fix(cli): logs entire environment (#623)

Right now the CLI logs the entire environment to debug logging. This is
a lot of data, and potentially also includes tokens we'd rather don't
end up in logging.

Instead, just log our additions to the existing environment.

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license

Author: rix0rrr

packages/@aws-cdk/cli-lib-alpha/lib/cli.ts

@@ -137,7 +137,7 @@ export class AwsCdkCli implements IAwsCdkCli {
           ...params.env,
         };
 
-        const cleanupContext = await writeContextToEnv(env, fullCtx);
+        const cleanupContext = await writeContextToEnv(env, fullCtx, 'env-is-complete');
         try {
           return await withEnv(async() => createAssembly(await producer.produce(fullCtx)), env);
         } finally {

packages/@aws-cdk/toolkit-lib/lib/api/cloud-assembly/private/prepare-source.ts

@@ -179,15 +179,21 @@ export class ExecutionEnvironment implements AsyncDisposable {
  * This *would* have returned an `IAsyncDisposable` but that requires messing
  * with TypeScript type definitions to use it in aws-cdk, so returning an
  * explicit cleanup function is easier.
+ *
+ * `completeness` indicates whether this `env` block represents the full `env`
+ * that will be passed to a subprocess, or whether it will be mixed into
+ * `process.env` later.
  */
-export function writeContextToEnv(env: Env, context: Context) {
+export function writeContextToEnv(env: Env, context: Context, completeness: 'add-process-env-later' | 'env-is-complete') {
   let contextOverflowLocation = null;
 
   // On Windows, all envvars together must fit in a 32k block (<https://devblogs.microsoft.com/oldnewthing/20100203-00>)
   // On Linux, a single entry may not exceed 131k; but we're treating it as all together because that's safe
   // and it's a single execution path for both platforms.
   const envVariableSizeLimit = os.platform() === 'win32' ? 32760 : 131072;
-  const [smallContext, overflow] = splitBySize(context, spaceAvailableForContext(env, envVariableSizeLimit));
+
+  const completeEnv = { ...completeness === 'add-process-env-later' ? process.env : {}, ...env };
+  const [smallContext, overflow] = splitBySize(context, spaceAvailableForContext(completeEnv, envVariableSizeLimit));
 
   // Store the safe part in the environment variable
   env[cxapi.CONTEXT_ENV] = JSON.stringify(smallContext);

packages/@aws-cdk/toolkit-lib/lib/api/cloud-assembly/source-builder.ts

@@ -342,7 +342,7 @@ export abstract class CloudAssemblySourceBuilder {
             ...synthParams.env,
           });
 
-          const cleanupContextTemp = writeContextToEnv(env, fullContext);
+          const cleanupContextTemp = writeContextToEnv(env, fullContext, 'env-is-complete');
           using _cleanupEnv = (props.clobberEnv ?? true) ? temporarilyWriteEnv(env) : undefined;
           let assembly;
           try {
@@ -498,7 +498,7 @@ export abstract class CloudAssemblySourceBuilder {
             // Environment variables derived from settings
             ...synthParams.env,
           });
-          const cleanupTemp = writeContextToEnv(env, fullContext);
+          const cleanupTemp = writeContextToEnv(env, fullContext, 'env-is-complete');
           try {
             await execInChildProcess(commandLine.join(' '), {
               eventPublisher: async (type, line) => {

packages/aws-cdk/lib/cxapp/exec.ts

@@ -29,14 +29,12 @@ export async function execProgram(aws: SdkProvider, ioHelper: IoHelper, config:
   await debugFn(format('context:', context));
 
   const env: Record<string, string> = noUndefined({
-    // Need to start with full env of `writeContextToEnv` will not be able to do the size
-    // calculation correctly.
-    ...process.env,
     // Versioning, outdir, default account and region
     ...await prepareDefaultEnvironment(aws, debugFn),
     // Environment variables derived from settings
     ...params.env,
   });
+
   const build = config.settings.get(['build']);
   if (build) {
     await exec(build);
@@ -73,6 +71,7 @@ export async function execProgram(aws: SdkProvider, ioHelper: IoHelper, config:
   }
 
   await debugFn(`outdir: ${outdir}`);
+
   env[cxapi.OUTDIR_ENV] = outdir;
 
   // Acquire a lock on the output directory
@@ -84,7 +83,7 @@ export async function execProgram(aws: SdkProvider, ioHelper: IoHelper, config:
 
   await debugFn(format('env:', env));
 
-  const cleanupTemp = writeContextToEnv(env, context);
+  const cleanupTemp = writeContextToEnv(env, context, 'add-process-env-later');
   try {
     await exec(commandLine.join(' '));
 

packages/aws-cdk/test/cxapp/exec.test.ts

@@ -164,6 +164,34 @@ test('the application set in --app is executed', async () => {
   await lock.release();
 });
 
+test('execProgram will not log existing environment variables', async () => {
+  const varName = 'SOME_BOGUS_VAR';
+
+  // GIVEN
+  ioHost.level = 'debug';
+  config.settings.set(['app'], 'cloud-executable');
+  mockSpawn({
+    commandLine: 'cloud-executable',
+    sideEffect: () => writeOutputAssembly(),
+  });
+
+  // WHEN
+  process.env[varName] = 'hello';
+  const { lock } = await execProgram(sdkProvider, ioHelper, config);
+  await lock.release();
+  delete process.env[varName];
+
+  // THEN
+  const envMessage = (ioHost.notifySpy.mock.calls as Array<{ message: string }[]>)
+    .map(([arg0]) => arg0)
+    .find((arg0) => arg0.message.includes('env:'));
+
+  expect(envMessage).toBeDefined();
+  expect(envMessage!.message).not.toContain(varName);
+
+  ioHost.level = 'info';
+});
+
 test('the application set in --app is executed as-is if it contains a filename that does not exist', async () => {
   // GIVEN
   config.settings.set(['app'], 'does-not-exist');