From 6886573fcf63d367f718beb8a85bef9a4a00ce39 Mon Sep 17 00:00:00 2001
From: magodo
Date: Fri, 9 Aug 2024 12:00:30 +0800
Subject: [PATCH] New option: `-mask-sensitive` to allow masking sensitive attributes (#551)
---
 flag.go | 5 +++++
 go.mod | 2 +-
 go.sum | 4 ++--
 internal/meta/base_meta.go | 41 ++++++++++++++++++++++----------------
 main.go | 7 +++++++
 pkg/config/config.go | 2 ++
 6 files changed, 41 insertions(+), 20 deletions(-)
diff --git a/flag.go b/flag.go
index f84f662..2967354 100644
--- a/flag.go
+++ b/flag.go
@@ -35,6 +35,7 @@ type FlagSet struct {
 flagBackendType string
 flagBackendConfig cli.StringSlice
 flagFullConfig bool
+ flagMaskSensitive bool
 flagParallelism int
 flagContinue bool
 flagNonInteractive bool
@@ -133,6 +134,9 @@ func (flag FlagSet) DescribeCLI(mode string) string {
 if flag.flagFullConfig {
 args = append(args, "--full-properties=true")
 }
+ if flag.flagMaskSensitive {
+ args = append(args, "--mask-sensitive=true")
+ }
 if flag.flagParallelism != 0 {
 args = append(args, fmt.Sprintf("--parallelism=%d", flag.flagParallelism))
 }
@@ -409,6 +413,7 @@ func (f FlagSet) BuildCommonConfig() (config.CommonConfig, error) {
 BackendType: f.flagBackendType,
 BackendConfig: f.flagBackendConfig.Value(),
 FullConfig: f.flagFullConfig,
+ MaskSensitive: f.flagMaskSensitive,
 Parallelism: f.flagParallelism,
 HCLOnly: f.flagHCLOnly,
 ModulePath: f.flagModulePath,
diff --git a/go.mod b/go.mod
index b18762e..72b6d8f 100644
--- a/go.mod
+++ b/go.mod
@@ -27,7 +27,7 @@ require ( github.com/magodo/spinner v0.0.0-20240524082745-3a2305db1bdc github.com/magodo/terraform-client-go v0.0.0-20230323074119-02ceb732dd25 github.com/magodo/textinput v0.0.0-20210913072708-7d24f2b4b0c0 - github.com/magodo/tfadd v0.10.1-0.20240412023810-79ace00fe84d + github.com/magodo/tfadd v0.10.1-0.20240809033926-59efddadfd95 github.com/magodo/tfmerge v0.0.0-20221214062955-f52e46d03402 github.com/magodo/tfstate v0.0.0-20220409052014-9b9568dda918 github.com/magodo/workerpool v0.0.0-20240524082508-11838001bc35 diff --git a/go.sum b/go.sum index 3ca0de0..23ebef6 100644 --- a/go.sum +++ b/go.sum @@ -241,8 +241,8 @@ github.com/magodo/terraform-client-go v0.0.0-20230323074119-02ceb732dd25 h1:V4R1 github.com/magodo/terraform-client-go v0.0.0-20230323074119-02ceb732dd25/go.mod h1:L12osIvZuDH0/UzrWn3+kiBRXDFTuoYaqF7UfTsbbQA= github.com/magodo/textinput v0.0.0-20210913072708-7d24f2b4b0c0 h1:aNtr4iNv/tex2t8W1u3scAoNHEnFlTKhNNHOpYStqbs= github.com/magodo/textinput v0.0.0-20210913072708-7d24f2b4b0c0/go.mod h1:MqYhNP+PC386Bjsx5piZe7T4vDm5QIPv8b1RU0prVnU= -github.com/magodo/tfadd v0.10.1-0.20240412023810-79ace00fe84d h1:NPzZgU+4udgbPuGmwqXuxgdK7f8y86GydHHlXw5KSk0= -github.com/magodo/tfadd v0.10.1-0.20240412023810-79ace00fe84d/go.mod h1:6W2btqbRymCIrUhOlqrBgr/CyCa6lzNvs6fypoveye0= +github.com/magodo/tfadd v0.10.1-0.20240809033926-59efddadfd95 h1:940RtdDfXxJu0AUL0jFw8rMIRcUsOxDVp2sWg41YIlc= +github.com/magodo/tfadd v0.10.1-0.20240809033926-59efddadfd95/go.mod h1:6W2btqbRymCIrUhOlqrBgr/CyCa6lzNvs6fypoveye0= github.com/magodo/tfmerge v0.0.0-20221214062955-f52e46d03402 h1:RyaR4VE7hoR9AyoVH414cpM8V63H4rLe2aZyKdoDV1w= github.com/magodo/tfmerge v0.0.0-20221214062955-f52e46d03402/go.mod h1:ssV++b4DH33rsD592bvpS4Peng3ZfdGNZbFgCDkCfj8= github.com/magodo/tfpluginschema v0.0.0-20220905090502-2d6a05ebaefd h1:L0kTduNwpx60EdBPYOVF9oUY7jdfZHIncvQN490qWd4= diff --git a/internal/meta/base_meta.go b/internal/meta/base_meta.go index f3bc748..ce6004b 100644 
--- a/internal/meta/base_meta.go +++ b/internal/meta/base_meta.go @@ -83,21 +83,25 @@ type BaseMeta interface { var _ BaseMeta = &baseMeta{} type baseMeta struct { - logger *slog.Logger - subscriptionId string - azureSDKCred azcore.TokenCredential - azureSDKClientOpt arm.ClientOptions - outdir string - outputFileNames config.OutputFileNames - tf *tfexec.Terraform - resourceClient *armresources.Client - providerVersion string - devProvider bool - providerName string - backendType string - backendConfig []string - providerConfig map[string]cty.Value - fullConfig bool + logger *slog.Logger + subscriptionId string + azureSDKCred azcore.TokenCredential + azureSDKClientOpt arm.ClientOptions + outdir string + outputFileNames config.OutputFileNames + tf *tfexec.Terraform + resourceClient *armresources.Client + providerVersion string + devProvider bool + providerName string + backendType string + backendConfig []string + providerConfig map[string]cty.Value + + // tfadd options + fullConfig bool + maskSensitive bool + parallelism int preImportHook config.ImportCallback postImportHook config.ImportCallback @@ -281,6 +285,7 @@ func NewBaseMeta(cfg config.CommonConfig) (*baseMeta, error) { providerConfig: providerConfig, providerName: cfg.ProviderName, fullConfig: cfg.FullConfig, + maskSensitive: cfg.MaskSensitive, parallelism: cfg.Parallelism, preImportHook: cfg.PreImportHook, postImportHook: cfg.PostImportHook, @@ -1009,7 +1014,9 @@ func (meta baseMeta) stateToConfig(ctx context.Context, list ImportList) (Config ProviderName: providerName, Value: item.State, }, - meta.fullConfig) + tfadd.Full(meta.fullConfig), + tfadd.MaskSenstitive(meta.maskSensitive), + ) if err != nil { return nil, fmt.Errorf("generating state for resource %s: %v", item.TFAddr, err) } 
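Review bot: `tfadd.MaskSenstitive` in the new argument list of the `@@ -1009` hunk is misspelled ("Senstitive"); the name presumably comes from the tfadd version pinned in go.mod, so it has to stay as written to compile, but a one-line comment at the call such as `// NOTE: "MaskSenstitive" is the spelling exported by tfadd` would keep a later cleanup from renaming it and breaking the build. The same identifier appears in the `@@ -1026` hunk on the `tfadd.StateForTargets` call. Both calls in stateToConfig now list the same two options separately, so a later edit that touches only one of them would leave one export path unmasked; the diffstat shows no test file, and a test that runs both paths with masking enabled and checks that no sensitive value reaches the generated output would catch that. stateToConfig starts and ends outside this hunk.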
@@ -1026,7 +1033,7 @@ func (meta baseMeta) stateToConfig(ctx context.Context, list ImportList) (Config } var err error - bs, err = tfadd.StateForTargets(ctx, meta.tf, addrs, tfadd.Full(meta.fullConfig)) + bs, err = tfadd.StateForTargets(ctx, meta.tf, addrs, tfadd.Full(meta.fullConfig), tfadd.MaskSenstitive(meta.maskSensitive)) if err != nil { return nil, fmt.Errorf("converting terraform state to config: %w", err) } diff --git a/main.go b/main.go index f17ebe4..bb3167d 100644 --- a/main.go +++ b/main.go @@ -161,6 +161,13 @@ func main() { Value: false, Destination: &flagset.flagFullConfig, }, + &cli.BoolFlag{ + Name: "mask-sensitive", + EnvVars: []string{"AZTFEXPORT_MASK_SENSITIVE"}, + Usage: "Mask sensitive attributes in the Terraform configuration. This may require manual modifications to produce a valid config", + Value: false, + Destination: &flagset.flagMaskSensitive, + }, &cli.IntFlag{ Name: "parallelism", EnvVars: []string{"AZTFEXPORT_PARALLELISM"}, diff --git a/pkg/config/config.go b/pkg/config/config.go index 054785f..2004886 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -75,6 +75,8 @@ type CommonConfig struct { ProviderConfig map[string]cty.Value // FullConfig specifies whether to export all (non computed-only) Terarform properties when generating TF configs. FullConfig bool + // MaskSensitive specifies whether to mask sensitive attributes when generating TF configs. + MaskSensitive bool // Parallelism specifies the parallelism for the process Parallelism int // PreImportHook is called before each resource is imported during ParallelImport
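Review bot: The `Usage` string of the new `mask-sensitive` flag in main.go does not tell the user what the default `false` means for secrets: with the flag off, sensitive attribute values are presumably written as-is into the generated configuration, and in the visible hunks the option only reaches the tfadd calls in stateToConfig, so the Terraform state in the output directory would not be masked either way. If that is accurate, say so in the help text, e.g. `Usage: "Mask sensitive attributes in the generated Terraform configuration (the Terraform state still holds the real values). This may require manual modifications to produce a valid config",`. The doc comment on `MaskSensitive` in pkg/config/config.go has the same gap and could state the default and the scope in one more sentence. The flag list in main() continues outside the hunk.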