Security implications of invoking os.ExpandEnv()?

The API I’m working with has a “commit” feature, which is leading me to create an api_commit resource.

It’s a little clunky, but I imagine end users grouping their resources into a module and invoking api_commit resource with depends_on and possibly a null_resource with triggers. I think it’ll work out okay.

Anyway, the “commit” API has a comment field (think: “commit message”).

I’m tempted to use text/template with these comments to expose some terraform and provider context (versions, provider build number, etc…) and maybe even run the end-user-supplied commit message through os.ExpandEnv(), thereby making it possible to further enhance these comments with elements from the environment like the terraform username, CI system job number and whatnot.

This feels reasonable from a security standpoint in the sense that “at least I haven’t made things any worse than is already possible with a local-exec provisioner…”

I recognize that I’m opening the door to bad ideas like exposing secrets found in the environment via these commit messages, but I’m not looking to eliminate every possible foot gun. (Ben Parker quote here)

My concern is more along the lines of: “If an attacker has access to the repo of TF configurations, can they do something new with this string which wouldn’t have been otherwise possible?”
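One way to limit what such a string can pull from the environment, as an added example and not code from the post or any provider: replace os.ExpandEnv with os.Expand and a mapping function that only resolves an explicit allowlist of variable names. The variable names and the environment map are hypothetical and constructed for the example; references to anything outside the allowlist are left visible as ${NAME} rather than expanded, so a reviewer of the commit comment can see what was attempted.

```go
package main

import (
	"fmt"
	"os"
)

// allowedVars is the allowlist of environment variables a commit message
// may reference. The names are hypothetical, chosen for this example.
var allowedVars = map[string]bool{
	"USER":          true,
	"CI_JOB_NUMBER": true,
}

// expandCommitMessage expands only allowlisted $VAR / ${VAR} references.
// It uses os.Expand with a custom mapping instead of os.ExpandEnv, so a
// reference to any other variable (an API token, a cloud credential) is
// rewritten to a literal ${NAME} instead of its value. The environment is
// passed in as a map so the behaviour is testable without touching the
// real process environment; in a provider you would build it from os.Environ().
func expandCommitMessage(msg string, env map[string]string) string {
	return os.Expand(msg, func(name string) string {
		if !allowedVars[name] {
			// Not allowlisted: keep the reference visible, never resolve it.
			return "${" + name + "}"
		}
		// Allowlisted but unset behaves like os.ExpandEnv: empty string.
		return env[name]
	})
}

func main() {
	// Constructed sample environment, including a secret that must not leak.
	env := map[string]string{
		"USER":          "alice",
		"CI_JOB_NUMBER": "42",
		"API_TOKEN":     "s3cr3t",
	}
	msg := "deploy by $USER, job ${CI_JOB_NUMBER}, token=$API_TOKEN"
	fmt.Println(expandCommitMessage(msg, env))
	// prints: deploy by alice, job 42, token=${API_TOKEN}
}
```

Whether an allowlist or a denylist of well-known secret names is the right trade-off depends on how much of the environment the comment feature is meant to expose; the point is that the mapping function, not the whole environment, decides.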