From 1cc5e9e774d4eb17b954a71f9cd116e581c93340 Mon Sep 17 00:00:00 2001 From: halprin Date: Thu, 8 Feb 2024 10:53:59 -0700 Subject: [PATCH 1/2] 753: Mask the database hostname --- .github/workflows/terraform-deploy_reusable.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/terraform-deploy_reusable.yml b/.github/workflows/terraform-deploy_reusable.yml index dd8dc639e..75ad5e5d3 100644 --- a/.github/workflows/terraform-deploy_reusable.yml +++ b/.github/workflows/terraform-deploy_reusable.yml @@ -76,13 +76,18 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + - name: stuff + run: | + DATABASE_HOSTNAME=$(terraform output -raw database_hostname) + echo "::add-mask::$DATABASE_HOSTNAME" + echo "DATABASE_HOSTNAME=$DATABASE_HOSTNAME" >> "$GITHUB_ENV" + - name: Run Db migration uses: liquibase-github-actions/update@v4.25.1 with: changelogFile: ./etor/databaseMigrations/root.yml - url: "jdbc:postgresql://$(terraform output -raw database_hostname):5432/postgres" + url: "jdbc:postgresql://${{ env.DATABASE_HOSTNAME }}:5432/postgres" username: cdcti-github - password: $(az account get-access-token --resource-type oss-rdbms --query "[accessToken]" -o tsv) rollbackOnError: true - id: export-terraform-output From 61d843087aceca70a21c2a8a7e8b1f39546e5aca Mon Sep 17 00:00:00 2001 From: halprin Date: Thu, 8 Feb 2024 11:01:02 -0700 Subject: [PATCH 2/2] 753: Extract database password into GitHub Env while masking it --- .github/workflows/terraform-deploy_reusable.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/terraform-deploy_reusable.yml b/.github/workflows/terraform-deploy_reusable.yml index 75ad5e5d3..fc5fab6bd 100644 --- a/.github/workflows/terraform-deploy_reusable.yml +++ b/.github/workflows/terraform-deploy_reusable.yml 
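Review bot: `DATABASE_HOSTNAME` is masked and written to `$GITHUB_ENV` in the added `run` block without checking that `terraform output -raw database_hostname` returned a non-empty, single-line value. An empty result would leave nothing for `::add-mask::` to mask and would render the Liquibase `url` as `jdbc:postgresql://:5432/postgres`, and a value containing a newline would add extra lines to the env file. A guard before the `echo` lines would cover both cases, e.g. `case "$DATABASE_HOSTNAME" in ''|*$'\n'*) echo "unexpected database_hostname output" >&2; exit 1;; esac`. The same block is carried into the first hunk of PATCH 2/2, where the check applies to `DATABASE_PASSWORD` as well. The job's earlier steps start outside the hunk, so whether Terraform is initialised (or wrapped) before this step cannot be confirmed from here.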
@@ -76,11 +76,14 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - name: stuff + - name: Extract database hostname and password into GitHub Env run: | DATABASE_HOSTNAME=$(terraform output -raw database_hostname) + DATABASE_PASSWORD=$(az account get-access-token --resource-type oss-rdbms --query "[accessToken]" -o tsv) echo "::add-mask::$DATABASE_HOSTNAME" + echo "::add-mask::$DATABASE_PASSWORD" echo "DATABASE_HOSTNAME=$DATABASE_HOSTNAME" >> "$GITHUB_ENV" + echo "DATABASE_PASSWORD=$DATABASE_PASSWORD" >> "$GITHUB_ENV" - name: Run Db migration uses: liquibase-github-actions/update@v4.25.1 @@ -88,6 +91,7 @@ jobs: changelogFile: ./etor/databaseMigrations/root.yml url: "jdbc:postgresql://${{ env.DATABASE_HOSTNAME }}:5432/postgres" username: cdcti-github + password: ${{ env.DATABASE_PASSWORD }} rollbackOnError: true - id: export-terraform-output
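Review bot: Writing `DATABASE_PASSWORD` to `$GITHUB_ENV` puts the access token in the environment of every later step in the job, including `export-terraform-output` and whatever follows it outside the hunk, although only the Liquibase step uses it. A step output keeps the value reachable only where it is referenced: give the step `id: db-credentials`, replace the last `echo` with `echo "password=$DATABASE_PASSWORD" >> "$GITHUB_OUTPUT"`, and in the second hunk use `password: ${{ steps.db-credentials.outputs.password }}`. The `::add-mask::` line should stay ahead of that write, as it is now. A comment above the `az account get-access-token` line, such as `# Azure access token for oss-rdbms, used as the database password`, would also tell the next reader why this value is masked.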
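Review bot: The `password` input added here hands a live database token to `liquibase-github-actions/update@v4.25.1`, which is referenced by a tag rather than a commit. A tag can be moved upstream, so this workflow does not fix which code receives the token; pinning the reference to a full commit SHA, `uses: liquibase-github-actions/update@<full-commit-sha> # v4.25.1`, would. The `uses:` line sits in the previous hunk as unchanged context, and the step itself starts outside this hunk.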