Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

builder: don't log requests/responses by default #368

Merged
merged 1 commit into from
Feb 9, 2024
Merged

builder: don't log requests/responses by default #368

merged 1 commit into from
Feb 9, 2024

Conversation

lbajolet-hashicorp
Copy link
Contributor

The logs of the Azure builder are very verbose by default, as they log the contents of every request/response to/from the Azure APIs.

For regular debugging of a template, this is not necessary, as just looking at the errors returned by the calls will generally give enough information to proceed with fixing the template.

These logs may be relevant when attempting to debug the plugin itself however, so we add one extra environment variable to allow the plugin to print them out, PACKER_AZURE_DEBUG_LOGS.
If it is defined, and non empty, the requests and responses will be dumped to stderr, otherwise, they are silent.

@lbajolet-hashicorp lbajolet-hashicorp requested a review from a team as a code owner February 1, 2024 16:55
nywilken
nywilken reviewed Feb 1, 2024
View reviewed changes
Copy link
Contributor

@nywilken nywilken left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the approach is sound and I see why we want to keep and not just get rid of them. Where should this information be documented?

builder/azure/common/inspector.go Outdated Show resolved Hide resolved
builder/azure/common/env.go Outdated Show resolved Hide resolved
@lbajolet-hashicorp lbajolet-hashicorp force-pushed the dont_inspect_all_requests_by_default branch from 39437df to a9e4d7c Compare February 1, 2024 20:42
@lbajolet-hashicorp
Copy link
Contributor Author

I think the approach is sound and I see why we want to keep and not just get rid of them. Where should this information be documented?

That's a good question. This is probably something we should detail in the main README for the plugin.
Or we could leave it undocumented and only share about it if needed; I'm not sure this is the kind of capability we want to make every user aware of because of the risk of dumping that traffic on stderr.
What do you think?

@nywilken
Copy link
Contributor

nywilken commented Feb 5, 2024

Or we could leave it undocumented and only share about it if needed; I'm not sure this is the kind of capability we want to make every user aware of because of the risk of dumping that traffic on stderr.

I don't think leaving it undocumented helps the situation. I would rather inform users of the potential risk as opposed to having say I didn't know that was possible. In this case, I think the right thing to do is add a section to the integration README for Troubleshooting.

In this section, we can explain the use of PACKER_LOG and PACKER_AZURE_DEBUG_LOG for gaining greater visibility into the API calls made by the plugin.

Setting PACKER_AZURE_DEBUG_LOG will enable logging of all HTTP requests made to Azure API endpoints to stdout, which may contain sensitive information such as passwords or access keys as raw text. As a security precaution, Azure debug logging is not available by default. Users wishing to enable such granular logging are encouraged to do so on an as-needed basis and only on trusted hosts.

@lbajolet-hashicorp lbajolet-hashicorp force-pushed the dont_inspect_all_requests_by_default branch from a9e4d7c to f54593f Compare February 7, 2024 19:22
@lbajolet-hashicorp
Copy link
Contributor Author

@nywilken good call; I like the Troubleshooting section idea.

I've just pushed docs update for this, when you have time please let me know what you think about it.

nywilken
nywilken approved these changes Feb 8, 2024
View reviewed changes
Copy link
Contributor

@nywilken nywilken left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small changes to the text but otherwise good to go.

docs/README.md Outdated Show resolved Hide resolved
@lbajolet-hashicorp lbajolet-hashicorp force-pushed the dont_inspect_all_requests_by_default branch from f54593f to 0d83598 Compare February 9, 2024 15:00
@lbajolet-hashicorp
builder: don't log requests/responses by default
cbeb24e 
The logs of the Azure builder are very verbose by default, as they log
the contents of every request/response to/from the Azure APIs.

For regular debugging of a template, this is not necessary, as just
looking at the errors returned by the calls will generally give enough
information to proceed with fixing the template.

These logs may be relevant when attempting to debug the plugin itself
however, so we add one extra environment variable to allow the plugin to
print them out, PACKER_AZURE_DEBUG_LOGS.
If it is defined, and non empty, the requests and responses will be
dumped to stderr, otherwise, they are silent.
@lbajolet-hashicorp lbajolet-hashicorp force-pushed the dont_inspect_all_requests_by_default branch from 0d83598 to cbeb24e Compare February 9, 2024 15:01
@lbajolet-hashicorp lbajolet-hashicorp merged commit 02f2453 into main Feb 9, 2024
12 checks passed
@lbajolet-hashicorp lbajolet-hashicorp deleted the dont_inspect_all_requests_by_default branch February 9, 2024 16:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nywilken nywilken nywilken approved these changes

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lbajolet-hashicorp @nywilken