Merge pull request #4970 from hashicorp/4727_sensitive_vars
allow user to mark variables as sensitive for packer push
commit
cd147e2da4
|
@ -12,6 +12,7 @@ import (
|
|||
"github.com/hashicorp/atlas-go/archive"
|
||||
"github.com/hashicorp/atlas-go/v1"
|
||||
"github.com/hashicorp/packer/helper/flag-kv"
|
||||
"github.com/hashicorp/packer/helper/flag-slice"
|
||||
"github.com/hashicorp/packer/template"
|
||||
)
|
||||
|
||||
|
@ -42,6 +43,7 @@ func (c *PushCommand) Run(args []string) int {
|
|||
var message string
|
||||
var name string
|
||||
var create bool
|
||||
var privVars []string
|
||||
|
||||
flags := c.Meta.FlagSet("push", FlagSetVars)
|
||||
flags.Usage = func() { c.Ui.Error(c.Help()) }
|
||||
|
@ -50,6 +52,7 @@ func (c *PushCommand) Run(args []string) int {
|
|||
flags.StringVar(&message, "message", "", "message")
|
||||
flags.StringVar(&name, "name", "", "name")
|
||||
flags.BoolVar(&create, "create", false, "create (deprecated)")
|
||||
flags.Var((*sliceflag.StringFlag)(&privVars), "private", "")
|
||||
if err := flags.Parse(args); err != nil {
|
||||
return 1
|
||||
}
|
||||
|
@ -202,6 +205,12 @@ func (c *PushCommand) Run(args []string) int {
|
|||
}
|
||||
|
||||
// Collect the variables from CLI args and any var files
|
||||
if privs := flags.Lookup("private"); privs != nil {
|
||||
pvf := privs.Value.(*sliceflag.StringFlag)
|
||||
pvars := []string(*pvf)
|
||||
uploadOpts.PrivVars = pvars
|
||||
}
|
||||
|
||||
uploadOpts.Vars = make(map[string]string)
|
||||
if vs := flags.Lookup("var"); vs != nil {
|
||||
f := vs.Value.(*kvflag.Flag)
|
||||
|
@ -301,6 +310,8 @@ Options:
|
|||
|
||||
-token=<token> The access token to use to when uploading
|
||||
|
||||
-private='var1,var2' List of variables to mark as sensitive in Atlas UI.
|
||||
|
||||
-var 'key=value' Variable for templates, can be used multiple times.
|
||||
|
||||
-var-file=path JSON file containing user variables.
|
||||
|
@ -346,12 +357,19 @@ func (c *PushCommand) upload(
|
|||
}
|
||||
|
||||
// Build the BuildVars struct
|
||||
|
||||
buildVars := atlas.BuildVars{}
|
||||
for k, v := range opts.Vars {
|
||||
isSensitive := false
|
||||
for _, sensitiveVar := range opts.PrivVars {
|
||||
if string(sensitiveVar) == string(k) {
|
||||
isSensitive = true
|
||||
break
|
||||
}
|
||||
}
|
||||
buildVars = append(buildVars, atlas.BuildVar{
|
||||
Key: k,
|
||||
Value: v,
|
||||
Key: k,
|
||||
Value: v,
|
||||
Sensitive: isSensitive,
|
||||
})
|
||||
}
|
||||
|
||||
|
@ -384,6 +402,7 @@ type uploadOpts struct {
|
|||
Builds map[string]*uploadBuildInfo
|
||||
Metadata map[string]interface{}
|
||||
Vars map[string]string
|
||||
PrivVars []string
|
||||
}
|
||||
|
||||
type uploadBuildInfo struct {
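Review bot: A name passed to `-private` that matches no key in `opts.Vars` is silently dropped by the loop in `upload`, so a misspelled name uploads that variable with `Sensitive: false` and its value unredacted. The usage example added to the push documentation in this same commit has exactly that mismatch (`-var 'supersecretpassword=mypassword'` against `-private=supersecretpassword1`). I would fail closed, or at least warn, in `Run` once `uploadOpts.Vars` is fully populated (that code continues outside the hunk), reporting only the variable name and never its value. Separately, both conversions in `string(sensitiveVar) == string(k)` are no-ops on values that are already strings, and the comment `// Collect the variables from CLI args and any var files` now sits above the `-private` lookup rather than the `-var` handling it describes.

```go
// … unchanged: uploadOpts.Vars filled from -var and -var-file …
for _, name := range uploadOpts.PrivVars {
	if _, ok := uploadOpts.Vars[name]; !ok {
		// Refuse to push rather than send a secret that was not marked sensitive.
		c.Ui.Error("-private: no variable named '" + name + "' is being pushed")
		return 1
	}
}
```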
|
||||
|
|
|
@ -208,6 +208,7 @@ func TestPush_vars(t *testing.T) {
|
|||
"-var", "one=two",
|
||||
"-var-file", filepath.Join(testFixture("push-vars"), "vars.json"),
|
||||
"-var", "overridden=yes",
|
||||
"-private", "super,secret",
|
||||
filepath.Join(testFixture("push-vars"), "template.json"),
|
||||
}
|
||||
if code := c.Run(args); code != 0 {
|
||||
|
@ -224,10 +225,17 @@ func TestPush_vars(t *testing.T) {
|
|||
"null": "",
|
||||
"one": "two",
|
||||
"overridden": "yes",
|
||||
"super": "this should be secret",
|
||||
"secret": "this one too",
|
||||
}
|
||||
if !reflect.DeepEqual(actualOpts.Vars, expected) {
|
||||
t.Fatalf("bad vars: got %#v\n expected %#v\n", actualOpts.Vars, expected)
|
||||
}
|
||||
|
||||
expected_priv := []string{"super", "secret"}
|
||||
if !reflect.DeepEqual(actualOpts.PrivVars, expected_priv) {
|
||||
t.Fatalf("bad vars: got %#v\n expected %#v\n", actualOpts.PrivVars, expected_priv)
|
||||
}
|
||||
}
|
||||
|
||||
func testArchive(t *testing.T, r io.Reader) []string {
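Review bot: The new assertions in `TestPush_vars` only check that `-private` reaches `actualOpts.PrivVars`; nothing visible here exercises the loop in `upload` that sets `Sensitive` on the matching `BuildVar`, nor a `-private` name that matches no variable. A case that inspects the built `atlas.BuildVars` would cover the part that actually decides whether a value is redacted. On style, `expected_priv` should be `expectedPriv`, and the second `t.Fatalf` reuses the message `bad vars`, so the two failures cannot be told apart; `bad private vars: got %#v\n expected %#v\n` would fix that. The test function begins outside the hunk.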
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
{
|
||||
"null": null,
|
||||
"bar": "baz",
|
||||
"overridden": "no"
|
||||
"overridden": "no",
|
||||
"super": "this should be secret",
|
||||
"secret": "this one too"
|
||||
}
|
||||
|
|
|
@ -15,8 +15,9 @@ type bcWrapper struct {
|
|||
|
||||
// Atlas expects a list of key/value vars
|
||||
type BuildVar struct {
|
||||
Key string `json:"key"`
|
||||
Value string `json:"value"`
|
||||
Key string `json:"key"`
|
||||
Value string `json:"value"`
|
||||
Sensitive bool `json:"sensitive"`
|
||||
}
|
||||
type BuildVars []BuildVar
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Go Checkpoint Client
|
||||
|
||||
[Checkpoint](http://checkpoint.hashicorp.com) is an internal service at
|
||||
Hashicorp that we use to check version information, broadcoast security
|
||||
Hashicorp that we use to check version information, broadcast security
|
||||
bulletins, etc.
|
||||
|
||||
We understand that software making remote calls over the internet
|
||||
|
@ -10,7 +10,7 @@ disabled in all of our software that includes it. You can view the source
|
|||
of this client to see that we're not sending any private information.
|
||||
|
||||
Each Hashicorp application has it's specific configuration option
|
||||
to disable chekpoint calls, but the `CHECKPOINT_DISABLE` makes
|
||||
to disable checkpoint calls, but the `CHECKPOINT_DISABLE` makes
|
||||
the underlying checkpoint component itself disabled. For example
|
||||
in the case of packer:
|
||||
```
|
||||
|
|
|
@ -497,11 +497,11 @@
|
|||
"revisionTime": "2016-11-07T20:49:10Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "lrfddRS4/LDKnF0sAbyZ59eUSjo=",
|
||||
"checksumSHA1": "IR7S+SOsSUnPnLxgRrfemXfCqNM=",
|
||||
"comment": "20141209094003-92-g95fa852",
|
||||
"path": "github.com/hashicorp/atlas-go/v1",
|
||||
"revision": "1792bd8de119ba49b17fd8d3c3c1f488ec613e62",
|
||||
"revisionTime": "2016-11-07T20:49:10Z"
|
||||
"revision": "0885342d5643b7a412026596f2f3ebb3c9b4c190",
|
||||
"revisionTime": "2017-06-08T19:44:05Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "cdOCt0Yb+hdErz8NAQqayxPmRsY=",
|
||||
|
|
|
@ -44,6 +44,11 @@ configuration using the options below.
|
|||
`hashicorp/precise64`, which follows the form `<username>/<buildname>`. This
|
||||
must be specified here or in your template.
|
||||
|
||||
- `-private` - A comma-separated list of variables that should be marked as
|
||||
sensitive in the Terraform Enterprise ui. These variables' keys will be
|
||||
visible, but their values will be redacted. example usage:
|
||||
`-var 'supersecretpassword=mypassword' -private=supersecretpassword1`
|
||||
|
||||
- `-var` - Set a variable in your packer template. This option can be used
|
||||
multiple times. This is useful for setting version numbers for your build.
|
||||
|
||||
|
|