
How to hide rendering of strings in output of cdktf?


I'm managing my infrastructure using CDKTF. I use Helm to install charts into my kubernetes cluster. I render the values for these helm charts using EJS like so

import { Construct } from "constructs";
import * as ejs from "ejs";
import * as fs from "fs";
import { Release } from "../../.gen/providers/helm/release";

export interface VectorConfig {}

export class Atlantis extends Construct {
  constructor(scope: Construct, name: string, _config: VectorConfig) {
    super(scope, name);

    const renderedValues = ejs.render(
      fs.readFileSync(`./constructs/atlantis/values.yaml.ejs`, "utf-8"),
      {
        atlantisGithubAppPrivateKey:
          process.env.ATLANTIS_GITHUB_APP_PRIVATE_KEY,
        atlantisGithubAppWebhookSecret:
          process.env.ATLANTIS_GITHUB_APP_WEBHOOK_SECRET,
        tfeToken: process.env.ATLANTIS_TFE_TOKEN,
        dopplerToken: process.env.ATLANTIS_DOPPLER_TOKEN,
        awsCredentials: process.env.ATLANTIS_AWS_CREDENTIALS,
      }
    );

    new Release(this, "atlantis", {
      repository: "https://runatlantis.github.io/helm-charts",
      chart: "atlantis",
      name: "atlantis",
      version: "5.4.4",
      values: [renderedValues],
    });
  }
}

With a values file that looks like the following

githubApp:
    id: 963113
    installationId: "53537338"
    slug: "atlantis-for-atlantis-goldsky-com"
    secret: <%= atlantisGithubAppWebhookSecret %>
    key: |
        <%= atlantisGithubAppPrivateKey %>
readinessProbe:
  enabled: true
  periodSeconds: 5
  initialDelaySeconds: 5
  timeoutSeconds: 5
  successThreshold: 1
  failureThreshold: 5
  scheme: HTTP
environment:
    ATLANTIS_GH_ORG: goldsky-io
    ATLANTIS_TFE_TOKEN: <%= tfeToken %>
    ATLANTIS_AUTOPLAN_FILE_LIST: "**/*.tf,**/*.tfvars,**/*.tfvars.json,**/cdk.tf.json"
    DOPPLER_TOKEN: <%= dopplerToken %>
aws:
  credentials: |
    <%= awsCredentials %>

When I make any changes to this setup, the entire values file gets printed to stdout during cdktf deploy and cdktf diff like so

  githubApp:
      id: 963113
      installationId: "53537338"
      slug: "atlantis-for-atlantis-goldsky-com"
      secret: <secret stuff>
      key: |
          -----BEGIN RSA PRIVATE KEY-----
          <secret stuff>
          -----END RSA PRIVATE KEY-----
  environment:
-     ATLANTIS_GH_ORG: goldsky-io
      ATLANTIS_TFE_TOKEN: <secret stuff>
      ATLANTIS_AUTOPLAN_FILE_LIST: "**/*.tf,**/*.tfvars,**/*.tfvars.json,**/cdk.tf.json"
      DOPPLER_TOKEN: <secret stuff>
...

Is there a way to instruct terraform to hide the entire value of the config (or parts of it) when rendering the diff?


Solution

  • Turns out helm has a set_sensitive field where sensitive fields can be set and thus hidden from the output
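The approach from the solution above, as an added example (not code from the question or from the helm provider): secrets are pulled out of the values document and handed to the release through set_sensitive, so the plan/diff shows the plain values but redacts the secrets. Assumptions: the names SensitiveValue, splitReleaseValues and checkNoLeak are this example's own, the result shape mirrors the generated Release construct's `values` and `setSensitive` props, and JSON is used as the values document because it is valid YAML and needs no extra library.

```typescript
// Marks a value that must never appear in the plan-visible values document (example type).
class SensitiveValue {
  readonly secret: string;
  constructor(secret: string) { this.secret = secret; }
}

type Values = { [key: string]: Values | SensitiveValue | string | number | boolean };
interface SetSensitiveEntry { name: string; value: string; }
// Mirrors the Release construct's `values` (list of YAML documents) and `setSensitive` props.
interface ReleaseValueProps { values: string[]; setSensitive: SetSensitiveEntry[]; }

// set_sensitive entries follow Helm's `--set` path syntax: nested keys are joined with ".",
// a literal "." inside a key is escaped as "\." and a literal "," inside a value as "\,".
const escapeKey = (k: string) => k.replace(/\./g, "\\.");
const escapeValue = (v: string) => v.replace(/,/g, "\\,");

// Splits a values tree into a secret-free document plus set_sensitive entries for the
// SensitiveValue leaves, so the secrets never reach the rendered values string.
function splitReleaseValues(values: Values): ReleaseValueProps {
  const setSensitive: SetSensitiveEntry[] = [];
  const walk = (node: Values, path: string[]): Values => {
    const out: Values = {};
    for (const [key, val] of Object.entries(node)) {
      const here = [...path, escapeKey(key)];
      if (val instanceof SensitiveValue) {
        setSensitive.push({ name: here.join("."), value: escapeValue(val.secret) });
      } else if (typeof val === "object") {
        out[key] = walk(val, here);
      } else {
        out[key] = val;
      }
    }
    return out;
  };
  const plain = walk(values, []);
  // JSON is valid YAML, so the provider accepts it as a values document.
  return { values: [JSON.stringify(plain, null, 2)], setSensitive };
}

// Defensive check before deploying: no secret may survive in the rendered values document.
function checkNoLeak(props: ReleaseValueProps): boolean {
  return props.setSensitive.every((s) => {
    const raw = s.value.replace(/\\,/g, ",");
    return !props.values.some((doc) => doc.includes(raw));
  });
}

// Wiring into the generated construct (assumed prop names; needs cdktf, so not run here):
//   const { values, setSensitive } = splitReleaseValues({ ... });
//   new Release(this, "atlantis", { chart: "atlantis", /* ... */ values, setSensitive });
```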