RepoJournal
HashiCorp

@hashicorp

Terraform, Vault, Consul — infra-as-code for ops teams

Pick a date

Topics: Go Infrastructure Full archive →

The Wire · Showcase

CONSUL PLUGS TOKEN LEAK, AWS PROVIDER EXPANDS AI AND BEDROCK SUPPORT

By RepoJournal · Filed · About HashiCorp

Consul's debug logs were exposing ACL tokens in plaintext, a critical flaw now patched before it reaches production.

The Consul team caught and fixed a token leak in debug logging where the full request URL, including plaintext ACL tokens in query parameters, was being logged [1] [2]. This is the kind of credential exposure that bypasses your security controls entirely, so patch immediately. On the AWS provider front, the team is shipping three meaningful expansions: Bedrock now supports managed knowledge bases [3], GuardDuty detectors can configure the new AI_PROTECTION and AI_ANALYST features [4], and S3 bucket notifications gain list operation support [5]. The secretsmanager_secret resource also underwent a refactor to remove the Read function from its List operation [6] [7], a subtle but important change for how the provider handles resource enumeration. Over in consul-k8s, the team implemented a deterministic patch-coverage merge gate that enforces 90% test coverage on new code in PRs [8] [9], removing the dependency on Codecov and making coverage decisions repeatable. This is the kind of CI hardening that prevents coverage regressions from slipping through.

Action items

References

  1. [1] fix debug token leak. (#23731) hashicorp/consul
  2. [2] fix debug token leak. ↗ hashicorp/consul
  3. [3] feat(bedrockagent): add Managed Knowledge Base support (type=MANAGED) ↗ hashicorp/terraform-provider-aws
  4. [4] guardduty: Add support for AI_PROTECTION and AI_ANALYST feature names ↗ hashicorp/terraform-provider-aws
  5. [5] aws_s3_bucket_notification: Add list support ↗ hashicorp/terraform-provider-aws
  6. [6] list resource/aws_secretsmanager_secret: Removes resource Read function from List ↗ hashicorp/terraform-provider-aws
  7. [7] Merge pull request #48856 from hashicorp/td-no-read-in-list-secretsmanager-secret hashicorp/terraform-provider-aws
  8. [8] ci: gate PR merges on >=90% patch coverage ↗ hashicorp/consul-k8s
  9. [9] ci: gate PR merges on >=90% patch coverage (#5424) hashicorp/consul-k8s

Quick answers

What shipped in HashiCorp on July 17, 2026?
Consul's debug logs were exposing ACL tokens in plaintext, a critical flaw now patched before it reaches production. In total, 17 commits and 12 pull requests landed.
Who contributed to HashiCorp on July 17, 2026?
7 developers shipped this update, including Paras Gupta, gdavison, sbldevnet, DanyStinson, subham-ibmhc, Surabhi-1605, and pajay-rao.
What were the notable HashiCorp updates?
fix debug token leak. (#23731), fix debug token leak, and feat(bedrockagent): add Managed Knowledge Base support (type=MANAGED).

More from @hashicorp

Daily updates, in your inbox

Follow HashiCorp

Terraform, Vault, Consul — infra-as-code for ops teams We'll email you a link to confirm first.

Free. Confirm via email. Unsubscribe in one click.

— or follow the whole beat:

Elsewhere on the wire