Merge pull request #1 from RepublicServicesRepository/US50654-enhanced-masking

US50654: Enhanced Masking

Author: caseyrayl

.github/workflows/test-aws-param-to-env.yml

@@ -30,6 +30,7 @@ jobs:
           param-store-base-paths: /test
           decrypt-secure-strings: true
           debug-logging: true
+          mask-values: true
 
       # Test the outcome in the GITHUB env.
       # Be careful with this, as the values will end up in your Action logs.

actions/aws-param-to-env/action.yml

@@ -7,6 +7,9 @@ inputs:
   decrypt-secure-strings:
     description: 'Optional flag to decrypt SecureString values. Set to true if desired and the value will cascade to the AWS call.'
     required: false
+  mask-values:
+    description: 'Optional flag to mask all values retrieved within Github logs.'
+    required: false
   debug-logging:
     description: 'Optional flag to output debug logging. If set to true Param Store values will be output to the console.'
     required: false

actions/aws-param-to-env/index.js

@@ -1,4 +1,3 @@
-const execSync = require("child_process").execSync;
 const core = require("@actions/core");
 const aws = require("aws-sdk");
 const ssm = new aws.SSM();
@@ -7,7 +6,8 @@ async function main() {
   try {
     console.log("Begin AWS Param To Env");
 
-    const debuLogging = core.getInput("debug-logging") === "true";
+    const debuLogging = core.getInput("debug-logging") === "true";    
+    const maskValues = (core.getInput("mask-values") === "false") ? false : true; // default to masking everything
     const decryptSecureStrings =
       core.getInput("decrypt-secure-strings") === "true";
     const paramStoreBasePathInput = core.getInput("param-store-base-paths", {
@@ -20,7 +20,7 @@ async function main() {
         decryptSecureStrings,
         debuLogging
       );
-      setParamsInEnvironment(basePath, parameters);
+      setParamsInEnvironment(basePath, parameters, maskValues);
     }
 
     console.log("End AWS Param To Env");
@@ -36,7 +36,7 @@ async function getParamsByPath(path, decrypt, log) {
 
   do {
     if (log) {
-      console.log(`Begin getParametersByPath: ${JSON.stringify(NextToken)}`);
+      console.log(`Begin getParametersByPath continued: ${!!NextToken}`);
     }
 
     ssmResult = await ssm
@@ -49,7 +49,18 @@ async function getParamsByPath(path, decrypt, log) {
       .promise();
 
     if (log) {
-      console.log(`End getParametersByPath: ${JSON.stringify(ssmResult)}`);
+      if (!decrypt) {
+        console.log(`End getParametersByPath: ${JSON.stringify(ssmResult)}`);
+      } else {
+        const safeToLogResults = ssmResult.Parameters.map(parameter => {
+          let loggableParam = Object.assign({}, parameter);
+          if (loggableParam.Type === 'SecureString') {
+            loggableParam.Value = '***';
+          }
+          return loggableParam;
+        });
+        console.log(`End getParametersByPath: ${JSON.stringify({ Parameters: safeToLogResults })}`);
+      }
     }
 
     if (ssmResult.Parameters.length) {
@@ -59,7 +70,7 @@ async function getParamsByPath(path, decrypt, log) {
   } while (NextToken);
 
   if (log) {
-    console.log(`Loaded parameters: ${JSON.stringify(parameters)}`);
+    console.log("Parameter path load complete.");
   }
 
   return parameters;
@@ -69,17 +80,21 @@ async function getParamsByPath(path, decrypt, log) {
  * Convert the heirarchical param name to a unix-style param name.
  * e.g. /test/api/key -> API_KEY
  */
-async function setParamsInEnvironment(path, params) {
+async function setParamsInEnvironment(path, params, maskValues) {
   for (const param of params) {
     const shortName = param.Name.replace(path, "");
     const unixName = shortName
       .replace(/^\//, "")
       .replace(/\//g, "_")
       .toUpperCase();
 
-    // write the value out to the environment and register it as a secret, so github logs will mask it
+    // write the value out to the environment 
     core.exportVariable(unixName, param.Value);
-    core.setSecret(param.Value);
+
+    // register it as a secret, so github logs will mask it
+    if (maskValues) {
+      core.setSecret(param.Value);
+    }
   }
 }