From fdca364f4b4cadc71b649e401a110f55025bb9b7 Mon Sep 17 00:00:00 2001
From: Megan Marsh
Date: Mon, 5 Jun 2017 15:27:34 -0700
Subject: [PATCH 1/4] allow user to mark variables as sensitive for packer push
---
 command/meta.go | 3 +++
 command/push.go | 21 ++++++++++++++++---
 command/push_test.go | 8 +++++++
 command/test-fixtures/push-vars/vars.json | 4 +++-
 .../hashicorp/atlas-go/v1/build_config.go | 5 +++--
 .../hashicorp/go-checkpoint/README.md | 4 ++--
 vendor/vendor.json | 11 +++++-----
 7 files changed, 43 insertions(+), 13 deletions(-)
diff --git a/command/meta.go b/command/meta.go
index b8dfdfbf5..584d87e88 100644
--- a/command/meta.go
+++ b/command/meta.go
@@ -33,6 +33,7 @@ type Meta struct {
 // These are set by command-line flags
 flagBuildExcept []string
 flagBuildOnly []string
+ flagPrivVars []string
 flagVars map[string]string
 }
@@ -119,6 +120,8 @@ func (m *Meta) FlagSet(n string, fs FlagSetFlags) *flag.FlagSet {
 if fs&FlagSetVars != 0 {
 f.Var((*kvflag.Flag)(&m.flagVars), "var", "")
 f.Var((*kvflag.FlagJSON)(&m.flagVars), "var-file", "")
+ // designate any of the above variables that are private
+ f.Var((*sliceflag.StringFlag)(&m.flagPrivVars), "private", "")
 }
 // Create an io.Writer that writes to our Ui properly for errors.
diff --git a/command/push.go b/command/push.go
index a0edd6b84..e2d898134 100644
--- a/command/push.go
+++ b/command/push.go
@@ -12,6 +12,7 @@ import (
 "github.com/hashicorp/atlas-go/archive"
 "github.com/hashicorp/atlas-go/v1"
 "github.com/hashicorp/packer/helper/flag-kv"
+ "github.com/hashicorp/packer/helper/flag-slice"
 "github.com/hashicorp/packer/template"
 )
@@ -190,6 +191,12 @@ func (c *PushCommand) Run(args []string) int {
 }
 // Collect the variables from CLI args and any var files
+ if privs := flags.Lookup("private"); privs != nil {
+ pvf := privs.Value.(*sliceflag.StringFlag)
+ pvars := []string(*pvf)
+ uploadOpts.PrivVars = pvars
+ }
+
 uploadOpts.Vars = make(map[string]string)
 if vs := flags.Lookup("var"); vs != nil {
 f := vs.Value.(*kvflag.Flag)
@@ -334,12 +341,19 @@ func (c *PushCommand) upload(
 }
 // Build the BuildVars struct
- buildVars := atlas.BuildVars{}
 for k, v := range opts.Vars {
+ isSensitive := false
+ for _, sensitiveVar := range opts.PrivVars {
+ if string(sensitiveVar) == string(k) {
+ isSensitive = true
+ break
+ }
+ }
 buildVars = append(buildVars, atlas.BuildVar{
- Key: k,
- Value: v,
+ Key: k,
+ Value: v,
+ Sensitive: isSensitive,
 })
 }
@@ -372,6 +386,7 @@ type uploadOpts struct {
 Builds map[string]*uploadBuildInfo
 Metadata map[string]interface{}
 Vars map[string]string
+ PrivVars []string
 }
 type uploadBuildInfo struct {
diff --git a/command/push_test.go b/command/push_test.go
index 35dd27050..b1af61799 100644
--- a/command/push_test.go
+++ b/command/push_test.go
@@ -208,6 +208,7 @@ func TestPush_vars(t *testing.T) {
 "-var", "one=two",
 "-var-file", filepath.Join(testFixture("push-vars"), "vars.json"),
 "-var", "overridden=yes",
+ "-private", "super,secret",
 filepath.Join(testFixture("push-vars"), "template.json"),
 }
 if code := c.Run(args); code != 0 {
@@ -224,10 +225,17 @@ func TestPush_vars(t *testing.T) {
 "null": "",
 "one": "two",
 "overridden": "yes",
+ "super": "this should be secret",
+ "secret": "this one too",
 }
 if !reflect.DeepEqual(actualOpts.Vars, expected) {
 t.Fatalf("bad vars: got %#v\n expected %#v\n", actualOpts.Vars, expected)
 }
+
+ expected_priv := []string{"super", "secret"}
+ if !reflect.DeepEqual(actualOpts.PrivVars, expected_priv) {
+ t.Fatalf("bad vars: got %#v\n expected %#v\n", actualOpts.PrivVars, expected_priv)
+ }
 }
 func testArchive(t *testing.T, r io.Reader) []string {
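Review bot: A name passed to `-private` that matches no key in opts.Vars is silently ignored by the new isSensitive loop in upload, so a typo or mismatch leaves that value uploaded unredacted — the docs example later in this series pairs `-var 'supersecretpassword=mypassword'` with `-private=supersecretpassword1`, a pair this loop would not mark. I would build a set from opts.PrivVars, consume entries as keys are matched, and report (and preferably abort on) any name left over; that also replaces the quadratic inner loop and the redundant `string(sensitiveVar) == string(k)` conversions, since both sides are already strings. As rendered here the hunk also removes `buildVars := atlas.BuildVars{}` without re-adding it; unless buildVars is declared earlier in upload (outside the hunk), the append on the new side has no declaration, which is worth confirming against the file. upload's signature and return are outside the hunk, so the abort is left as a comment below.
```go
	// Build the BuildVars struct
	sensitive := make(map[string]bool, len(opts.PrivVars))
	for _, name := range opts.PrivVars {
		sensitive[name] = true
	}
	for k, v := range opts.Vars {
		buildVars = append(buildVars, atlas.BuildVar{
			Key:       k,
			Value:     v,
			Sensitive: sensitive[k],
		})
		delete(sensitive, k) // anything left over was never supplied by -var/-var-file
	}
	for name := range sensitive {
		c.Ui.Error("variable " + name + " was marked -private but is not set by -var or -var-file")
		// abort here via upload's error return (signature outside the hunk) rather than
		// continuing with the remaining values treated as non-sensitive
	}
	// … unchanged: rest of upload …
```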
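Review bot: In the second push_test.go hunk the new assertion reuses the message `bad vars:` from the Vars check, so a PrivVars failure cannot be told apart in test output, and `expected_priv` is snake_case where the surrounding Go code uses mixedCaps; I would write `expectedPriv := []string{"super", "secret"}` and `t.Fatalf("bad private vars: got %#v\n expected %#v\n", actualOpts.PrivVars, expectedPriv)`. The test also only checks that the names reach uploadOpts.PrivVars; nothing in this series asserts that the BuildVar for `super` is built with Sensitive set, which is the behaviour the feature exists for. If actualOpts is captured through a stubbed upload (the capture is outside the hunk), a small unit test on the BuildVars construction would close that gap.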
diff --git a/command/test-fixtures/push-vars/vars.json b/command/test-fixtures/push-vars/vars.json
index 4d5c9cc27..44edd612c 100644
--- a/command/test-fixtures/push-vars/vars.json
+++ b/command/test-fixtures/push-vars/vars.json
@@ -1,5 +1,7 @@
 {
 "null": null,
 "bar": "baz",
- "overridden": "no"
+ "overridden": "no",
+ "super": "this should be secret",
+ "secret": "this one too"
 }
diff --git a/vendor/github.com/hashicorp/atlas-go/v1/build_config.go b/vendor/github.com/hashicorp/atlas-go/v1/build_config.go
index b8eda1fde..fbcd91270 100644
--- a/vendor/github.com/hashicorp/atlas-go/v1/build_config.go
+++ b/vendor/github.com/hashicorp/atlas-go/v1/build_config.go
@@ -15,8 +15,9 @@ type bcWrapper struct {
 // Atlas expects a list of key/value vars
 type BuildVar struct {
- Key string `json:"key"`
- Value string `json:"value"`
+ Key string `json:"key"`
+ Value string `json:"value"`
+ Sensitive bool `json:"sensitive"`
 }
 type BuildVars []BuildVar
diff --git a/vendor/github.com/hashicorp/go-checkpoint/README.md b/vendor/github.com/hashicorp/go-checkpoint/README.md
index ab8ebc0d3..e717b6ad3 100644
--- a/vendor/github.com/hashicorp/go-checkpoint/README.md
+++ b/vendor/github.com/hashicorp/go-checkpoint/README.md
@@ -1,7 +1,7 @@
 # Go Checkpoint Client
 [Checkpoint](http://checkpoint.hashicorp.com) is an internal service at
-Hashicorp that we use to check version information, broadcoast security
+Hashicorp that we use to check version information, broadcast security
 bulletins, etc. We understand that software making remote calls over the internet
@@ -10,7 +10,7 @@ disabled in all of our software that includes it.
 You can view the source of this client to see that we're not sending any private information. Each Hashicorp application has it's specific configuration option
-to disable chekpoint calls, but the `CHECKPOINT_DISABLE` makes
+to disable checkpoint calls, but the `CHECKPOINT_DISABLE` makes
 the underlying checkpoint component itself disabled. For example in the case of packer:
 ```
diff --git a/vendor/vendor.json b/vendor/vendor.json
index d4b22dac6..a2307178e 100644
--- a/vendor/vendor.json
+++ b/vendor/vendor.json
@@ -461,11 +461,11 @@
 "revisionTime": "2016-11-07T20:49:10Z"
 },
 {
- "checksumSHA1": "lrfddRS4/LDKnF0sAbyZ59eUSjo=",
+ "checksumSHA1": "IR7S+SOsSUnPnLxgRrfemXfCqNM=",
 "comment": "20141209094003-92-g95fa852",
 "path": "github.com/hashicorp/atlas-go/v1",
- "revision": "1792bd8de119ba49b17fd8d3c3c1f488ec613e62",
- "revisionTime": "2016-11-07T20:49:10Z"
+ "revision": "047827faf4f20cc74f1a420fdf679d59162a09c7",
+ "revisionTime": "2017-06-05T23:14:32Z"
 },
 {
 "checksumSHA1": "cdOCt0Yb+hdErz8NAQqayxPmRsY=",
@@ -473,9 +473,10 @@
 "revision": "7554cd9344cec97297fa6649b055a8c98c2a1e55"
 },
 {
- "checksumSHA1": "nd3S1qkFv7zZxA9be0bw4nT0pe0=",
+ "checksumSHA1": "SF8aIBEMV6/MXLFTgErdONaX8f0=",
 "path": "github.com/hashicorp/go-checkpoint",
- "revision": "e4b2dc34c0f698ee04750bf2035d8b9384233e1b"
+ "revision": "f8cfd20c53506d1eb3a55c2c43b84d009fab39bd",
+ "revisionTime": "2016-08-16T19:50:56Z"
 },
 {
 "checksumSHA1": "fSe5y1UgTDeYlnFfUcDA1zzcw+U=",
From e81cc7d890e691e10b3e653ab8dbc7cf5a002944 Mon Sep 17 00:00:00 2001
From: Megan Marsh
Date: Thu, 8 Jun 2017 12:49:35 -0700
Subject: [PATCH 2/4] documentation update to use atlas/go master with newly merged changes for govendor
---
 vendor/vendor.json | 9 ++++-----
 website/source/docs/commands/push.html.md | 5 +++++
 website/source/docs/templates/user-variables.html.md | 3 +++
 3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/vendor/vendor.json b/vendor/vendor.json
index a2307178e..7c1edeea3 100644
--- a/vendor/vendor.json
+++ b/vendor/vendor.json
@@ -464,8 +464,8 @@
 "checksumSHA1": "IR7S+SOsSUnPnLxgRrfemXfCqNM=",
 "comment": "20141209094003-92-g95fa852",
 "path": "github.com/hashicorp/atlas-go/v1",
- "revision": "047827faf4f20cc74f1a420fdf679d59162a09c7",
- "revisionTime": "2017-06-05T23:14:32Z"
+ "revision": "0885342d5643b7a412026596f2f3ebb3c9b4c190",
+ "revisionTime": "2017-06-08T19:44:05Z"
 },
 {
 "checksumSHA1": "cdOCt0Yb+hdErz8NAQqayxPmRsY=",
@@ -473,10 +473,9 @@
 "revision": "7554cd9344cec97297fa6649b055a8c98c2a1e55"
 },
 {
- "checksumSHA1": "SF8aIBEMV6/MXLFTgErdONaX8f0=",
+ "checksumSHA1": "nd3S1qkFv7zZxA9be0bw4nT0pe0=",
 "path": "github.com/hashicorp/go-checkpoint",
- "revision": "f8cfd20c53506d1eb3a55c2c43b84d009fab39bd",
- "revisionTime": "2016-08-16T19:50:56Z"
+ "revision": "e4b2dc34c0f698ee04750bf2035d8b9384233e1b"
 },
 {
 "checksumSHA1": "fSe5y1UgTDeYlnFfUcDA1zzcw+U=",
diff --git a/website/source/docs/commands/push.html.md b/website/source/docs/commands/push.html.md
index bf7b1aa00..f8a36ba8c 100644
--- a/website/source/docs/commands/push.html.md
+++ b/website/source/docs/commands/push.html.md
@@ -44,6 +44,11 @@ configuration using the options below.
 `hashicorp/precise64`, which follows the form `/`. This must be specified here or in your template.
+- `-private` - A comma-separated list of variables that should be marked as
+ sensitive in the Terraform Enterprise ui. These variables' keys will be
+ visible, but their values will be redacted. example usage:
+ `-private=supersecretpassword1,anothersecretysecret`
+
 - `-var` - Set a variable in your packer template. This option can be used multiple times. This is useful for setting version numbers for your build.
diff --git a/website/source/docs/templates/user-variables.html.md b/website/source/docs/templates/user-variables.html.md
index 88e562edd..e775dfc99 100644
--- a/website/source/docs/templates/user-variables.html.md
+++ b/website/source/docs/templates/user-variables.html.md
@@ -166,6 +166,9 @@ Results in the following variables:
 | aws_access_key | foo |
 | aws_secret_key | baz |
+The `-private` flag will mark as sensitive any variable, regardless of whether
+the variable has been specified via `-var` or via `-var-file`
+
 # Recipes
 ## Making a provisioner step conditional on the value of a variable
From 7ac429b9ca3c39eb54fc0bbc8af85b598415cc47 Mon Sep 17 00:00:00 2001
From: Megan Marsh
Date: Thu, 8 Jun 2017 13:04:40 -0700
Subject: [PATCH 3/4] add private to help function
---
 command/push.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/command/push.go b/command/push.go
index e2d898134..4341a954d 100644
--- a/command/push.go
+++ b/command/push.go
@@ -296,6 +296,8 @@ Options:
 -token= The access token to use to when uploading
+ -private='var1,var2' List of variables to mark as sensitive in Atlas UI.
+
 -var 'key=value' Variable for templates, can be used multiple times.
 -var-file=path JSON file containing user variables.
From a21870e614d42cee7e035af69107f351696a1454 Mon Sep 17 00:00:00 2001
From: Megan Marsh
Date: Thu, 8 Jun 2017 13:24:07 -0700
Subject: [PATCH 4/4] addressing PR comments
---
 command/meta.go | 3 ---
 command/push.go | 2 ++
 website/source/docs/commands/push.html.md | 2 +-
 website/source/docs/templates/user-variables.html.md | 3 ---
 4 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/command/meta.go b/command/meta.go
index 584d87e88..b8dfdfbf5 100644
--- a/command/meta.go
+++ b/command/meta.go
@@ -33,7 +33,6 @@ type Meta struct {
 // These are set by command-line flags
 flagBuildExcept []string
 flagBuildOnly []string
- flagPrivVars []string
 flagVars map[string]string
 }
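Review bot: The new help line in the Options block describes the flag as marking variables sensitive in the "Atlas UI", while push.html.md in this same series says "Terraform Enterprise ui"; the two strings should agree so users can find the setting. It also omits the two facts needed to get the redaction right: the names must match `-var`/`-var-file` keys exactly, and only the value is hidden while the key stays visible. I would replace it with `-private='var1,var2' Comma-separated variable names whose values are redacted in the Atlas UI; names must match -var/-var-file keys, keys remain visible.` The Help string begins and ends outside the hunk.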
@@ -120,8 +119,6 @@ func (m *Meta) FlagSet(n string, fs FlagSetFlags) *flag.FlagSet {
 if fs&FlagSetVars != 0 {
 f.Var((*kvflag.Flag)(&m.flagVars), "var", "")
 f.Var((*kvflag.FlagJSON)(&m.flagVars), "var-file", "")
- // designate any of the above variables that are private
- f.Var((*sliceflag.StringFlag)(&m.flagPrivVars), "private", "")
 }
 // Create an io.Writer that writes to our Ui properly for errors.
diff --git a/command/push.go b/command/push.go
index 4341a954d..f6a45903b 100644
--- a/command/push.go
+++ b/command/push.go
@@ -43,6 +43,7 @@ func (c *PushCommand) Run(args []string) int {
 var message string
 var name string
 var create bool
+ var privVars []string
 flags := c.Meta.FlagSet("push", FlagSetVars)
 flags.Usage = func() { c.Ui.Error(c.Help()) }
@@ -51,6 +52,7 @@ func (c *PushCommand) Run(args []string) int {
 flags.StringVar(&message, "message", "", "message")
 flags.StringVar(&name, "name", "", "name")
 flags.BoolVar(&create, "create", false, "create (deprecated)")
+ flags.Var((*sliceflag.StringFlag)(&privVars), "private", "")
 if err := flags.Parse(args); err != nil {
 return 1
 }
diff --git a/website/source/docs/commands/push.html.md b/website/source/docs/commands/push.html.md
index f8a36ba8c..8f9d57bd6 100644
--- a/website/source/docs/commands/push.html.md
+++ b/website/source/docs/commands/push.html.md
@@ -47,7 +47,7 @@ configuration using the options below.
 - `-private` - A comma-separated list of variables that should be marked as
 sensitive in the Terraform Enterprise ui. These variables' keys will be
 visible, but their values will be redacted. example usage:
- `-private=supersecretpassword1,anothersecretysecret`
+ `-var 'supersecretpassword=mypassword' -private=supersecretpassword1`
 - `-var` - Set a variable in your packer template. This option can be used multiple times. This is useful for setting version numbers for your build.
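Review bot: `privVars` in Run is bound to the `-private` flag but nothing in this hunk reads it, so the value is presumably still fetched back through the `flags.Lookup("private")` block and the unchecked `privs.Value.(*sliceflag.StringFlag)` assertion added in the first patch (not touched here). With a local variable that block can shrink to `uploadOpts.PrivVars = privVars` after `flags.Parse`, removing a type assertion that would panic if the flag's type ever changed. The usage string is also `""` where the neighbouring flags each pass one; `flags.Var((*sliceflag.StringFlag)(&privVars), "private", "private")` keeps them consistent. The rest of Run is outside the hunk.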
diff --git a/website/source/docs/templates/user-variables.html.md b/website/source/docs/templates/user-variables.html.md
index e775dfc99..88e562edd 100644
--- a/website/source/docs/templates/user-variables.html.md
+++ b/website/source/docs/templates/user-variables.html.md
@@ -166,9 +166,6 @@ Results in the following variables:
 | aws_access_key | foo |
 | aws_secret_key | baz |
-The `-private` flag will mark as sensitive any variable, regardless of whether
-the variable has been specified via `-var` or via `-var-file`
-
 # Recipes
 ## Making a provisioner step conditional on the value of a variable