Feedback needed: TF plan security

Hi everyone,

We are building a tool for security analysis of Terraform code and have an interesting issue.

In order to do the analysis, we need data from the Terraform plan to be uploaded to our SaaS (specifically, the zip file generated by passing “-out”). However, that plan has a lot of confidential information, such as secrets/passwords, certificates, etc.

So, we’ve devised a method where the calculation on the plan file will be done locally on the user’s side, and it will only upload the data needed for our security analysis. I’ve attached a sample TF file and a resulting context file. It’s only the context file that is uploaded to us. (sorry for the “.txt”, it’s a requirement in this forum)

I would ask for this community’s feedback - is this level of reduction of information acceptable and allows for the adoption of a tool like the one I mentioned?

This:
main.tf.txt (2.3 KB)

Converts to this:
cloudrail_context.json.txt (39.5 KB)
(and only the latter file is uploaded to the service)

Hi,

Did you try setting the sensitive=true flag in your resources with password in main.tf?
That way the confidential information would not be captured in output.

Thanks,

Sensitive output is still recorded in the state (even if it’s not presented in the textual output of the “plan” command). The state is included in the plan zip file (terraform plan -out=plan.zip)


You’re gonna have an easier time maintaining a list of resources which may contain secret values, and scrubbing those values out before uploading the plan output to your servers.
You will need to convince prospective clients that uploading the plan output to your servers is secure and does not expose their sensitive data to the outside world. The simpler the solution to the above problem, the easier it will be to convince your clients that their data is secure.
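The scrubbing approach suggested in the last reply, as an added example (not the tool from the thread, and not the poster's code): it takes the JSON form of a plan (`terraform show -json plan.zip`) and redacts every leaf that Terraform itself flags in the parallel `after_sensitive` / `before_sensitive` and `sensitive_values` structures, so the list of secret-bearing attributes does not have to be maintained by hand. It assumes that plan JSON layout and only walks the root module; `child_modules` would need the same treatment.

```python
import copy
import json

REDACTED = "<redacted>"


def redact(value, marker):
    """Copy `value`, replacing every leaf whose marker is True."""
    if marker is True:
        return REDACTED
    if isinstance(value, dict) and isinstance(marker, dict):
        return {k: redact(v, marker.get(k, False)) for k, v in value.items()}
    if isinstance(value, list) and isinstance(marker, list):
        # marker list is parallel to the value list in Terraform's plan JSON
        return [redact(v, marker[i] if i < len(marker) else False)
                for i, v in enumerate(value)]
    return value


def scrub_plan(plan):
    """Return a copy of a `terraform show -json` plan with sensitive leaves redacted."""
    plan = copy.deepcopy(plan)
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        for key in ("before", "after"):
            if change.get(key) is not None:
                change[key] = redact(change[key], change.get(key + "_sensitive", False))
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in root.get("resources", []):
        res["values"] = redact(res.get("values", {}), res.get("sensitive_values", False))
    return plan


# Constructed sample in the shape of a real plan JSON (not the thread's attachment).
SAMPLE_PLAN = {
    "resource_changes": [{"address": "aws_db_instance.db", "change": {
        "actions": ["create"], "before": None, "before_sensitive": False,
        "after": {"engine": "postgres", "password": "hunter2",
                  "tags": {"team": "sec"}},
        "after_sensitive": {"password": True, "tags": {}}}}],
    "planned_values": {"root_module": {"resources": [{
        "address": "aws_db_instance.db",
        "values": {"engine": "postgres", "password": "hunter2"},
        "sensitive_values": {"password": True}}]}},
}

if __name__ == "__main__":
    print(json.dumps(scrub_plan(SAMPLE_PLAN), indent=2))
```

Values the provider schema does not mark sensitive (for example a secret pasted into a `tags` map) are left untouched, so an allow-list of attributes to keep is still the stricter option for upload.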