1702-add censor to secret (#3)

* add censor to secret

.github/workflows/build.yml

@@ -28,11 +28,11 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v2
         with:
-          go-version: '1.14.7'
+          go-version: '>=1.17.0'
       - name: Install dependencies
         run: |
           go version
-          go get -u golang.org/x/lint/golint
+          go install golang.org/x/lint/golint@latest
       - name: Run build
         run: go build .
         working-directory: diff

.github/workflows/release.yml

@@ -13,11 +13,11 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v2
         with:
-          go-version: '1.14.7'
+          go-version: '>=1.17.0'
       - name: Install dependencies
         run: |
           go version
-          go get -u golang.org/x/lint/golint
+          go install golang.org/x/lint/golint@latest
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@master
         with:

.gitignore

@@ -1,3 +1,4 @@
 .terraform
 diff/diff
 *.log
+terraform.tfstate

diff/cmd/cmd.go

@@ -2,7 +2,7 @@ package cmd
 
 import (
     "flag"
-    "github.com/FinalCAD/terraform-diff-module/diff/internal/diff"
+    "github.com/FinalCAD/terraform-diff-module/diff/internal/change"
 )
 
 func Execute() {
@@ -13,6 +13,6 @@ func Execute() {
     flag.StringVar(&updated, "u", "{}", "Specify updated json")
     printJson := flag.Bool("json", false, "Output to json format")
     flag.Parse()
-    var r = diff.Diff(initial, updated)
-    r.Print(*printJson)
+    var change = change.Change(initial, updated)
+    change.Print(*printJson)
 }

diff/go.mod

@@ -1,15 +1,11 @@
 module github.com/FinalCAD/terraform-diff-module/diff
 
-go 1.14
+go 1.17
 
-replace github.com/FinalCAD/terraform-diff-module/diff/cmd => ./cmd
-
-replace github.com/FinalCAD/terraform-diff-module/diff/internal/diff => ./internal/diff
-
-replace github.com/FinalCAD/terraform-diff-module/diff/internal/types => ./internal/types
+require github.com/fatih/color v1.13.0
 
 require (
-	github.com/FinalCAD/terraform-diff-module/diff/cmd v0.0.0-00010101000000-000000000000
-	github.com/FinalCAD/terraform-diff-module/diff/internal/diff v0.0.0-00010101000000-000000000000 // indirect
-	github.com/FinalCAD/terraform-diff-module/diff/internal/types v0.0.0-00010101000000-000000000000 // indirect
+	github.com/mattn/go-colorable v0.1.9 // indirect
+	github.com/mattn/go-isatty v0.0.14 // indirect
+	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect
 )

diff/go.sum

@@ -1,9 +1,17 @@
 github.com/fatih/color v1.12.0 h1:mRhaKNwANqRgUBGKmnI5ZxEk7QXmjQeCcuYFMX2bfcc=
 github.com/fatih/color v1.12.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
+github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
+github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/mattn/go-colorable v0.1.8 h1:c1ghPdyEDarC70ftn0y+A/Ee++9zz8ljHG1b13eJ0s8=
 github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
+github.com/mattn/go-colorable v0.1.9 h1:sqDoxXbdeALODt0DAeJCVp38ps9ZogZEAXjus69YV3U=
+github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
+github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
+github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae h1:/WDfKMnPU+m5M4xB+6x4kaepxRw6jWvR5iDRdvjHgy8=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c h1:F1jZWGFhYfh0Ci55sIpILtKKK8p3i2/krTr0H1rg74I=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

diff/internal/diff/diff.go → diff/internal/change/change.go

@@ -1,4 +1,4 @@
-package diff
+package change
 
 import (
     "fmt"
@@ -14,7 +14,7 @@ func ProtectString(data string) (res string) {
     return strings.Replace(data, "\"", "\\\"", -1)
 }
 
-func TransToString(data interface{}) (res string) {
+func TransformToString(data interface{}) (res string) {
     switch v := data.(type) {
     case float64:
         res = strconv.FormatFloat(data.(float64), 'g', 6, 64)
@@ -54,25 +54,25 @@ func Compare(jsonOldData Secrets, jsonNewData Secrets) types.Results {
     }
 
     for key, _ := range results {
-        value, ok := jsonOldData.(map[string]interface{})[key]
-        value2, ok2 := jsonNewData.(map[string]interface{})[key]
+        oldvalue, old := jsonOldData.(map[string]interface{})[key]
+        newvalue, new := jsonNewData.(map[string]interface{})[key]
 
-        strValue := TransToString(value)
-        strValue2 := TransToString(value2)
+        strValue := TransformToString(oldvalue)
+        strValue2 := TransformToString(newvalue)
 
-        if (!ok) {
-            results[key].UpdateResult(types.ChangeStatus.ADD, ProtectString(strValue2))
-        } else if (!ok2) {
-            results[key].UpdateResult(types.ChangeStatus.REMOVE, ProtectString(strValue))
+        if (!old) {
+            results[key].UpdateResult(types.ChangeStatus.ADD, ProtectString(strValue2), "")
+        } else if (!new) {
+            results[key].UpdateResult(types.ChangeStatus.REMOVE, ProtectString(strValue), "")
         } else if (strValue != strValue2) {
-            results[key].UpdateResult(types.ChangeStatus.CHANGE, ProtectString(strValue) + " -> " + ProtectString(strValue2))
+            results[key].UpdateResult(types.ChangeStatus.CHANGE, ProtectString(strValue), ProtectString(strValue2))
         }
     }
 
     return results
 }
 
-func Unmarshal(data string) Secrets{
+func UnMarshal(data string) Secrets{
 	var jsonData interface{}
     err := json.Unmarshal([]byte(data), &jsonData)
     if err != nil {
@@ -81,6 +81,6 @@ func Unmarshal(data string) Secrets{
     return jsonData
 }
 
-func Diff(original string, updated string) types.Results {
-    return Compare(Unmarshal(original), Unmarshal(updated))
+func Change(original string, updated string) types.Results {
+    return Compare(UnMarshal(original), UnMarshal(updated))
 }

diff/internal/types/results.go

@@ -3,24 +3,69 @@ package types
 import (
     "fmt"
     "sort"
+    "strings"
     "github.com/fatih/color"
 )
 
+var ProtectedKeys = []string{
+    "accesskey",
+    "secretkey",
+    "projectkey",
+    "database",
+    "_key",
+    "password",
+    "apikey",
+    "clientid",
+    "roleid",
+    "token",
+    "connectionstring",
+}
+
 type Result struct {
     Change StatusType
     Diff string
+    NewValue string
 }
 
+type Results map[string]*Result
+
 func NewResult() *Result {
-    return &Result{Change: ChangeStatus.SAME, Diff: ""}
+    return &Result{Change: ChangeStatus.SAME, Diff: "", NewValue: ""}
 }
 
-func (r *Result) UpdateResult(change StatusType, diff string) {
+func (r *Result) UpdateResult(change StatusType, diff string, newvalue string) {
     r.Change = change
     r.Diff = diff
+    r.NewValue = newvalue
 }
 
-type Results map[string]*Result
+func isSensible(key string) bool {
+    for _, substring := range ProtectedKeys {
+        if strings.Contains(strings.ToLower(key), substring) {
+            return true
+        }
+    }
+    return false
+}
+
+func CensorValue(key string, r *Result) string {
+    showdiff := r.Diff
+    shownewvalue := r.NewValue
+    if isSensible(key) {
+        showdiff = "*****"
+        shownewvalue = "*****"
+        if len(r.Diff) > 4 {
+            showdiff = fmt.Sprintf("%s*****%s", r.Diff[0:2], r.Diff[len(r.Diff)-2:len(r.Diff)])
+        }
+        if len(r.NewValue) > 4 {
+            shownewvalue = fmt.Sprintf("%s*****%s", r.NewValue[0:2], r.NewValue[len(r.NewValue)-2:len(r.NewValue)])
+        }
+    }
+    if r.Change == ChangeStatus.CHANGE {
+        showdiff = fmt.Sprintf("%s ~> %s", showdiff, shownewvalue)
+    }
+    return fmt.Sprintf("%s : %s", key, showdiff)
+}
 
 func (r Results) Print(jsonFlag bool) {
     keys := make([]string, 0, len(r))
@@ -39,7 +84,7 @@ func PrintFmt(keys []string, r Results) {
     color.Unset()
     for _, key := range keys {
         if (r[key].Change > 0) {
-            fmt.Printf("%s %s: %s", r[key].Change, key, r[key].Diff)
+            fmt.Printf("%s %s", r[key].Change, CensorValue(key, r[key]))
         }
     }
     color.Unset()
@@ -54,7 +99,7 @@ func PrintJson(keys []string, r Results) {
             if i != 0 {
                 fmt.Print(", ")
             }
-            fmt.Printf("\"change %d\": \"%s %s: %s\"", i, r[key].Change, key, r[key].Diff)
+            fmt.Printf("\"change %d\": \"%s %s\"", i, r[key].Change, CensorValue(key, r[key]))
             i += 1
         }
     }

module/README.md

@@ -2,29 +2,40 @@
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12 |
-| external | >= 2.1 |
-| null | >= 3.1 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12 |
+| <a name="requirement_external"></a> [external](#requirement\_external) | >= 2.1 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | n/a |
-| external | >= 2.1 |
-| null | >= 3.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_external"></a> [external](#provider\_external) | >= 2.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_secretsmanager_secret_version.secret_manager_current_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |
+| [external_external.diff_secret](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| aws\_allowed\_account\_ids | Allowed accounts ids | `list(string)` | `[]` | no |
-| aws\_assume\_role | AWS role to use | `string` | `""` | no |
-| aws\_region | AWS region to deploy to (e.g. eu-central-1) | `string` | `""` | no |
-| aws\_secret\_id\_current | AWS Secret Id | `string` | `""` | no |
-| secret\_manager\_new\_version | Updated secret value as a map of value | `map(any)` | `{}` | no |
+| <a name="input_aws_allowed_account_ids"></a> [aws\_allowed\_account\_ids](#input\_aws\_allowed\_account\_ids) | Allowed accounts ids | `list(string)` | `[]` | no |
+| <a name="input_aws_assume_role"></a> [aws\_assume\_role](#input\_aws\_assume\_role) | AWS role to use | `string` | `""` | no |
+| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS region to deploy to (e.g. eu-central-1) | `string` | `""` | no |
+| <a name="input_aws_secret_id_current"></a> [aws\_secret\_id\_current](#input\_aws\_secret\_id\_current) | AWS Secret Id | `string` | `""` | no |
+| <a name="input_secret_manager_new_version"></a> [secret\_manager\_new\_version](#input\_secret\_manager\_new\_version) | Updated secret value as a map of value | `map(any)` | `{}` | no |
 
 ## Outputs
 
-No output.
-
+| Name | Description |
+|------|-------------|
+| <a name="output_env_vars_change"></a> [env\_vars\_change](#output\_env\_vars\_change) | n/a |

module/main.tf

@@ -13,9 +13,3 @@ data "external" "diff_secret" {
     jsonencode(var.secret_manager_new_version)
   ]
 }
-
-resource "null_resource" "deploy_info" {
-  triggers = {
-    env_change = join("\n", [for key, value in data.external.diff_secret.result : "${key} -> ${value}"])
-  }
-}

module/output.tf

@@ -0,0 +1,3 @@
+output "env_vars_change" {
+  value = data.external.diff_secret.result
+}

module/scripts/diff.sh

@@ -4,4 +4,6 @@ OS=$(uname | tr '[:upper:]' '[:lower:]')
 CMD_PATH=$(echo "https://github.com/FinalCAD/terraform-diff-module/releases/download/$1/diff_$1_${OS}_amd64.tar.gz")
 RM=$(rm -f /tmp/diff)
 DIFF=$(wget -qO- $CMD_PATH | tar xvzf - -C /tmp &>/dev/null)
+# for testing purpose
+#./diff/diff -i "$2" -u "$3" -json
 /tmp/diff -i "$2" -u "$3" -json

module/version.txt

@@ -1 +1 @@
-1.0.2
+2.0.0

test.tf

@@ -47,3 +47,7 @@ module "diff_secret" {
   aws_assume_role            = local.aws_assume_role
   aws_allowed_account_ids    = local.aws_allowed_account_ids
 }
+
+output "env_vars_change" {
+  value = values(module.diff_secret.env_vars_change)
+}