AWS ECS Container definition environments do not get masked

[monemihir]

Environment variables passed to AWS ECS container definition do not get masked

export TFMASK_CHAR="#"
export TFMASK_VALUES_REGEX="(?i)^.*[^a-zA-Z](oauth|password|pass_for_service|pass_|passwd|key|result|id).*$"

Actual

[2021-10-21T07:03:02Z]   + resource "aws_ecs_task_definition" "main_task" {
--
  | [2021-10-21T07:03:02Z]       + arn                   = (known after apply)
  | [2021-10-21T07:03:02Z]       + container_definitions = jsonencode(
  | [2021-10-21T07:03:02Z]             [
  | [2021-10-21T07:03:02Z]               + {
  | [2021-10-21T07:03:02Z]                   + cpu               = 192
  | [2021-10-21T07:03:02Z]                   + environment       = [
  | [2021-10-21T07:03:02Z]                       + {
  | [2021-10-21T07:03:02Z]                           + name  = "ENVIRONMENT"
  | [2021-10-21T07:03:02Z]                           + value = "sandpit"
  | [2021-10-21T07:03:02Z]                         },
  | [2021-10-21T07:03:02Z]                       + {
  | [2021-10-21T07:03:02Z]                           + name  = "PASS_FOR_SERVICE"
  | [2021-10-21T07:03:02Z]                           + value = "abkjcdksj3892jjw"
  | [2021-10-21T07:03:02Z]                         },
 | [2021-10-21T07:03:02Z]                     ]
...

Expected

[2021-10-21T07:03:02Z]   + resource "aws_ecs_task_definition" "main_task" {
--
  | [2021-10-21T07:03:02Z]       + arn                   = (known after apply)
  | [2021-10-21T07:03:02Z]       + container_definitions = jsonencode(
  | [2021-10-21T07:03:02Z]             [
  | [2021-10-21T07:03:02Z]               + {
  | [2021-10-21T07:03:02Z]                   + cpu               = 192
  | [2021-10-21T07:03:02Z]                   + environment       = [
  | [2021-10-21T07:03:02Z]                       + {
  | [2021-10-21T07:03:02Z]                           + name  = "ENVIRONMENT"
  | [2021-10-21T07:03:02Z]                           + value = "sandpit"
  | [2021-10-21T07:03:02Z]                         },
  | [2021-10-21T07:03:02Z]                       + {
  | [2021-10-21T07:03:02Z]                           + name  = "PASS_FOR_SERVICE"
  | [2021-10-21T07:03:02Z]                           + value = "#################"
  | [2021-10-21T07:03:02Z]                         },
 | [2021-10-21T07:03:02Z]                     ]
...

I am using the latest version of tfmask

[hablutzel1]

Have you tried with the Terraform -no-color option?

[vishnu-techprescient-teika]

Hi, I am also getting a similar issue. I am trying to test with kubectl manifest, but tfmask is not working.

Without tfmask

Terraform will perform the following actions:

  # kubectl_manifest.test will be updated in-place
  ~ resource "kubectl_manifest" "test" {
        id                      = "/api/v1/namespaces/default/configmaps/vishnu-test-demo"
        name                    = "vishnu-test-demo"
      ~ yaml_body               = (sensitive value)
      ~ yaml_body_parsed        = <<-EOT
            apiVersion: v1
            data:
          -   password: ijMmsd1piZwz
          +   password: ijMms1piZwz_paa
            kind: ConfigMap
            metadata:
              name: vishnu-test-demo
        EOT
        # (12 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

With tfmask

Terraform will perform the following actions:

  # kubectl_manifest.test will be updated in-place
  ~ resource "kubectl_manifest" "test" {
        id                      = "######################################################"
        name                    = "vishnu-test-demo"
      ~ yaml_body               = (sensitive value)
      ~ yaml_body_parsed        = <<-EOT
            apiVersion: v1
            data:
          -   password: ijMmsd1piZwz
          +   password: ijMms1piZwz_paa
            kind: ConfigMap
            metadata:
              name: vishnu-test-demo
        EOT
        # (12 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

My env params:

export TFMASK_CHAR="#"                                                                                                       
export TFMASK_VALUES_REGEX="(?i)^.*(oauth|secret|token|password|key|result|id).*$"

command :
terraform plan -var-file=staging.tfvars -no-color | tfmask

Expected was to also mask the password section