
Webhook secret is printed out in the terraform logs #4012


Closed
jizi opened this issue Jul 26, 2024 · 0 comments · Fixed by #4013

jizi commented Jul 26, 2024

Expected Behavior

Plaintext webhook secret is not present in the terraform logs. Example:

  # null_resource.update_app will be created
  + resource "null_resource" "update_app" {
      + id       = (known after apply)
      + triggers = {
          + "webhook_endpoint" = "https://xxxxxxxxx.execute-api.eu-central-1.amazonaws.com/webhook"
          + "webhook_secret"   = (sensitive value)
        }
    }

Current Behavior

Plaintext webhook secret is printed out in the terraform logs. Example:

  # null_resource.update_app will be created
  + resource "null_resource" "update_app" {
      + id       = (known after apply)
      + triggers = {
          + "webhook_endpoint" = "https://xxxxxxxxx.execute-api.eu-central-1.amazonaws.com/webhook"
          + "webhook_secret"   = "not_so_secret"
        }
    }

Module version: 5.12.2

Possible Solution

It should be enough to mark the github_app variable as sensitive in modules/webhook-github-app/variables.tf
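
The following is an added illustration of the fix proposed above, not part of the original issue and not the module's actual `variables.tf`. The reduced shape of `github_app` and the separate `webhook_endpoint` variable are assumptions made to keep the configuration self-contained.

```hcl
# Added example. Hypothetical, reduced reproduction of the behaviour in the issue.
# Requires Terraform 0.14 or later, where input variables accept `sensitive`.

variable "github_app" {
  description = "GitHub App settings (assumed shape, reduced to the field from the issue)."
  type = object({
    webhook_secret = string
  })

  # Without this line, `terraform plan` prints the secret inside the
  # triggers map, as shown under "Current Behavior".
  # With it, every value derived from var.github_app is rendered as
  # (sensitive value), as shown under "Expected Behavior".
  sensitive = true
}

variable "webhook_endpoint" {
  description = "Webhook URL (assumed to be a plain, non-secret input)."
  type        = string
}

resource "null_resource" "update_app" {
  triggers = {
    # Not derived from a sensitive value, so it stays visible in the plan.
    webhook_endpoint = var.webhook_endpoint

    # Inherits the sensitive mark from var.github_app and is redacted
    # in plan and apply output.
    webhook_secret = var.github_app.webhook_secret
  }
}

# Caveat: `sensitive` only redacts CLI output. The triggers map is still
# written to the Terraform state in plaintext, so the state backend needs
# its own access control and encryption at rest.
```

Any secret that already appeared in CI or terminal logs before the variable was marked sensitive should be treated as exposed and rotated.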
