feat: allow masking output on comments

Author: GMartinez-Sisti

runatlantis.io/docs/custom-workflows.md

@@ -40,7 +40,7 @@ workflows:
           extra_args: ["-var-file", "staging.tfvars"]
     # NOTE: no need to define the apply stage because it will default
     # to the normal apply stage.
-    
+
   production:
     plan:
       steps:
@@ -147,11 +147,11 @@ workflows:
       - run:
           command: terraform init -input=false
           output: hide
-      
+
       # If you're using workspaces you need to select the workspace using the
       # $WORKSPACE environment variable.
       - run: terraform workspace select $WORKSPACE
-      
+
       # You MUST output the plan using -out $PLANFILE because Atlantis expects
       # plans to be in a specific location.
       - run: terraform plan -input=false -refresh -out $PLANFILE
@@ -234,7 +234,7 @@ $ tree --gitignore
 
 1. Container orchestrator (k8s/fargate/ecs/etc) uses the custom docker image of atlantis with `cdktf` installed with
 the `--autoplan-file-list` to trigger on `cdk.tf.json` files and `--include-git-untracked-files` set to include the
-CDKTF dynamically generated Terraform files in the Atlantis plan. 
+CDKTF dynamically generated Terraform files in the Atlantis plan.
 1. PR branch is pushed up containing `cdktf` code changes.
 1. Atlantis checks out the branch in the repo.
 1. Atlantis runs the `npm i && cdktf get && cdktf synth` command in the repo root as a step in `pre_workflow_hooks`,
@@ -335,7 +335,10 @@ workflows:
           value: 'true'
       - run:
           command: terragrunt plan -input=false -out=$PLANFILE
-          output: strip_refreshing
+          output: strip_refreshing_with_custom_regex
+          # Filters text matching 'mySecret: "aaa"' -> 'mySecret: "<redacted>"'
+          regex_filter: "((?i)secret:\\s\")[^\"]*"
+
     apply:
       steps:
       - env:
@@ -380,7 +383,7 @@ isn't set, Atlantis will use the default plan workflow which is what we want in
 * A custom command will only terminate if all output file descriptors are closed.
 Therefore a custom command can only be sent to the background (e.g. for an SSH tunnel during
 the terraform run) when its output is redirected to a different location. For example, Atlantis
-will execute a custom script containing the following code to create a SSH tunnel correctly: 
+will execute a custom script containing the following code to create a SSH tunnel correctly:
 `ssh -f -M -S /tmp/ssh_tunnel -L 3306:database:3306 -N bastion 1>/dev/null 2>&1`. Without
 the redirect, the script would block the Atlantis workflow.
 :::
@@ -501,20 +504,22 @@ Compact:
 
 Full
 ```yaml
-- run: 
+- run:
     command: custom-command arg1 arg2
     output: show
+    custom_regex: .*
 ```
-| Key | Type                                                         | Default | Required | Description                                                                                                                                                                                                                                                                                                                                                                                             |
-|-----|--------------------------------------------------------------|---------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| run | map[string -> string] | none    | no       | Run a custom command                                                                                                                                                                                                                                                                                                                                                                                    |
-| run.command | string                                                       | none | yes      | Shell command to run                                                                                                                                                                                                                                                                                                                                                                                    |
-| run.output | string                                                       | "show" | no       | How to post-process the output of this command when posted in the PR comment. The options are<br/>* `show` - preserve the full output<br/>* `hide` - hide output from comment (still visible in the real-time streaming output)<br/> * `strip_refreshing` - hide all output up until and including the last line containing "Refreshing...". This matches the behavior of the built-in `plan` command |
+| Key               | Type                  | Default | Required  | Description           |
+|-------------------|-----------------------|---------|-----------|-----------------------|
+| run               | map[string -> string] | none    | no        | Run a custom command  |
+| run.command       | string                | none    | yes       | Shell command to run  |
+| run.output        | string                | "show"  | no        | How to post-process the output of this command when posted in the PR comment. The options are<br/>* `show` - preserve the full output<br/>* `hide` - hide output from comment (still visible in the real-time streaming output)<br/> * `strip_refreshing` - hide all output up until and including the last line containing "Refreshing...". This matches the behavior of the built-in `plan` command<br/> * `custom_regex` - filters the comment output based on the regex specified on `run.regex_filter` by replacing matched patterns with the text `<redacted`. Note: this filter only applies to the comments posted by Atlantis, the plan output on the URL job is untouched <br/> * `strip_refreshing_with_custom_regex` - applies `strip_refreshing` and `custom_regex` to the output |
+| run.custom_regex  | string                | none    | no        | Regex filter to be applied to output. Required when `run.output` is `custom_regex` or `strip_refreshing_with_custom_regex` |
 
 ::: tip Notes
-* `run` steps in the main `workflow` are executed with the following environment variables:  
+* `run` steps in the main `workflow` are executed with the following environment variables:
   note: these variables are not available to `pre` or `post` workflows
-    * `WORKSPACE` - The Terraform workspace used for this project, ex. `default`.  
+    * `WORKSPACE` - The Terraform workspace used for this project, ex. `default`.
       NOTE: if the step is executed before `init` then Atlantis won't have switched to this workspace yet.
     * `ATLANTIS_TERRAFORM_VERSION` - The version of Terraform used for this project, ex. `0.11.0`.
     * `DIR` - Absolute path to the current directory.
@@ -544,10 +549,10 @@ Full
 * A custom command will only terminate if all output file descriptors are closed.
 Therefore a custom command can only be sent to the background (e.g. for an SSH tunnel during
 the terraform run) when its output is redirected to a different location. For example, Atlantis
-will execute a custom script containing the following code to create a SSH tunnel correctly: 
+will execute a custom script containing the following code to create a SSH tunnel correctly:
 `ssh -f -M -S /tmp/ssh_tunnel -L 3306:database:3306 -N bastion 1>/dev/null 2>&1`. Without
 the redirect, the script would block the Atlantis workflow.
-* If a workflow step returns a non-zero exit code, the workflow will stop. 
+* If a workflow step returns a non-zero exit code, the workflow will stop.
 :::
 
 #### Environment Variable `env` Command
@@ -574,7 +579,7 @@ as the environment variable value.
 
 ::: tip Notes
 * `env` `command`'s can use any of the built-in environment variables available
-  to `run` commands. 
+  to `run` commands.
 :::
 
 #### Multiple Environment Variables `multienv` Command
@@ -594,5 +599,5 @@ The name-value pairs in the result are added as environment variables if success
 
 ::: tip Notes
 * `multienv` `command`'s can use any of the built-in environment variables available
-  to `run` commands. 
+  to `run` commands.
 :::

server/core/config/raw/step.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"regexp"
 	"sort"
 	"strings"
 
@@ -12,21 +13,22 @@ import (
 )
 
 const (
-	ExtraArgsKey        = "extra_args"
-	NameArgKey          = "name"
-	CommandArgKey       = "command"
-	ValueArgKey         = "value"
-	OutputArgKey        = "output"
-	RunStepName         = "run"
-	PlanStepName        = "plan"
-	ShowStepName        = "show"
-	PolicyCheckStepName = "policy_check"
-	ApplyStepName       = "apply"
-	InitStepName        = "init"
-	EnvStepName         = "env"
-	MultiEnvStepName    = "multienv"
-	ImportStepName      = "import"
-	StateRmStepName     = "state_rm"
+	ExtraArgsKey         = "extra_args"
+	NameArgKey           = "name"
+	CommandArgKey        = "command"
+	ValueArgKey          = "value"
+	OutputArgKey         = "output"
+	OutputRegexFilterKey = "regex_filter"
+	RunStepName          = "run"
+	PlanStepName         = "plan"
+	ShowStepName         = "show"
+	PolicyCheckStepName  = "policy_check"
+	ApplyStepName        = "apply"
+	InitStepName         = "init"
+	EnvStepName          = "env"
+	MultiEnvStepName     = "multienv"
+	ImportStepName       = "import"
+	StateRmStepName      = "state_rm"
 )
 
 // Step represents a single action/command to perform. In YAML, it can be set as
@@ -43,6 +45,10 @@ const (
 //   - run:
 //     command: my custom command
 //     output: hide
+//   - run:
+//     command: my custom command
+//     output: custom_regex
+//     regex_filter: .*
 //
 // 3. A map for a built-in command and extra_args:
 //   - plan:
@@ -203,8 +209,19 @@ func (s Step) Validate() error {
 			}
 			delete(args, CommandArgKey)
 			if v, ok := args[OutputArgKey]; ok {
-				if !(v == valid.PostProcessRunOutputShow || v == valid.PostProcessRunOutputHide || v == valid.PostProcessRunOutputStripRefreshing) {
-					return fmt.Errorf("run step %q option must be one of %q, %q, or %q", OutputArgKey, valid.PostProcessRunOutputShow, valid.PostProcessRunOutputHide, valid.PostProcessRunOutputStripRefreshing)
+				if !valid.MatchesAnyPostProcessRunOutputOptions(v) {
+					return fmt.Errorf("run step %q option must be one of %q", OutputArgKey, strings.Join(valid.PostProcessRunOutputOptions(), ","))
+				}
+				// When output requires regex option
+				if v == valid.PostProcessRunOutputCustomRegex || v == valid.PostProcessRunOutputStripRefreshingWithCustomRegex {
+					if regex, ok := args[OutputRegexFilterKey]; ok {
+						if _, err := regexp.Compile(regex); err != nil {
+							return fmt.Errorf("run step %q option with expression %q is not a valid regex: %w", OutputRegexFilterKey, regex, err)
+						}
+						delete(args, OutputRegexFilterKey)
+					} else {
+						return fmt.Errorf("run step %q option requires %q to be set", OutputArgKey, OutputRegexFilterKey)
+					}
 				}
 			}
 			delete(args, OutputArgKey)
@@ -274,11 +291,12 @@ func (s Step) ToValid() valid.Step {
 		// step name so we just use the first one.
 		for stepName, stepArgs := range s.EnvOrRun {
 			step := valid.Step{
-				StepName:    stepName,
-				EnvVarName:  stepArgs[NameArgKey],
-				RunCommand:  stepArgs[CommandArgKey],
-				EnvVarValue: stepArgs[ValueArgKey],
-				Output:      valid.PostProcessRunOutputOption(stepArgs[OutputArgKey]),
+				StepName:          stepName,
+				EnvVarName:        stepArgs[NameArgKey],
+				RunCommand:        stepArgs[CommandArgKey],
+				EnvVarValue:       stepArgs[ValueArgKey],
+				Output:            valid.PostProcessRunOutputOption(stepArgs[OutputArgKey]),
+				OutputRegexFilter: stepArgs[OutputRegexFilterKey],
 			}
 			if step.StepName == RunStepName && step.Output == "" {
 				step.Output = valid.PostProcessRunOutputShow

server/core/config/raw/step_test.go

@@ -574,6 +574,24 @@ func TestStep_ToValid(t *testing.T) {
 				Output:     "hide",
 			},
 		},
+		{
+			description: "run step with regex",
+			input: raw.Step{
+				EnvOrRun: EnvOrRunType{
+					"run": {
+						"command":      "my 'run command'",
+						"output":       "regex_filter",
+						"regex_filter": ".*",
+					},
+				},
+			},
+			exp: valid.Step{
+				StepName:          "run",
+				RunCommand:        "my 'run command'",
+				Output:            "regex_filter",
+				OutputRegexFilter: ".*",
+			},
+		},
 	}
 	for _, c := range cases {
 		t.Run(c.description, func(t *testing.T) {

server/core/config/valid/repo_cfg.go

@@ -177,11 +177,35 @@ type Autoplan struct {
 type PostProcessRunOutputOption string
 
 const (
-	PostProcessRunOutputShow            = "show"
-	PostProcessRunOutputHide            = "hide"
-	PostProcessRunOutputStripRefreshing = "strip_refreshing"
+	PostProcessRunOutputShow                           = "show"
+	PostProcessRunOutputHide                           = "hide"
+	PostProcessRunOutputStripRefreshing                = "strip_refreshing"
+	PostProcessRunOutputCustomRegex                    = "custom_regex"
+	PostProcessRunOutputStripRefreshingWithCustomRegex = "strip_refreshing_with_custom_regex"
 )
 
+// PostProcessRunOutputOptions returns the available post processing options
+// This list needs to be manually updated
+func PostProcessRunOutputOptions() []string {
+	return []string{
+		PostProcessRunOutputShow,
+		PostProcessRunOutputHide,
+		PostProcessRunOutputStripRefreshing,
+		PostProcessRunOutputCustomRegex,
+		PostProcessRunOutputStripRefreshingWithCustomRegex,
+	}
+}
+
+// MatchesAnyPostProcessRunOutputOptions returns true when the input matches any of the available post processing options
+func MatchesAnyPostProcessRunOutputOptions(option string) bool {
+	for _, c := range PostProcessRunOutputOptions() {
+		if option == c {
+			return true
+		}
+	}
+	return false
+}
+
 type Stage struct {
 	Steps []Step
 }
@@ -194,6 +218,8 @@ type Step struct {
 	RunCommand string
 	// Output is option for post-processing a RunCommand output
 	Output PostProcessRunOutputOption
+	// OutputRegexFilter is a required option when post-processing uses a regex filter output
+	OutputRegexFilter string
 	// EnvVarName is the name of the
 	// environment variable that should be set by this step.
 	EnvVarName string

server/core/runtime/env_step_runner.go

@@ -21,7 +21,7 @@ func (r *EnvStepRunner) Run(ctx command.ProjectContext, command string, value st
 	}
 	// Pass `false` for streamOutput because this isn't interesting to the user reading the build logs
 	// in the web UI.
-	res, err := r.RunStepRunner.Run(ctx, command, path, envs, false, valid.PostProcessRunOutputShow)
+	res, err := r.RunStepRunner.Run(ctx, command, path, envs, false, valid.PostProcessRunOutputShow, "")
 	// Trim newline from res to support running `echo env_value` which has
 	// a newline. We don't recommend users run echo -n env_value to remove the
 	// newline because -n doesn't work in the sh shell which is what we use

server/core/runtime/mocks/mock_pull_approved_checker.go

@@ -17,7 +17,7 @@ type MultiEnvStepRunner struct {
 // Run runs the multienv step command.
 // The command must return a json string containing the array of name-value pairs that are being added as extra environment variables
 func (r *MultiEnvStepRunner) Run(ctx command.ProjectContext, command string, path string, envs map[string]string) (string, error) {
-	res, err := r.RunStepRunner.Run(ctx, command, path, envs, false, valid.PostProcessRunOutputShow)
+	res, err := r.RunStepRunner.Run(ctx, command, path, envs, false, valid.PostProcessRunOutputShow, "")
 	if err != nil {
 		return "", err
 	}

server/core/runtime/multienv_step_runner.go

@@ -265,6 +265,15 @@ func StripRefreshingFromPlanOutput(output string, tfVersion *version.Version) st
 	return output
 }
 
+func CustomRegexFromPlanOutput(output string, outputFilterRegex string) string {
+	if outputFilterRegex == "" {
+		return output
+	}
+	// Regex was validated previously
+	r := regexp.MustCompile(outputFilterRegex)
+	return r.ReplaceAllString(output, "${1}<redacted>$2")
+}
+
 // remoteOpsErr01114 is the error terraform plan will return if this project is
 // using TFE remote operations in TF 0.11.15.
 var remoteOpsErr01114 = `Error: Saving a generated plan is currently not supported!