From bb22cfcf3497c74523060c5f98649b307291534b Mon Sep 17 00:00:00 2001
From: Adrien Delorme <adrien.delorme@icloud.com>
Date: Fri, 2 Oct 2020 10:17:07 +0200
Subject: [PATCH] HCL2: pass sensitive variables to packer.LogSecretFilter

Co-Authored-By: Megan Marsh <1008838+SwampDragons@users.noreply.github.com>
---
 hcl2template/parser.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/hcl2template/parser.go b/hcl2template/parser.go
index 776d6abec..a22008147 100644
--- a/hcl2template/parser.go
+++ b/hcl2template/parser.go
@@ -9,6 +9,7 @@ import (
 	"github.com/hashicorp/hcl/v2/ext/dynblock"
 	"github.com/hashicorp/hcl/v2/hclparse"
 	"github.com/hashicorp/packer/packer"
+	"github.com/zclconf/go-cty/cty"
 )
 
 const (
@@ -177,6 +178,22 @@ func (cfg *PackerConfig) Initialize() hcl.Diagnostics {
 	diags = append(diags, moreDiags...)
 	diags = append(diags, cfg.evaluateLocalVariables(cfg.LocalBlocks)...)
 
+	for _, variable := range cfg.InputVariables {
+		if !variable.Sensitive {
+			continue
+		}
+		value, _ := variable.Value()
+		if !value.IsWhollyKnown() && value.IsNull() && !value.Type().Equals(cty.String) {
+			continue
+		}
+		cty.Walk(value, func(_ cty.Path, nested cty.Value) (bool, error) {
+			if nested.IsWhollyKnown() && !nested.IsNull() && nested.Type().Equals(cty.String) {
+				packer.LogSecretFilter.Set(nested.AsString())
+			}
+			return true, nil
+		})
+	}
+
 	// decode the actual content
 	for _, file := range cfg.files {
 		diags = append(diags, cfg.parser.decodeConfig(file, cfg)...)