Mask git password in module download #3902

Open
1 task done
fullykubed opened this issue Feb 18, 2025 · 2 comments
Labels
contributions-requested Requesting contributions from the community enhancement New feature or request preserved Preserved issues never go stale

Comments

@fullykubed

Describe the enhancement

Consider the case where a module is being sourced from a private git repository:

terraform {
   source = "git::https://fullykubed:${get_env("GIT_PASSWORD")}@github.com/panfactum/panfactum.git"
}

The logs produced by terragrunt show the password in plaintext.

16:38:20.861 INFO   Downloading Terraform configurations from git::https://fullykubed:<password>@github.com/panfactum/panfactum.git into ../../../../.terragrunt-cache/q40DOeSY8IP8r8YJ00b42BMj8Yw/iOVvxDxcDQPcvGjxu4WXXm5WY44
16:38:21.429 ERROR  downloading source url git::https://fullykubed:<password>@github.com/panfactum/panfactum.git
error occurred:

I'd propose that the password component should be redacted.

16:38:20.861 INFO   Downloading Terraform configurations from git::https://fullykubed:<redacted>@github.com/panfactum/panfactum.git into ../../../../.terragrunt-cache/q40DOeSY8IP8r8YJ00b42BMj8Yw/iOVvxDxcDQPcvGjxu4WXXm5WY44
16:38:21.429 ERROR  downloading source url git::https://fullykubed:<redacted>@github.com/panfactum/panfactum.git
error occurred:

This already matches the behavior of git logs:

* error downloading 'https://fullykubed:<redacted>@github.com/panfactum/panfactum.git': /nix/store/pxpns5vm111i6j3r3wbygaj99wbrm6h1-git-2.47.0/bin/git exited with 128: Cloning into '../../../../.terragrunt-cache/q40DOeSY8IP8r8YJ00b42BMj8Yw/iOVvxDxcDQPcvGjxu4WXXm5WY44'...

Additional context

Obviously the issue could be avoided by using ssh keys or a credential helper rather than specifying the password directly as above. However, we are using Terragrunt in an environment where these solutions are not feasible (e.g., ssh is blocked and we do not have the ability to specify a global git credential helper).

PoC (Proof of Concept)

Not that this is very helpful, but here is the bash wrapper around terragrunt that we are using temporarily to mask the values. Obviously you can see it is a bit of an ugly hack to preserve the streams and exit code.

# stderr gets its own masking sed (written back to fd 2) so the two streams
# stay separate; stdout goes through the pipe. stdbuf -oL keeps lines from
# being reordered by block buffering. Note: a password containing / or sed
# metacharacters (& . * [ ]) would break the substitution expression.
{
      stdbuf -oL terragrunt "$@" 2> >(stdbuf -oL sed "s/$GIT_PASSWORD/redacted/g" >&2)
} | stdbuf -oL sed "s/$GIT_PASSWORD/redacted/g"

# PIPESTATUS[0] is terragrunt's own exit code rather than the last sed's.
exit ${PIPESTATUS[0]}

RFC Not Needed

  • I have evaluated the complexity of this enhancement, and I believe it does not require an RFC.
@fullykubed fullykubed added the enhancement New feature or request label Feb 18, 2025
@yhakbar yhakbar added contributions-requested Requesting contributions from the community preserved Preserved issues never go stale labels Feb 21, 2025
@yhakbar (Collaborator)

yhakbar commented Feb 21, 2025

Most CI systems use their own credentials masking techniques to prevent secrets from ending up in logs, so I don't think this would be used by too many people. It's also tricky, as we don't want to blindly mask content in the source attribute of the terraform block, as it is used in many different places, and different ways, and there's a good chance we'll mask content that's useful, but not harmful to people in the URL.

It's a good idea though, and something we should pursue if we find time.

My ideal solution would be to add something like --log-mask that accepts a slice of strings (and maybe --log-mask-regex for regex) that should be masked in the Terragrunt logger, regardless of where the values are being used. Users would then run Terragrunt like this:

terragrunt plan --log-mask "$GIT_PASSWORD"

That way, regardless of how the source URL is logged, the password will be masked, even if running locally. Users could also use this to mask anything else in their configuration that's sensitive (from being logged via Terragrunt).

I don't think this would be a particularly difficult feature, so I've marked it as requesting contributions from the community, if anyone would like to get involved.
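An added example in Go (Terragrunt's language), not Terragrunt's own code, of the two masking approaches discussed in this thread: a log writer that masks a configured list of literal values, standing in for the proposed --log-mask flag, and a narrower helper that redacts only the password in a source URL's userinfo. The type and function names, the "***"/"REDACTED" markers and the sample password are assumptions for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/url"
	"os"
	"strings"
)

// maskWriter rewrites every write so the configured literals (the values a
// hypothetical --log-mask flag would collect) never reach dst.
type maskWriter struct {
	dst      io.Writer
	literals []string
}

func (m *maskWriter) Write(p []byte) (int, error) {
	s := string(p)
	for _, lit := range m.literals {
		if lit != "" { // an empty mask (unset env var) would insert *** between every character
			s = strings.ReplaceAll(s, lit, "***")
		}
	}
	if _, err := m.dst.Write([]byte(s)); err != nil {
		return 0, err
	}
	return len(p), nil // report the caller's length, not the masked one
}

// redactURLPassword replaces only the password in a source URL's userinfo. go-getter's
// "git::" forwarding prefix is not a URL scheme, so it is split off before parsing.
func redactURLPassword(src string) string {
	prefix := ""
	if i := strings.Index(src, "::"); i >= 0 {
		prefix, src = src[:i+2], src[i+2:]
	}
	u, err := url.Parse(src)
	if err != nil || u.User == nil {
		return prefix + src
	}
	if _, has := u.User.Password(); has {
		u.User = url.UserPassword(u.User.Username(), "REDACTED")
	}
	return prefix + u.String()
}

func main() {
	w := &maskWriter{dst: os.Stdout, literals: []string{"hunter2"}} // constructed sample secret
	fmt.Fprintln(w, "Downloading git::https://fullykubed:hunter2@github.com/panfactum/panfactum.git")
}
```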

@fullykubed (Author)

That seems like a very sensible solution.
