feat: allow masking output on comments #4331
Did you test tfmask? Or any other tool?
I did, also terrahelp and even plain sed. The problem is that we are sending the output straight to the $planfile, so we can't act on it. I even tried to change the $showfile, and while that works, Atlantis doesn't use it for the comment.
I see, ok, it makes sense to do the pre-processing.
I like the feature and find it very useful. However, IMHO, the API could be better.

```yaml
workflows:
  terragrunt:
    plan:
      steps:
        - run:
            command: terragrunt plan -input=false -out=$PLANFILE
            output: strip_refreshing|show|hide
        - run:
            command: terragrunt plan -input=false -out=$PLANFILE
            output:
              - show
              - strip_refreshing
              - filter_regex: "((?i)secret:\\s\")[^\"]*"
```

This would allow us to support previous
Hi, thanks for the feedback 😃 I've been using this to support terraform for 100+ environments on the three major clouds with zero issues so far. I adjusted the regex to I have to rebase this soon, I'll take a stab at making it work the way you suggested and see how it behaves.
force-pushed from 4a4b5b6 to d4742ae
Hi @GMartinez-Sisti, are you able to look at the suggestions from @anryko. It would be great to get this merged.
I've been thinking about the suggested API, the suggested
I think this is not ideal and might create some confusion, we can support multiple types but only one at a time and act accordingly. This is my suggestion:

```yaml
workflows:
  terragrunt:
    plan:
      steps:
        - run:
            command: terragrunt plan -input=false -out=$PLANFILE
            output: strip_refreshing|show|hide
        - run:
            command: terragrunt plan -input=false -out=$PLANFILE
            output:
              - show
              - strip_refreshing
              - filter_regex
            regex_expression: "((?i)secret:\\s\")[^\"]*"
```

WDYT @anryko and @X-Guardian?
The API I suggested would provide an option to apply a sequence of simple regexps one after another. It would make your feature more powerful. I understand the added implementation complexity you are referring to and believe that this would be a bit easier to implement on top of the changes done for this feature, which "loosens" the config unmarshaling.
I see it, while being more verbose it will be more flexible indeed. I'll wait for #5024 to be merged then so I can leverage the new
Hi @GMartinez-Sisti, #5024 is now merged. Can you resolve the conflicts on this?
force-pushed from fd73789 to dd862aa
I've fixed the conflicts, but haven't updated the logic to match the suggestions.
This issue is stale because it has been open for 1 month with no activity. Remove stale label or comment or this will be closed in 1 month.
Will still work on this!
@GMartinez-Sisti still working on this? Thanks.
Yes! Just haven't had the time to focus and update it. But not forgotten.
This issue is stale because it has been open for 1 month with no activity. Remove stale label or comment or this will be closed in 1 month.
I'll pick this up this weekend. Sorry for the delay.
force-pushed from 34e6093 to 0a039ba
@X-Guardian @jamengual @anryko I finally got some time to work on this! Please take a look when possible :) 🙏
```go
)

// ParseRegex validates and returns a [Regexp] object
func ParseRegex(pattern string) (*regexp.Regexp, error) {
```
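Review bot: the godoc on ParseRegex ("validates and returns a [Regexp] object") does not say how it differs from the standard library's regexp.Compile; as the review comment below infers, the only difference is the handling of the empty pattern, so either state that difference in the comment (and give the function a name that reflects it) or drop the wrapper and handle the empty-pattern case at the call site where the nil is actually needed.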
I don't think this warrants a "utility" function. Its purpose seems to be just to change the zero object from the empty string regex to a nil. I'd prefer this happens at the call site, since it's not a "general" behavior we have. Additionally this would allow

```go
testRegexDotStar, _ := utils.ParseRegex(".*")
```

to be written in the simpler and more idiomatic

```go
testRegexDotStar := regexp.MustCompile(".*")
```

If we have to have this utility function, I'd prefer its name be changed to reflect the way its semantics differ from that of the standard library `regexp.Compile`, or at the very least its godoc comment updated to explain the difference.
Moving it closer to the call site makes sense. When I started this I thought it would have to be reused across multiple packages, but in the end it didn't so I can move it.
Regarding MustCompile, this will panic if it fails to parse, it's true that we already validated it when we parsed the configs so we can change it, was just trying to play it safe 😅 .
Oh yeah sorry to be clear, I'm only recommending `MustCompile()` in cases where you pass a literal string to it, like in tests.
This func is used in multiple places in the raw package:

```
→ ag ParseRegex
server/core/config/raw/step.go
311: _, err := utils.ParseRegex(v)
450: r, _ := utils.ParseRegex(t)
454: r, _ := utils.ParseRegex(e)
server/core/config/raw/step_test.go
508: testRegexDotStar, _ := utils.ParseRegex(".*")
509: testRegexSecret, _ := utils.ParseRegex("((?i)secret:\\s\")[^\"]*")
server/core/runtime/run_step_runner_test.go
26: testRegexSecret, _ := utils.ParseRegex(`((?i)Secret:\s")[^"]*`)
server/core/runtime/plan_step_runner_test.go
654: r, err := utils.ParseRegex(c.regex)
server/utils/regex.go
7:// ParseRegex validates and returns a [Regexp] object
8:func ParseRegex(pattern string) (*regexp.Regexp, error) {
```

What is your suggestion here? Just move the `regex.go` file to the `raw` package? Or add the func to a random file from that package?
```go
		return output
	}

	return filterRegex.ReplaceAllString(output, "${1}<redacted>$2")
```
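Review bot: the template "${1}<redacted>$2" relies on Go's expansion rule that a reference to a capture group the pattern does not have expands to the empty string, so with zero groups the entire match is replaced by <redacted>, with one group only the text of group 1 survives in front of it, and any text matched outside the first two groups is always dropped; the filter_regex documentation should state that the pattern must capture whatever prefix and suffix it wants to keep, and the zero-, one- and two-group cases should each have a test, as the comment below requests.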
It seems like the logic here is that we keep the first and second capture group, if they exist, and put them before and after `<redacted>`. I don't see this in the documentation, can this be added?
What happens if there are zero, one, or more than two capture groups? We should have test cases in `TestCustomRegexFromPlanOutputFromPlanOutput` to show the expectations here.
It will just match everything and return it without any change.
Also if it helps I have been running this in production since I made the PR :) And also already deployed this latest version and it's working fine.
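To make the capture-group question above concrete, here is an added stand-alone example (not code from the PR or from Atlantis) that applies the same `${1}<redacted>$2` replacement to a constructed plan snippet with a zero-, one- and two-group pattern; the `stripRefreshing` helper is an assumed stand-in for the existing strip_refreshing option, and the sample plan text and patterns are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of plan output (not from the PR): one "Refreshing state"
// line plus two values that must not reach a pull request comment.
const samplePlan = "Refreshing state... [id=vpc-123]\n" +
	"  + secret: \"hunter2\"\n" +
	"  + password = \"p@ss\"\n"

// maskOutput applies the replacement the PR uses: the text of capture groups
// 1 and 2 is kept (a missing group expands to "" under Go's Expand rules)
// and everything else inside each match is replaced with <redacted>.
func maskOutput(output string, filter *regexp.Regexp) string {
	if filter == nil { // no filter_regex configured on the step
		return output
	}
	return filter.ReplaceAllString(output, "${1}<redacted>$2")
}

// stripRefreshing is an assumed stand-in for strip_refreshing: it drops the
// lines that only report state refreshes.
func stripRefreshing(output string) string {
	var kept []string
	for _, line := range strings.Split(output, "\n") {
		if strings.HasPrefix(strings.TrimSpace(line), "Refreshing state...") {
			continue
		}
		kept = append(kept, line)
	}
	return strings.Join(kept, "\n")
}

func main() {
	// One group: the `secret: "` prefix is kept; `[^"]*` stops before the closing quote.
	one := regexp.MustCompile(`((?i)secret:\s")[^"]*`)
	// Two groups: prefix and closing quote are both kept around <redacted>.
	two := regexp.MustCompile(`(password = ")[^"]*(")`)
	// Zero groups: nothing is kept, the whole match becomes <redacted>.
	zero := regexp.MustCompile(`password = "[^"]*"`)
	for _, re := range []*regexp.Regexp{one, two, zero} {
		fmt.Printf("--- %s\n%s", re, maskOutput(stripRefreshing(samplePlan), re))
	}
}
```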
Signed-off-by: Gabriel Martinez <[email protected]>
force-pushed from f325dd1 to 7a61e6c
This issue is stale because it has been open for 1 month with no activity. Remove stale label or comment or this will be closed in 1 month.
what
Part of #163 (comment).

why
I have a requirement to mask some values that are passed to the comments posted by Atlantis. Building up on `strip_refreshing`, I added two new output configurations that will allow this via a regex configured on the step. There is an assumption that users that shouldn't see secrets/sensitive values won't have access to the URL jobs, where the plan outputs are shown untouched. The `output` key can now contain a `string`, `[]string` or `[]any`; this way we ensure compatibility while adding new possibilities to it. Example (added to the docs):
Note that the changes related to mocks were made manually since `make go-generate` is currently broken (#4664).

tests
`atlantis plan` provides the desired masked output on GitHub 😄

references
Possibly solves #163.