fix: make AWS SDK debug logging configurable (issue #2270)
This PR fixes issue #2270 where AWS SDK debug logs expose sensitive
credentials in helmfile output, by adding flexible, configurable AWS SDK
logging with secure defaults.
Problem:
--------
Despite PR #2288's fix, AWS SDK debug logs still appeared in helmfile
output, exposing sensitive information:
- AWS tokens and authorization headers
- Request/response bodies containing credentials
- Secret metadata from vals providers
Root Cause:
-----------
1. PR #2288 only suppressed vals' own logging via LogOutput: io.Discard
2. AWS SDK v2 uses separate logging (AWS_SDK_GO_LOG_LEVEL, WithClientLogMode)
3. Vals library defaulted to verbose logging (aws.LogRetries | aws.LogRequest)
4. No programmatic way to control AWS SDK logging
Solution:
---------
Two-part fix in conjunction with vals PR #893:
1. Vals library enhancement (helmfile/vals#893):
   - Added Options.AWSLogLevel field for programmatic control
   - Changed default from verbose to secure (no logging)
   - Added preset levels: off, minimal, standard, verbose
   - Maintains AWS_SDK_GO_LOG_LEVEL precedence
2. Helmfile changes (this PR):
   - Added HELMFILE_AWS_SDK_LOG_LEVEL environment variable
   - Enhanced vals configuration to use new AWSLogLevel field
   - Added conditional AWS SDK log suppression in remote.go (3 locations)
   - Comprehensive unit tests (15 test cases)
Configuration:
--------------
Preset levels via HELMFILE_AWS_SDK_LOG_LEVEL:
- "off" (default) - No logging, secure, prevents credential leakage
- "minimal" - Log retries only
- "standard" - Log retries + requests (previous default behavior)
- "verbose" - Log everything (requests, responses, bodies, signing)
- Custom - Comma-separated values (e.g., "request,response")
Priority order:
1. AWS_SDK_GO_LOG_LEVEL env var (highest)
2. HELMFILE_AWS_SDK_LOG_LEVEL env var
3. Secure default ("off")
Testing:
--------
Added comprehensive unit tests:
- pkg/plugins/vals_test.go: 9 test cases
  * TestAWSSDKLogLevelConfiguration - all preset levels
  * TestEnvironmentVariableReading - env var parsing
- pkg/remote/remote_test.go: 6 test cases
  * TestAWSSDKLogLevelInit - init() logic
All tests passing:
- pkg/plugins: PASS (3/3 test suites)
- pkg/remote: PASS (all test suites)
- golangci-lint: 0 issues
Files changed: 7 files, 271 insertions(+), 31 deletions(-)
Security:
---------
Before: Credentials exposed by default (aws.LogRetries | aws.LogRequest)
After: Credentials protected by default (no logging unless explicitly enabled)
Follows security principles:
- Secure by default
- Principle of least privilege
- Explicit opt-in for sensitive logging
- Defense in depth
Dependency:
-----------
Depends on: helmfile/vals#893
Currently using: aditmeno/vals@a97336ce2b (via go.mod replace)
After vals PR merges: Update to official release
Fixes: #2270
Related: #2288, #2289, helmfile/vals#893
Signed-off-by: Aditya Menon <amenon@canarytechnologies.com>
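As an added example that is not part of this PR or of the vals library: a self-contained Go sketch of the preset mapping and the priority order described above. It uses a local ClientLogMode type and assumed token names for the custom comma-separated form in place of aws.ClientLogMode from aws-sdk-go-v2, so it runs without the SDK; unparseable values fall back to the secure default.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)
type ClientLogMode uint64 // local stand-in (assumed) for aws.ClientLogMode of aws-sdk-go-v2; flag names mirror the SDK's
const (
	LogSigning ClientLogMode = 1 << iota
	LogRetries
	LogRequest
	LogRequestWithBody
	LogResponse
	LogResponseWithBody
)
// levels holds the PR's four presets plus the single-flag tokens accepted in a custom comma-separated value (token names assumed).
var levels = map[string]ClientLogMode{
	"off": 0, "minimal": LogRetries, "standard": LogRetries | LogRequest, "signing": LogSigning, "retries": LogRetries,
	"verbose": LogSigning | LogRetries | LogRequest | LogRequestWithBody | LogResponse | LogResponseWithBody,
	"request": LogRequest, "request_with_body": LogRequestWithBody, "response": LogResponse, "response_with_body": LogResponseWithBody,
}
// parseLevel ORs together the bits of every comma-separated token; an unknown token is an error, not a silent default.
func parseLevel(level string) (ClientLogMode, error) {
	var mode ClientLogMode
	for _, tok := range strings.Split(strings.ToLower(level), ",") {
		bit, ok := levels[strings.TrimSpace(tok)]
		if !ok {
			return 0, fmt.Errorf("unknown AWS SDK log level token %q", tok)
		}
		mode |= bit
	}
	return mode, nil
}
// resolveLogMode applies the PR's priority order: AWS_SDK_GO_LOG_LEVEL, then HELMFILE_AWS_SDK_LOG_LEVEL, then "off".
func resolveLogMode(getenv func(string) string) ClientLogMode {
	for _, key := range []string{"AWS_SDK_GO_LOG_LEVEL", "HELMFILE_AWS_SDK_LOG_LEVEL"} {
		if v := getenv(key); v != "" {
			if mode, err := parseLevel(v); err == nil {
				return mode
			}
			return 0 // unparseable value: fall back to the secure default, never to verbose logging
		}
	}
	return 0
}

func main() {
	fmt.Printf("AWS SDK client log mode bits: %06b\n", resolveLogMode(os.Getenv))
}
```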