Consider Support for Masking Portions of a Field Value

[bflad]

terraform-plugin-log version

v0.6.0

Use cases

Version 0.6.0 introduced some excellent filtering capabilities, but here's another potential use case we have. There is currently the tflog.MaskFieldValuesWithFieldKeys() function which allows you to specify field keys which the entire value will be redacted, however there is no way to mask only a selective portion of the field value.

Downstream in terraform-plugin-sdk, we are looking at whether a new HTTP request/response logging mechanism should put the body in the message or put the body in a field. Ideally it seems, it would be best placed in a field so developers can choose to redact the whole body if they wish (either for security or to save log size), but then there's no way to mask only certain portions of the body data.

Proposal

Create new functions, maybe something like MaskFieldValueRegexes(key, ...regexp.Regexp)/MaskFieldValueStrings(key, ...string) which works like the MaskMessage* equivalents. If specifying it per-key is too much, maybe having MaskAllFieldValue* variants could solve that by doing the same thing, but looping through all field keys.

References

• Introduce NewLoggingHTTPTransport and deprecate NewTransport terraform-plugin-sdk#1006

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.