I'm managing my infrastructure using CDKTF. I use Helm to install charts into my Kubernetes cluster. I render the values for these Helm charts using EJS like so:
import { Construct } from "constructs";
import * as ejs from "ejs";
import * as fs from "fs";
import { Release } from "../../.gen/providers/helm/release";

export interface VectorConfig {}

export class Atlantis extends Construct {
  constructor(scope: Construct, name: string, _config: VectorConfig) {
    super(scope, name);

    const renderedValues = ejs.render(
      fs.readFileSync(`./constructs/atlantis/values.yaml.ejs`, "utf-8"),
      {
        atlantisGithubAppPrivateKey:
          process.env.ATLANTIS_GITHUB_APP_PRIVATE_KEY,
        atlantisGithubAppWebhookSecret:
          process.env.ATLANTIS_GITHUB_APP_WEBHOOK_SECRET,
        tfeToken: process.env.ATLANTIS_TFE_TOKEN,
        dopplerToken: process.env.ATLANTIS_DOPPLER_TOKEN,
        awsCredentials: process.env.ATLANTIS_AWS_CREDENTIALS,
      }
    );

    new Release(this, "atlantis", {
      repository: "https://runatlantis.github.io/helm-charts",
      chart: "atlantis",
      name: "atlantis",
      version: "5.4.4",
      values: [renderedValues],
    });
  }
}
With a values file that looks like the following:

githubApp:
  id: 963113
  installationId: "53537338"
  slug: "atlantis-for-atlantis-goldsky-com"
  secret: <%= atlantisGithubAppWebhookSecret %>
  key: |
    <%= atlantisGithubAppPrivateKey %>
readinessProbe:
  enabled: true
  periodSeconds: 5
  initialDelaySeconds: 5
  timeoutSeconds: 5
  successThreshold: 1
  failureThreshold: 5
  scheme: HTTP
environment:
  ATLANTIS_GH_ORG: goldsky-io
  ATLANTIS_TFE_TOKEN: <%= tfeToken %>
  ATLANTIS_AUTOPLAN_FILE_LIST: "**/*.tf,**/*.tfvars,**/*.tfvars.json,**/cdk.tf.json"
  DOPPLER_TOKEN: <%= dopplerToken %>
aws:
  credentials: |
    <%= awsCredentials %>
When I make any changes to this setup, the entire values file gets printed to stdout during `cdktf deploy` and `cdktf diff`, like so:

githubApp:
  id: 963113
  installationId: "53537338"
  slug: "atlantis-for-atlantis-goldsky-com"
  secret: <secret stuff>
  key: |
    -----BEGIN RSA PRIVATE KEY-----
    <secret stuff>
    -----END RSA PRIVATE KEY-----
environment:
  - ATLANTIS_GH_ORG: goldsky-io
    ATLANTIS_TFE_TOKEN: <secret stuff>
    ATLANTIS_AUTOPLAN_FILE_LIST: "**/*.tf,**/*.tfvars,**/*.tfvars.json,**/cdk.tf.json"
    DOPPLER_TOKEN: <secret stuff>
...
Is there a way to instruct Terraform to hide the entire value of the config (or parts of it) when rendering the diff?
Turns out Helm has a `set_sensitive` field where sensitive fields can be set and thus hidden from the output.
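The following is an added example, not code from the question or from the CDKTF Helm provider, showing the shape of the fix the answer points at: keep the secrets out of the EJS-rendered `values` string entirely and hand them to the release through `set_sensitive` (`setSensitive` in the generated CDKTF binding), so the plan prints `(sensitive value)` instead of the key material. The `ReleaseArgs` and `ReleaseSetSensitive` interfaces below are local stand-ins for the generated provider types, and the secret names, paths and environment variables are taken from the question; `escapeSetValue` is an assumed helper covering Helm's `--set` comma splitting, which the provider reuses for `set`/`set_sensitive`.

```typescript
// Added example (not the question's or the provider's code): split the
// Atlantis release into a non-secret values document and a list of
// set_sensitive entries, then verify nothing secret leaked into `values`.

// Local stand-ins for the generated helm provider types (assumption: the
// real `Release` from `.gen/providers/helm/release` accepts
// `values: string[]` and `setSensitive: { name, value, type? }[]`).
interface ReleaseSetSensitive {
  name: string;   // dotted path into the chart values, e.g. githubApp.key
  value: string;
  type?: string;  // "string" stops Helm from coercing numeric-looking secrets
}
interface ReleaseArgs {
  values: string[];
  setSensitive: ReleaseSetSensitive[];
}

type Env = Record<string, string | undefined>;

// Values path -> environment variable holding the secret (from the question).
const SENSITIVE_PATHS: Record<string, string> = {
  "githubApp.secret": "ATLANTIS_GITHUB_APP_WEBHOOK_SECRET",
  "githubApp.key": "ATLANTIS_GITHUB_APP_PRIVATE_KEY",
  "environment.ATLANTIS_TFE_TOKEN": "ATLANTIS_TFE_TOKEN",
  "environment.DOPPLER_TOKEN": "ATLANTIS_DOPPLER_TOKEN",
  "aws.credentials": "ATLANTIS_AWS_CREDENTIALS",
};

// The values document with every secret line removed.  Commas are fine
// here (it is plain YAML); only set/set_sensitive values need escaping.
const NON_SECRET_VALUES = `githubApp:
  id: 963113
  installationId: "53537338"
  slug: "atlantis-for-atlantis-goldsky-com"
readinessProbe:
  enabled: true
  periodSeconds: 5
  initialDelaySeconds: 5
  timeoutSeconds: 5
  successThreshold: 1
  failureThreshold: 5
  scheme: HTTP
environment:
  ATLANTIS_GH_ORG: goldsky-io
  ATLANTIS_AUTOPLAN_FILE_LIST: "**/*.tf,**/*.tfvars,**/*.tfvars.json,**/cdk.tf.json"
`;

// Helm's --set parser splits values on unescaped commas, so a secret that
// happens to contain one must be escaped with a backslash (assumed helper).
function escapeSetValue(v: string): string {
  return v.replace(/,/g, "\\,");
}

// Build the release arguments: non-secret YAML in `values`, secrets in
// `setSensitive`.  Missing secrets fail synth instead of deploying blanks.
function buildReleaseArgs(env: Env): ReleaseArgs {
  const setSensitive: ReleaseSetSensitive[] = [];
  for (const path of Object.keys(SENSITIVE_PATHS)) {
    const envVar = SENSITIVE_PATHS[path];
    const v = env[envVar];
    if (v === undefined || v === "") {
      throw new Error(`missing ${envVar} (needed for ${path})`);
    }
    setSensitive.push({ name: path, value: escapeSetValue(v), type: "string" });
  }
  return { values: [NON_SECRET_VALUES], setSensitive };
}

// Guard for a unit test or a synth-time check: returns the paths whose
// secret value still appears in the plain `values` documents.
function leaksSecret(args: ReleaseArgs, env: Env): string[] {
  const leaked: string[] = [];
  for (const path of Object.keys(SENSITIVE_PATHS)) {
    const v = env[SENSITIVE_PATHS[path]];
    if (v && args.values.some((doc) => doc.includes(v))) leaked.push(path);
  }
  return leaked;
}

// Wiring into the construct (assumption: the generated Release accepts these
// fields alongside repository/chart/name/version):
//   new Release(this, "atlantis", {
//     repository: "https://runatlantis.github.io/helm-charts",
//     chart: "atlantis", name: "atlantis", version: "5.4.4",
//     ...buildReleaseArgs(process.env),
//   });
```

With this split the EJS template is no longer needed for the secrets at all; `values` carries only what is safe to show in a diff, and Terraform redacts each `set_sensitive` entry on its own. Note that `set_sensitive` hides the value from the plan output but not from the state file, so state storage still needs to be treated as secret.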