
Terraform CI Log Secret Redaction Prompt

Stop secrets from leaking into CI logs and PR plan comments — audit where Terraform exposes sensitive values, enforce `sensitive`, mask provider output, and scrub `terraform show -json` before posting.

Target user
Platform engineers hardening Terraform CI against secret leakage
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a security-minded platform engineer who treats CI logs and PR comments as public until proven otherwise, and has caught real secrets leaking through Terraform plans.

I will provide:
- My CI system (GitHub Actions, GitLab CI, Atlantis, etc.)
- How plans get surfaced (job logs, PR comments, artifacts)
- Which resources handle secrets (DB passwords, API keys, TLS keys)

Your job:

1. **Leak surface map** — enumerate where Terraform exposes sensitive data: plan diff output, `terraform output` without `sensitive`, `terraform show -json` (which includes values), state artifacts, provider debug logs (`TF_LOG`), and `local-exec` echoing env.

2. **Enforce `sensitive`** — show how to mark variables and outputs `sensitive = true`, why it only redacts CLI human output (NOT the JSON plan or state), and a CI lint that fails PRs introducing a secret-typed variable without `sensitive`.

3. **JSON plan scrubbing** — the critical gap: `terraform show -json` reveals sensitive values even when CLI hides them. Provide a `jq`/script step that strips `*.sensitive` paths and known secret keys before any plan JSON is posted to a PR or stored as an artifact.

4. **PR comment hygiene** — for Atlantis or GitHub Actions bots, post only the resource-change summary, never raw values; truncate diffs; and disable comment posting on plans that touch secret-bearing resources.

5. **Provider debug** — ban `TF_LOG=trace` in CI (it logs request bodies); if needed for debugging, route to a restricted, short-lived, masked log sink.

6. **State as a secret** — reinforce that state contains plaintext secrets; ensure artifacts are never uploaded, backend is encrypted, and access is least-privilege.

7. **Defense in depth** — add a secret scanner (gitleaks/trufflehog) on logs/artifacts and CI-native masking (`::add-mask::`) for any value that must transit a step.

Output: (a) the leak-surface checklist, (b) the JSON-plan scrubbing script, (c) the `sensitive` CI lint, (d) PR-comment redaction config for my CI, (e) a short incident playbook for when a secret does leak (rotate first).

Bias toward: assuming logs are public, redacting the JSON plan (not just CLI output), and rotate-on-leak.
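The JSON-plan scrubbing step from item 3, as an added example that is not part of the prompt or of any project's code. It is written in Python rather than `jq` so the `before_sensitive`/`after_sensitive` marker trees that `terraform show -json` emits beside each change can be walked recursively; a key-name heuristic runs as a second pass, and the `variables` block (which carries input values verbatim) is redacted wholesale. `SECRET_KEY_RE`, the redaction marker and `SAMPLE_PLAN` are constructed assumptions.

```python
# Added example (not from the original page): scrub a `terraform show -json` plan.
import json
import re

REDACTED = "[REDACTED]"
SECRET_KEY_RE = re.compile(r"password|secret|token|api_key|private_key", re.I)  # assumed list


def _mask(value, marker):  # replace `value` wherever the parallel *_sensitive tree is true
    if marker is True:
        return REDACTED
    if isinstance(marker, dict) and isinstance(value, dict):
        return {k: _mask(v, marker.get(k, False)) for k, v in value.items()}
    if isinstance(marker, list) and isinstance(value, list):
        return [_mask(v, marker[i] if i < len(marker) else False) for i, v in enumerate(value)]
    return value


def _scrub_keys(value):  # second pass: redact attributes whose *name* looks like a secret
    if isinstance(value, dict):
        return {k: REDACTED if SECRET_KEY_RE.search(k) and v is not None else _scrub_keys(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [_scrub_keys(v) for v in value]
    return value


def redact_plan(plan):
    """Return a redacted deep copy of the plan; the input dict is left untouched."""
    out = json.loads(json.dumps(plan))
    for rc in out.get("resource_changes", []):
        ch = rc.get("change", {})
        for side in ("before", "after"):
            ch[side] = _scrub_keys(_mask(ch.get(side), ch.get(f"{side}_sensitive", False)))
    for oc in out.get("output_changes", {}).values():
        for side in ("before", "after"):
            oc[side] = _mask(oc.get(side), oc.get(f"{side}_sensitive", False))
    for var in out.get("variables", {}).values():  # input variable values appear verbatim
        var["value"] = REDACTED
    # planned_values/prior_state repeat the values; resource_changes already has the diff
    for key in ("planned_values", "prior_state"):
        out.pop(key, None)
    return out


SAMPLE_PLAN = {  # constructed fragment shaped like the plan JSON format
    "variables": {"db_password": {"value": "hunter2"}},
    "resource_changes": [{"address": "aws_db_instance.main", "change": {
        "actions": ["create"], "before": None, "after_sensitive": {"password": True},
        "after": {"engine": "postgres", "password": "hunter2", "admin_token": "t0k"}}}],
    "output_changes": {"db_dsn": {"after": "postgres://app:hunter2@db", "after_sensitive": True}},
}
```

Run it as a CI step between `terraform show -json plan.out` and whatever posts or archives the result, and keep `SECRET_KEY_RE` in sync with the secret-bearing attributes of your providers.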