Merge pull request #4970 from hashicorp/4727_sensitive_vars

allow user to mark variables as sensitive for packer push
Matthew Hooker 2017-06-08 15:27:37 -07:00 committed by GitHub
commit cd147e2da4
7 changed files with 46 additions and 11 deletions


@ -12,6 +12,7 @@ import (
"github.com/hashicorp/atlas-go/archive"
"github.com/hashicorp/atlas-go/v1"
"github.com/hashicorp/packer/helper/flag-kv"
"github.com/hashicorp/packer/helper/flag-slice"
"github.com/hashicorp/packer/template"
)
@ -42,6 +43,7 @@ func (c *PushCommand) Run(args []string) int {
var message string
var name string
var create bool
var privVars []string
flags := c.Meta.FlagSet("push", FlagSetVars)
flags.Usage = func() { c.Ui.Error(c.Help()) }
@ -50,6 +52,7 @@ func (c *PushCommand) Run(args []string) int {
flags.StringVar(&message, "message", "", "message")
flags.StringVar(&name, "name", "", "name")
flags.BoolVar(&create, "create", false, "create (deprecated)")
flags.Var((*sliceflag.StringFlag)(&privVars), "private", "")
if err := flags.Parse(args); err != nil {
return 1
}
@ -202,6 +205,12 @@ func (c *PushCommand) Run(args []string) int {
}
// Collect the variables from CLI args and any var files
if privs := flags.Lookup("private"); privs != nil {
pvf := privs.Value.(*sliceflag.StringFlag)
pvars := []string(*pvf)
uploadOpts.PrivVars = pvars
}
uploadOpts.Vars = make(map[string]string)
if vs := flags.Lookup("var"); vs != nil {
f := vs.Value.(*kvflag.Flag)
@ -301,6 +310,8 @@ Options:
-token=<token> The access token to use to when uploading
-private='var1,var2' List of variables to mark as sensitive in Atlas UI.
-var 'key=value' Variable for templates, can be used multiple times.
-var-file=path JSON file containing user variables.
@ -346,12 +357,19 @@ func (c *PushCommand) upload(
}
// Build the BuildVars struct
buildVars := atlas.BuildVars{}
for k, v := range opts.Vars {
isSensitive := false
for _, sensitiveVar := range opts.PrivVars {
if string(sensitiveVar) == string(k) {
isSensitive = true
break
}
}
buildVars = append(buildVars, atlas.BuildVar{
Key: k,
Value: v,
Key: k,
Value: v,
Sensitive: isSensitive,
})
}
@ -384,6 +402,7 @@ type uploadOpts struct {
Builds map[string]*uploadBuildInfo
Metadata map[string]interface{}
Vars map[string]string
PrivVars []string
}
type uploadBuildInfo struct {
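Review bot: A name given to `-private` that matches no key in `opts.Vars` is silently ignored by the new loop in `upload`, so a misspelt name sends that variable to Atlas with `Sensitive: false` and the user gets no indication. The documentation example added in this same commit pairs `-var 'supersecretpassword=mypassword'` with `-private=supersecretpassword1`, which is exactly that case. I would reject unknown names in `Run` once `uploadOpts.Vars` has been filled from `-var` and `-var-file`; that collection code continues past the visible hunk, so the exact placement needs checking. If the flag splits on commas without trimming (its `Set` is not shown here), a value such as `'var1, var2'` would fail to match in the same way.

```go
// … unchanged: uploadOpts.Vars filled from -var and -var-file …
for _, name := range uploadOpts.PrivVars {
	if _, ok := uploadOpts.Vars[name]; !ok {
		c.Ui.Error(fmt.Sprintf(
			"-private: %q is not a variable in this push", name))
		return 1
	}
}
```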


@ -208,6 +208,7 @@ func TestPush_vars(t *testing.T) {
"-var", "one=two",
"-var-file", filepath.Join(testFixture("push-vars"), "vars.json"),
"-var", "overridden=yes",
"-private", "super,secret",
filepath.Join(testFixture("push-vars"), "template.json"),
}
if code := c.Run(args); code != 0 {
@ -224,10 +225,17 @@ func TestPush_vars(t *testing.T) {
"null": "",
"one": "two",
"overridden": "yes",
"super": "this should be secret",
"secret": "this one too",
}
if !reflect.DeepEqual(actualOpts.Vars, expected) {
t.Fatalf("bad vars: got %#v\n expected %#v\n", actualOpts.Vars, expected)
}
expected_priv := []string{"super", "secret"}
if !reflect.DeepEqual(actualOpts.PrivVars, expected_priv) {
t.Fatalf("bad vars: got %#v\n expected %#v\n", actualOpts.PrivVars, expected_priv)
}
}
func testArchive(t *testing.T, r io.Reader) []string {
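Review bot: The added assertions in `TestPush_vars` only check that `-private` reaches `actualOpts.PrivVars`; nothing visible asserts that the resulting `atlas.BuildVar` entries carry `Sensitive: true` for `super` and `secret` and `false` for the others, which is the property the flag exists to provide. If `actualOpts` is captured before the BuildVars loop in `upload` runs (the capture is outside the hunk), that loop has no coverage. On style, `expected_priv` should be `expectedPriv`, and the second failure message should differ from the first, e.g. `t.Fatalf("bad private vars: got %#v\n expected %#v\n", actualOpts.PrivVars, expectedPriv)`.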


@ -1,5 +1,7 @@
{
"null": null,
"bar": "baz",
"overridden": "no"
"overridden": "no",
"super": "this should be secret",
"secret": "this one too"
}


@ -15,8 +15,9 @@ type bcWrapper struct {
// Atlas expects a list of key/value vars
type BuildVar struct {
Key string `json:"key"`
Value string `json:"value"`
Key string `json:"key"`
Value string `json:"value"`
Sensitive bool `json:"sensitive"`
}
type BuildVars []BuildVar


@ -1,7 +1,7 @@
# Go Checkpoint Client
[Checkpoint](http://checkpoint.hashicorp.com) is an internal service at
Hashicorp that we use to check version information, broadcoast security
Hashicorp that we use to check version information, broadcast security
bulletins, etc.
We understand that software making remote calls over the internet
@ -10,7 +10,7 @@ disabled in all of our software that includes it. You can view the source
of this client to see that we're not sending any private information.
Each Hashicorp application has it's specific configuration option
to disable chekpoint calls, but the `CHECKPOINT_DISABLE` makes
to disable checkpoint calls, but the `CHECKPOINT_DISABLE` makes
the underlying checkpoint component itself disabled. For example
in the case of packer:
```

6
vendor/vendor.json vendored

@ -497,11 +497,11 @@
"revisionTime": "2016-11-07T20:49:10Z"
},
{
"checksumSHA1": "lrfddRS4/LDKnF0sAbyZ59eUSjo=",
"checksumSHA1": "IR7S+SOsSUnPnLxgRrfemXfCqNM=",
"comment": "20141209094003-92-g95fa852",
"path": "github.com/hashicorp/atlas-go/v1",
"revision": "1792bd8de119ba49b17fd8d3c3c1f488ec613e62",
"revisionTime": "2016-11-07T20:49:10Z"
"revision": "0885342d5643b7a412026596f2f3ebb3c9b4c190",
"revisionTime": "2017-06-08T19:44:05Z"
},
{
"checksumSHA1": "cdOCt0Yb+hdErz8NAQqayxPmRsY=",


@ -44,6 +44,11 @@ configuration using the options below.
`hashicorp/precise64`, which follows the form `<username>/<buildname>`. This
must be specified here or in your template.
- `-private` - A comma-separated list of variables that should be marked as
sensitive in the Terraform Enterprise ui. These variables' keys will be
visible, but their values will be redacted. example usage:
`-var 'supersecretpassword=mypassword' -private=supersecretpassword1`
- `-var` - Set a variable in your packer template. This option can be used
multiple times. This is useful for setting version numbers for your build.