gate high log levels behind an admin-only mechanism, restrict extra_logs_level to safe values in shared jobs (e.g., OFF/ERROR), or ensure that logs produced at debug levels are stored and accessed only within the same security boundary as the credentials themselves.
| // Deploying AWS server using MU repositories | ||
| sh "echo \"export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TF_VAR_MIRROR=${env.mirror_hostname_aws_private}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; export TF_VAR_SERVER_AMI=${server_ami}; export TF_VAR_PROXY_AMI=${proxy_ami}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform-aws.log --init --taint '.*(domain|main_disk).*' --runstep provision --custom-repositories ${WORKSPACE}/custom_repositories.json --sumaform-backend aws\"" | ||
| sh "set +x; source /home/jenkins/.credentials set -x; source /home/jenkins/.registration set -x; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TF_VAR_ARCHITECTURE=${params.architecture}; export TF_VAR_MIRROR=${env.mirror_hostname_aws_private}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; export TF_VAR_SERVER_AMI=${server_ami}; export TF_VAR_PROXY_AMI=${proxy_ami}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform-aws.log --init --taint '.*(domain|main_disk).*' --custom-repositories ${WORKSPACE}/custom_repositories.json --use-tf-resource-cleaner --tf-resources-to-keep ${params.minions_to_run.split(', ').join(' ')} --runstep provision --sumaform-backend aws" | ||
| sh "set +x; source /home/jenkins/.credentials set -x; source /home/jenkins/.registration set -x; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TF_VAR_ARCHITECTURE=${params.architecture}; export TF_VAR_MIRROR=${env.mirror_hostname_aws_private}; export TF_LOG=${params.extra_logs_level}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; export TF_VAR_SERVER_AMI=${server_ami}; export TF_VAR_PROXY_AMI=${proxy_ami}; ./terracumber-cli ${common_params} --logfile ${resultdirbuild}/sumaform-aws.log --init --taint '.*(domain|main_disk).*' --custom-repositories ${WORKSPACE}/custom_repositories.json --use-tf-resource-cleaner --tf-resources-to-keep ${params.minions_to_run.split(', ').join(' ')} --runstep provision --sumaform-backend aws" |
Copilot
AI
Jan 13, 2026
Using TF_LOG configured from the extra_logs_level build parameter can cause Terraform/OpenTofu to emit highly verbose logs, including provider configuration and secrets, into the Terraform log files and Jenkins console output. Anyone with permission to trigger this job and read its logs, but without direct access to the underlying credentials (such as those loaded from /home/jenkins/.credentials), can exfiltrate cloud keys or tokens by selecting DEBUG or TRACE. To avoid leaking secrets, gate high log levels behind an admin-only mechanism, restrict extra_logs_level to safe values in shared jobs (e.g., OFF/ERROR), or ensure that logs produced at debug levels are stored and accessed only within the same security boundary as the credentials themselves.
| sh "cp ${local_mirror_dir}/salt/mirror/etc/minimum_repositories_testsuite.yaml ${local_mirror_dir}/salt/mirror/etc/minima-customize.yaml" | ||
| // Deploy local mirror | ||
| sh "set +x; source /home/jenkins/.credentials set -x; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${local_mirror_params} --logfile ${resultdirbuild}/sumaform-mirror-local.log --init --taint '.*(domain|main_disk|data_disk|database_disk).*' --runstep provision --sumaform-backend libvirt" | ||
| sh "set +x; source /home/jenkins/.credentials set -x; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TF_LOG=${params.extra_logs_level}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${local_mirror_params} --logfile ${resultdirbuild}/sumaform-mirror-local.log --init --taint '.*(domain|main_disk|data_disk|database_disk).*' --runstep provision --sumaform-backend libvirt" |
Copilot
AI
Jan 13, 2026
Using TF_LOG configured from the extra_logs_level build parameter can cause Terraform/OpenTofu to emit highly verbose logs, including provider configuration and secrets, into the Terraform log files and Jenkins console output. Anyone with permission to trigger this job and read its logs, but without direct access to the underlying credentials (such as those loaded from /home/jenkins/.credentials), can exfiltrate cloud keys or tokens by selecting DEBUG or TRACE. To avoid leaking secrets, gate high log levels behind an admin-only mechanism, restrict extra_logs_level to safe values in shared jobs (e.g., OFF/ERROR), or ensure that logs produced at debug levels are stored and accessed only within the same security boundary as the credentials themselves.
| writeFile file: "${aws_mirror_dir}/terraform.tfvars", text: aws_configuration, encoding: "UTF-8" | ||
| // Deploy empty AWS mirror | ||
| sh "set +x; source /home/jenkins/.credentials set -x; source /home/jenkins/.registration set -x; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${aws_mirror_params} --logfile ${resultdirbuild}/sumaform-mirror-aws.log --init --taint '.*(domain|main_disk|data_disk|database_disk).*' --runstep provision --sumaform-backend aws" | ||
| sh "set +x; source /home/jenkins/.credentials set -x; source /home/jenkins/.registration set -x; export TF_VAR_CUCUMBER_GITREPO=${params.cucumber_gitrepo}; export TF_VAR_CUCUMBER_BRANCH=${params.cucumber_ref}; export TF_LOG=${params.extra_logs_level}; export TERRAFORM=${params.bin_path}; export TERRAFORM_PLUGINS=${params.bin_plugins_path}; ./terracumber-cli ${aws_mirror_params} --logfile ${resultdirbuild}/sumaform-mirror-aws.log --init --taint '.*(domain|main_disk|data_disk|database_disk).*' --runstep provision --sumaform-backend aws" |
Copilot
AI
Jan 13, 2026
Using TF_LOG configured from the extra_logs_level build parameter can cause Terraform/OpenTofu to emit highly verbose logs, including provider configuration and secrets, into the Terraform log files and Jenkins console output. Anyone with permission to trigger this job and read its logs, but without direct access to the underlying credentials (such as those loaded from /home/jenkins/.credentials), can exfiltrate cloud keys or tokens by selecting DEBUG or TRACE. To avoid leaking secrets, gate high log levels behind an admin-only mechanism, restrict extra_logs_level to safe values in shared jobs (e.g., OFF/ERROR), or ensure that logs produced at debug levels are stored and accessed only within the same security boundary as the credentials themselves.
Adds the possibility to set a custom log level for Terraform/OpenTofu in most pipelines.
By default, TF_LOG has no value set.
Everything that's not one of the defined levels will be treated as if it were not set. OFF is used for this purpose here.
Notice that even a "regular" value like INFO will add a considerable amount of logs, coming both from the Terraform/OpenTofu core and the providers in use (it's possible to be more granular with log levels, if needed).
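As an added example, not code from this PR or its repository: a POSIX sh helper that implements the checks raised in the review comments above and in the description (export TF_LOG only for a recognised level, leave it unset for OFF, an empty value or a missing parameter, and cap the verbosity a shared job may request). The function names, the ceiling argument and the handling of the literal `null` are assumptions of this example, not the project's own API.

```shell
#!/bin/sh
# Added example (not code from this PR or its repository). Normalises the
# extra_logs_level build parameter before terraform/tofu runs: TF_LOG is
# exported only for a recognised level, stays unset for OFF / empty / missing,
# and is clamped to a per-job ceiling so shared jobs cannot request DEBUG or
# TRACE. Function names and the ceiling argument are assumptions.

# Recognised TF_LOG levels, ranked from most to least verbose. Anything else
# is refused here so that an unrecognised value never reaches the binary.
tf_log_rank() {
    case "$1" in
        TRACE) echo 1 ;;
        DEBUG) echo 2 ;;
        INFO)  echo 3 ;;
        WARN)  echo 4 ;;
        ERROR) echo 5 ;;
        *)     return 1 ;;
    esac
}

# tf_log_effective RAW CEILING
# Prints the level to export, or nothing when TF_LOG should stay unset.
# RAW is the raw build parameter value; CEILING is the most verbose level this
# job may use (e.g. INFO for shared jobs, TRACE for admin-only jobs; default
# TRACE). Returns 1 when RAW or CEILING is not a recognised level.
tf_log_effective() {
    raw=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    ceiling=$(printf '%s' "${2:-TRACE}" | tr '[:lower:]' '[:upper:]')

    # OFF is the parameter's declared default and means "no TF_LOG at all".
    # An empty string covers an unset parameter; "null" is what a Groovy
    # GString renders when params.extra_logs_level is missing from the job
    # definition (assumed failure mode, handled the same way as OFF).
    case "$raw" in
        ''|OFF|NULL) return 0 ;;
    esac

    r=$(tf_log_rank "$raw") || {
        echo "extra_logs_level='$1' is not a recognised TF_LOG level; refusing" >&2
        return 1
    }
    c=$(tf_log_rank "$ceiling") || {
        echo "ceiling '$2' is not a recognised TF_LOG level; refusing" >&2
        return 1
    }

    # A lower rank is more verbose: clamp requests that exceed the ceiling.
    if [ "$r" -lt "$c" ]; then
        echo "TF_LOG=$raw exceeds the ceiling $ceiling for this job; using $ceiling" >&2
        printf '%s\n' "$ceiling"
    else
        printf '%s\n' "$raw"
    fi
}

# tf_log_apply RAW CEILING
# Exports or unsets TF_LOG in the calling shell. Returns 1 if the request
# was refused, leaving TF_LOG untouched.
tf_log_apply() {
    level=$(tf_log_effective "$1" "$2") || return 1
    if [ -n "$level" ]; then
        export TF_LOG="$level"
    else
        unset TF_LOG
    fi
}

# Demo: the default choice, a DEBUG request in a shared job capped at INFO,
# and a malformed value (constructed inputs).
for requested in OFF DEBUG bogus; do
    if tf_log_apply "$requested" INFO; then
        printf 'requested=%s effective=%s\n' "$requested" "${TF_LOG:-<unset>}"
    fi
done
```

In a pipeline step the helper would be sourced and called as `tf_log_apply "${params.extra_logs_level}" INFO` before the terracumber-cli invocation, with the ceiling chosen per job rather than by the person triggering the build.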