Potential fix for https://github.com/awslabs/amazon-documentdb-tools/security/code-scanning/1

In general, the fix is to avoid logging secrets or other sensitive values, especially those retrieved from secret stores. You can still log non-sensitive context (like the cluster name or that a secret was fetched) without including the secret value itself. If some visibility is required for debugging, a safe alternative is to log a redacted or hashed version, or to enable more detailed secret logging only in tightly controlled debug environments—though even that should be done carefully.

For this specific code, the minimal and safest change is to modify get_cluster_connection_string so that it no longer logs the actual connection_string. Line 128 currently logs both the cluster name and the full connection string. We should keep the informative part (that the secret was fetched for the given cluster) but remove the secret from the message. For example, change:

logger.info("Successfully fetched the connection string of the cluster_name: %s. Connection string: %s", cluster_name, connection_string)

to:

logger.info("Successfully fetched the connection string of the cluster_name: %s.", cluster_name)

No new imports or helper methods are required. This change is fully backward compatible with functional behavior (no effect on business logic), only reducing the amount of sensitive data written to logs. It will also address all alert variants pointing to this logging statement, since they all stem from the same sink.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.