We are building a tool for security analysis of Terraform code and have an interesting issue.
In order to do the analysis, we need data from the Terraform plan to be uploaded to our SaaS (specifically, the zip file generated by passing “-out”). However, that plan has a lot of confidential information, such as secrets/passwords, certificates, etc.
So, we’ve devised a method where the calculation on the plan file will be done locally on the user’s side, and it will only upload the data needed for our security analysis. I’ve attached a sample TF file and a resulting context file. It’s only the context file that is uploaded to us. (sorry for the “.txt”, it’s a requirement in this forum)
I would ask for this community’s feedback: is this level of reduction of information acceptable, and does it allow for the adoption of a tool like the one I mentioned?
main.tf.txt (2.3 KB)
Converts to this:
cloudrail_context.json.txt (39.5 KB)
(and only the latter file is uploaded to the service)
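Added illustration of the local-reduction idea (example code, not the poster's tool and not the attached context format): it takes a plan in `terraform show -json` shape, replaces every attribute that Terraform marks in `sensitive_values` with a redaction marker, and keeps only addresses, types and the remaining attributes. The plan below is a constructed sample; only the root module is handled here.

```python
"""Reduce a Terraform plan JSON to a context document before upload (added example)."""
import json
from typing import Any

REDACTED = "<redacted>"

def redact(value: Any, sensitive: Any) -> Any:
    """Walk `value` alongside Terraform's `sensitive_values` mirror.
    A `True` leaf in the mirror marks a value that must not leave the host."""
    if sensitive is True:
        return REDACTED
    if isinstance(value, dict):
        mirror = sensitive if isinstance(sensitive, dict) else {}
        return {k: redact(v, mirror.get(k, False)) for k, v in value.items()}
    if isinstance(value, list):
        mirror = sensitive if isinstance(sensitive, list) else []
        return [redact(v, mirror[i] if i < len(mirror) else False)
                for i, v in enumerate(value)]
    return value

def build_context(plan: dict) -> list[dict]:
    """Keep only what a policy check needs: address, type, redacted attributes."""
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    return [{"address": r["address"], "type": r["type"],
             "values": redact(r.get("values", {}), r.get("sensitive_values", {}))}
            for r in resources]

SAMPLE_PLAN = {  # constructed sample in `terraform show -json` shape
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_db_instance.db", "type": "aws_db_instance", "name": "db",
         "values": {"engine": "postgres", "password": "hunter2",
                    "publicly_accessible": True, "tags": {"env": "prod"}},
         "sensitive_values": {"password": True, "tags": {}}},
        {"address": "tls_private_key.k", "type": "tls_private_key", "name": "k",
         "values": {"algorithm": "RSA", "private_key_pem": "-----BEGIN RSA PRIVATE KEY-----"},
         "sensitive_values": {"private_key_pem": True}},
    ]}},
}

def context_json(plan: dict = SAMPLE_PLAN) -> str:
    """Serialise the reduced context; this is the only document that would be uploaded."""
    return json.dumps(build_context(plan), indent=2)

if __name__ == "__main__":
    print(context_json())
```

Note that `sensitive_values` only covers attributes the provider schema or a `sensitive = true` declaration marks; a secret pasted into an ordinary string attribute is not flagged, so a real reducer needs an allow-list of attribute names per resource type on top of this.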