Adding redaction to plan and apply workflows (#1082)

* Adding redaction to plan and apply workflows * changed file permissions * path changed
ministryofjustice · Jan 24, 2025 · 1735331 · 1735331
1 parent a6d88fb
commit 1735331
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 7 deletions.
diff --git a/.github/workflows/management-account-apply.yml b/.github/workflows/management-account-apply.yml
@@ -33,8 +33,8 @@ jobs:
         continue-on-error: true
       - run: terraform init
       - run: terraform validate -no-color
-      - run: terraform plan -no-color
-      - run: terraform apply -auto-approve
+      - run: terraform plan -no-color | ../../scripts/redaction.sh
+      - run: terraform apply -auto-approve | ../../scripts/redaction.sh
         if: github.event.ref == 'refs/heads/main'
 
       - name: Slack failure notification

diff --git a/.github/workflows/management-account-plan.yml b/.github/workflows/management-account-plan.yml
@@ -32,5 +32,5 @@ jobs:
         continue-on-error: true
       - run: terraform init
       - run: terraform validate -no-color
-      - run: terraform plan -no-color
+      - run: terraform plan -no-color | ../../scripts/redaction.sh
 
diff --git a/.github/workflows/organisation-security-apply.yml b/.github/workflows/organisation-security-apply.yml
@@ -33,8 +33,8 @@ jobs:
         continue-on-error: true
       - run: terraform init
       - run: terraform validate -no-color
-      - run: terraform plan -no-color
-      - run: terraform apply -auto-approve
+      - run: terraform plan -no-color | ../../scripts/redaction.sh
+      - run: terraform apply -auto-approve | ../../scripts/redaction.sh
         if: github.event.ref == 'refs/heads/main'
 
       - name: Slack failure notification

diff --git a/.github/workflows/organisation-security-plan.yml b/.github/workflows/organisation-security-plan.yml
@@ -32,5 +32,4 @@ jobs:
         continue-on-error: true
       - run: terraform init
       - run: terraform validate -no-color
-      - run: terraform plan -no-color
-
+      - run: terraform plan -no-color | ../../scripts/redaction.sh
diff --git a/scripts/redaction.sh b/scripts/redaction.sh
@@ -0,0 +1,10 @@
+# Based on: https://github.com/ministryofjustice/opg-org-infra/blob/main/scripts/redact_output.sh
+
+sed -u -E \
+    -e "s/AWS_SECRET_ACCESS_KEY=.*/AWS_SECRET_ACCESS_KEY=<REDACTED>/g" \
+    -e "s/AWS_ACCESS_KEY_ID=.*/AWS_ACCESS_KEY_ID=<REDACTED>/g" \
+    -e "s/\$(AWS_SECRET_ACCESS_KEY)=.*/\$(AWS_SECRET_ACCESS_KEY)=<REDACTED>/g" \
+    -e "s/\$(AWS_ACCESS_KEY_ID)=.*/\$(AWS_ACCESS_KEY_ID)=<REDACTED>/g" \
+    -e "s/\[id=[^]]*\]/\[id=<REDACTED>]/g" \
+    -e "s/::[0-9]{12}:/::REDACTED:/g" \
+    -e "s/:[0-9]{12}:/:REDACTED:/g"