Refactor org to hide AWS account IDs #27
Assignees
Labels
Comments
chris3ware
added
enhancement
|
Using the sensitive function on the aws_caller_id data source has masked the value on parts of the plan, when the policy is "known after apply" - for example in an iam policy. But on a bucket policy, using the same sensitive function doesn't work because the policy document has already been read so is "known before apply" I've tried using the global condition key: aws:PrincipalAccount in the bucket policy, but this fails to apply. Next is to replace the data source with an input variable marked as sensitive. |
|
Using a variable with |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
While working on the pipeline, the plan output contains a number of policy documents that contain the full arn, which includes the AWS account ID. Try and mask these if possible.
The text was updated successfully, but these errors were encountered: