When providers write logs, there may be sensitive data which should not be present in log messages or structured log fields. The tflog package supports masking data or omitting log entries entirely before they are output via the provider root logger or provider-defined subsystem loggers.
NOTE: While log filtering can help hide sensitive data, it is important to ensure the provider implementation works as expected before creating production provider releases.
Masking data in log messages or structured log fields is the process of replacing a sensitive piece of data with a placeholder piece of data. The tflog package uses *** as the replacement.
// The filter is stored in the returned context, so log with that context.
ctx = tflog.MaskMessageStrings(ctx, "my-sensitive-data")
// Will output a message of: example message with *** masked
tflog.Trace(ctx, "example message with my-sensitive-data masked")
ctx = tflog.MaskMessageRegexes(ctx, regexp.MustCompile(`[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}`))
// Will output a message of: example message with *** masked
tflog.Trace(ctx, "example message with 1234-1234-1234-1234 masked")
ctx = tflog.MaskFieldValuesWithFieldKeys(ctx, "my-sensitive-field")
// Will output: example message: my-sensitive-field=***
tflog.Trace(ctx, "example message", map[string]interface{}{"my-sensitive-field": "some-sensitive-data"})
ctx = tflog.MaskAllFieldValuesRegexes(ctx, regexp.MustCompile(`(\w{3}_SECRET)`))
// Will output: example message: contains-secret=my-super-***
tflog.Trace(ctx, "example message", map[string]interface{}{"contains-secret": "my-super-TOP_SECRET"})
ctx = tflog.MaskAllFieldValuesStrings(ctx, "TOP_SECRET")
// Will output: example message: contains-secret=my-super-***
tflog.Trace(ctx, "example message", map[string]interface{}{"contains-secret": "my-super-TOP_SECRET"})
Both functions can accept multiple string values at once to simplify filtering implementations.
»Masking Messages and Field Values via Regular Expressions
Use the tflog.MaskLogRegexes() function to obtain the same configuration and behaviour as calling tflog.MaskMessageRegexes() and tflog.MaskAllFieldValuesRegexes() with the same input.
The same applies to the subsystem loggers: tflog.SubsystemMaskLogRegexes() combines tflog.SubsystemMaskMessageRegexes() and tflog.SubsystemMaskAllFieldValuesRegexes().
»Masking Messages and Field Values via Exact Strings
Use the tflog.MaskLogStrings() function to obtain the same configuration and behaviour as calling tflog.MaskMessageStrings() and tflog.MaskAllFieldValuesStrings() with the same input.
The same applies to the subsystem loggers: tflog.SubsystemMaskLogStrings() combines tflog.SubsystemMaskMessageStrings() and tflog.SubsystemMaskAllFieldValuesStrings().
ctx = tflog.OmitLogWithMessageRegexes(ctx, regexp.MustCompile(`[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}`))
// Will not be output
tflog.Trace(ctx, "example message with 1234-1234-1234-1234 masked")
ctx = tflog.OmitLogWithFieldKeys(ctx, "my-sensitive-field")
// Will not be output
tflog.Trace(ctx, "example message", map[string]interface{}{"my-sensitive-field": "some-sensitive-data"})
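The note at the top asks that filtering be verified before a release. As an added example (not part of the tflog package or of this page's own code), this stand-alone checker scans captured JSON log output for values that still match a sensitive pattern, which catches the case where one field key is masked but the same data appears in the message or in another field. The `@message`/`@level` line layout, the sample lines, and the names `Leak`, `FindLeaks`, `sampleOutput` and `sensitive` are assumptions constructed for the illustration.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Leak records where sensitive data survived filtering.
type Leak struct {
	Line int    // 1-based line in the captured log output
	Key  string // JSON key of the offending value ("@message" is the message)
}

// Constructed sample: output after masking only the "my-sensitive-field" key.
const sampleOutput = `{"@level":"trace","@message":"example message","my-sensitive-field":"***"}
{"@level":"trace","@message":"created token some-sensitive-data","attempt":1}
{"@level":"trace","@message":"example message","other-field":"card 1234-1234-1234-1234"}`

// sensitive combines the page's card-number regex with its sample secret string.
var sensitive = regexp.MustCompile(`[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}|some-sensitive-data`)

// FindLeaks returns, sorted by line and key, every value in the JSON log
// lines that still matches re. Map order is random, hence the sort.
func FindLeaks(output string, re *regexp.Regexp) ([]Leak, error) {
	var leaks []Leak
	sc := bufio.NewScanner(strings.NewReader(output))
	for n := 1; sc.Scan(); n++ {
		var entry map[string]interface{}
		if err := json.Unmarshal(sc.Bytes(), &entry); err != nil {
			return nil, fmt.Errorf("line %d is not a JSON log entry: %w", n, err)
		}
		for key, val := range entry {
			if re.MatchString(fmt.Sprint(val)) { // Sprint also covers non-string values
				leaks = append(leaks, Leak{n, key})
			}
		}
	}
	sort.Slice(leaks, func(i, j int) bool {
		return leaks[i].Line < leaks[j].Line || (leaks[i].Line == leaks[j].Line && leaks[i].Key < leaks[j].Key)
	})
	return leaks, sc.Err()
}

func main() {
	leaks, err := FindLeaks(sampleOutput, sensitive)
	fmt.Println(leaks, err)
}
```

In the sample, the masked field on line 1 is clean, while the message on line 2 and `other-field` on line 3 are reported, which is the signal to add a message or all-field-values mask for that data.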