Terraform Decision Masking

The Styra DAS Terraform system type supports defining decision masking policies, allowing you to remove potentially sensitive values from decisions before they are logged in Styra DAS, including from Terraform plan input data. Refer to the Decision Masking documentation for full details on OPA decision masking support in Styra DAS.

Masking Sensitive Terraform Variables

If your Terraform root module defines input variables that hold sensitive values (e.g., an API key) and those variables are declared with sensitive = true, their values may still appear in cleartext in the Terraform plan that is passed to the embedded OPA in the Styra CLI, or to Styra DAS as part of the Terraform Cloud or Terraform Enterprise run task integration. For example, the value of the following variable is treated as sensitive by Terraform:

variable "PROVIDER_TOKEN" {
  description = "Token for the default provider"
  type        = string
  sensitive   = true
}

To mask these sensitive values in each decision's input in the decision log, define a decision mask at the Terraform system or stack level. For example, the system-level decision mask policy below will replace the cleartext value of any sensitive variable with **REDACTED**:

package system.log

import future.keywords

mask[{"op": "upsert", "path": path, "value": "**REDACTED**"}] {
  some key, val in input.input.configuration.root_module.variables

  # Check if the variable has sensitive set to true
  val.sensitive

  path := sprintf("/input/variables/%s", [key])
}
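As an added illustration, not code from the Styra documentation, the Python below simulates what the mask policy above does to a constructed decision-log entry: mask_ops mirrors the Rego rule (the sensitive flag is read from the variable declaration, while the cleartext value sits under the plan's top-level variables map), and apply_mask stands in for OPA's application of upsert/remove ops. The function names and the sample plan are assumptions.

```python
import json
from copy import deepcopy

# Constructed decision-log entry. Its "input" field holds a trimmed Terraform
# plan JSON: PROVIDER_TOKEN is declared sensitive, REGION is not.
DECISION_LOG_ENTRY = {
    "decision_id": "constructed-0001",
    "input": {
        "variables": {
            "PROVIDER_TOKEN": {"value": "tok-constructed-secret"},
            "REGION": {"value": "us-east-1"},
        },
        "configuration": {"root_module": {"variables": {
            "PROVIDER_TOKEN": {"description": "Token for the default provider",
                               "sensitive": True},
            "REGION": {"description": "Deployment region"},
        }}},
    },
    "result": {"allow": True},
}

def mask_ops(entry):
    """Mirror the Rego rule: one upsert op per root-module variable flagged sensitive.
    The flag lives in the declaration (configuration.root_module.variables); the
    cleartext value lives under the plan's top-level "variables" map."""
    declared = entry["input"]["configuration"]["root_module"]["variables"]
    return [
        {"op": "upsert", "path": "/input/variables/%s" % key, "value": "**REDACTED**"}
        for key, val in declared.items()
        if val.get("sensitive") is True
    ]

def apply_mask(entry, ops):
    """Apply upsert/remove ops; paths are rooted at the log entry, hence the /input prefix.
    Terraform variable names cannot contain '/', so no JSON-pointer escaping is needed."""
    masked = deepcopy(entry)
    for op in ops:
        parts = op["path"].strip("/").split("/")
        node = masked
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        if op["op"] == "upsert":
            node[parts[-1]] = op["value"]  # the whole variable object is replaced
        elif op["op"] == "remove":
            node.pop(parts[-1], None)
    return masked

if __name__ == "__main__":
    print(json.dumps(apply_mask(DECISION_LOG_ENTRY, mask_ops(DECISION_LOG_ENTRY)), indent=2))
```

Running it prints the entry with PROVIDER_TOKEN replaced by **REDACTED** while REGION, which carries no sensitive flag, is left untouched.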