Merge pull request #4970 from hashicorp/4727_sensitive_vars
allow user to mark variables as sensitive for packer push
This commit is contained in:
commit
cd147e2da4
|
@ -12,6 +12,7 @@ import (
|
||||||
"github.com/hashicorp/atlas-go/archive"
|
"github.com/hashicorp/atlas-go/archive"
|
||||||
"github.com/hashicorp/atlas-go/v1"
|
"github.com/hashicorp/atlas-go/v1"
|
||||||
"github.com/hashicorp/packer/helper/flag-kv"
|
"github.com/hashicorp/packer/helper/flag-kv"
|
||||||
|
"github.com/hashicorp/packer/helper/flag-slice"
|
||||||
"github.com/hashicorp/packer/template"
|
"github.com/hashicorp/packer/template"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -42,6 +43,7 @@ func (c *PushCommand) Run(args []string) int {
|
||||||
var message string
|
var message string
|
||||||
var name string
|
var name string
|
||||||
var create bool
|
var create bool
|
||||||
|
var privVars []string
|
||||||
|
|
||||||
flags := c.Meta.FlagSet("push", FlagSetVars)
|
flags := c.Meta.FlagSet("push", FlagSetVars)
|
||||||
flags.Usage = func() { c.Ui.Error(c.Help()) }
|
flags.Usage = func() { c.Ui.Error(c.Help()) }
|
||||||
|
@ -50,6 +52,7 @@ func (c *PushCommand) Run(args []string) int {
|
||||||
flags.StringVar(&message, "message", "", "message")
|
flags.StringVar(&message, "message", "", "message")
|
||||||
flags.StringVar(&name, "name", "", "name")
|
flags.StringVar(&name, "name", "", "name")
|
||||||
flags.BoolVar(&create, "create", false, "create (deprecated)")
|
flags.BoolVar(&create, "create", false, "create (deprecated)")
|
||||||
|
flags.Var((*sliceflag.StringFlag)(&privVars), "private", "")
|
||||||
if err := flags.Parse(args); err != nil {
|
if err := flags.Parse(args); err != nil {
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
@ -202,6 +205,12 @@ func (c *PushCommand) Run(args []string) int {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Collect the variables from CLI args and any var files
|
// Collect the variables from CLI args and any var files
|
||||||
|
if privs := flags.Lookup("private"); privs != nil {
|
||||||
|
pvf := privs.Value.(*sliceflag.StringFlag)
|
||||||
|
pvars := []string(*pvf)
|
||||||
|
uploadOpts.PrivVars = pvars
|
||||||
|
}
|
||||||
|
|
||||||
uploadOpts.Vars = make(map[string]string)
|
uploadOpts.Vars = make(map[string]string)
|
||||||
if vs := flags.Lookup("var"); vs != nil {
|
if vs := flags.Lookup("var"); vs != nil {
|
||||||
f := vs.Value.(*kvflag.Flag)
|
f := vs.Value.(*kvflag.Flag)
|
||||||
|
@ -301,6 +310,8 @@ Options:
|
||||||
|
|
||||||
-token=<token> The access token to use to when uploading
|
-token=<token> The access token to use to when uploading
|
||||||
|
|
||||||
|
-private='var1,var2' List of variables to mark as sensitive in Atlas UI.
|
||||||
|
|
||||||
-var 'key=value' Variable for templates, can be used multiple times.
|
-var 'key=value' Variable for templates, can be used multiple times.
|
||||||
|
|
||||||
-var-file=path JSON file containing user variables.
|
-var-file=path JSON file containing user variables.
|
||||||
|
@ -346,12 +357,19 @@ func (c *PushCommand) upload(
|
||||||
}
|
}
|
||||||
|
|
||||||
// Build the BuildVars struct
|
// Build the BuildVars struct
|
||||||
|
|
||||||
buildVars := atlas.BuildVars{}
|
buildVars := atlas.BuildVars{}
|
||||||
for k, v := range opts.Vars {
|
for k, v := range opts.Vars {
|
||||||
|
isSensitive := false
|
||||||
|
for _, sensitiveVar := range opts.PrivVars {
|
||||||
|
if string(sensitiveVar) == string(k) {
|
||||||
|
isSensitive = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
buildVars = append(buildVars, atlas.BuildVar{
|
buildVars = append(buildVars, atlas.BuildVar{
|
||||||
Key: k,
|
Key: k,
|
||||||
Value: v,
|
Value: v,
|
||||||
|
Sensitive: isSensitive,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -384,6 +402,7 @@ type uploadOpts struct {
|
||||||
Builds map[string]*uploadBuildInfo
|
Builds map[string]*uploadBuildInfo
|
||||||
Metadata map[string]interface{}
|
Metadata map[string]interface{}
|
||||||
Vars map[string]string
|
Vars map[string]string
|
||||||
|
PrivVars []string
|
||||||
}
|
}
|
||||||
|
|
||||||
type uploadBuildInfo struct {
|
type uploadBuildInfo struct {
|
||||||
|
|
|
@ -208,6 +208,7 @@ func TestPush_vars(t *testing.T) {
|
||||||
"-var", "one=two",
|
"-var", "one=two",
|
||||||
"-var-file", filepath.Join(testFixture("push-vars"), "vars.json"),
|
"-var-file", filepath.Join(testFixture("push-vars"), "vars.json"),
|
||||||
"-var", "overridden=yes",
|
"-var", "overridden=yes",
|
||||||
|
"-private", "super,secret",
|
||||||
filepath.Join(testFixture("push-vars"), "template.json"),
|
filepath.Join(testFixture("push-vars"), "template.json"),
|
||||||
}
|
}
|
||||||
if code := c.Run(args); code != 0 {
|
if code := c.Run(args); code != 0 {
|
||||||
|
@ -224,10 +225,17 @@ func TestPush_vars(t *testing.T) {
|
||||||
"null": "",
|
"null": "",
|
||||||
"one": "two",
|
"one": "two",
|
||||||
"overridden": "yes",
|
"overridden": "yes",
|
||||||
|
"super": "this should be secret",
|
||||||
|
"secret": "this one too",
|
||||||
}
|
}
|
||||||
if !reflect.DeepEqual(actualOpts.Vars, expected) {
|
if !reflect.DeepEqual(actualOpts.Vars, expected) {
|
||||||
t.Fatalf("bad vars: got %#v\n expected %#v\n", actualOpts.Vars, expected)
|
t.Fatalf("bad vars: got %#v\n expected %#v\n", actualOpts.Vars, expected)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
expected_priv := []string{"super", "secret"}
|
||||||
|
if !reflect.DeepEqual(actualOpts.PrivVars, expected_priv) {
|
||||||
|
t.Fatalf("bad vars: got %#v\n expected %#v\n", actualOpts.PrivVars, expected_priv)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func testArchive(t *testing.T, r io.Reader) []string {
|
func testArchive(t *testing.T, r io.Reader) []string {
|
||||||
|
|
|
@ -1,5 +1,7 @@
|
||||||
{
|
{
|
||||||
"null": null,
|
"null": null,
|
||||||
"bar": "baz",
|
"bar": "baz",
|
||||||
"overridden": "no"
|
"overridden": "no",
|
||||||
|
"super": "this should be secret",
|
||||||
|
"secret": "this one too"
|
||||||
}
|
}
|
||||||
|
|
|
@ -17,6 +17,7 @@ type bcWrapper struct {
|
||||||
type BuildVar struct {
|
type BuildVar struct {
|
||||||
Key string `json:"key"`
|
Key string `json:"key"`
|
||||||
Value string `json:"value"`
|
Value string `json:"value"`
|
||||||
|
Sensitive bool `json:"sensitive"`
|
||||||
}
|
}
|
||||||
type BuildVars []BuildVar
|
type BuildVars []BuildVar
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Go Checkpoint Client
|
# Go Checkpoint Client
|
||||||
|
|
||||||
[Checkpoint](http://checkpoint.hashicorp.com) is an internal service at
|
[Checkpoint](http://checkpoint.hashicorp.com) is an internal service at
|
||||||
Hashicorp that we use to check version information, broadcoast security
|
Hashicorp that we use to check version information, broadcast security
|
||||||
bulletins, etc.
|
bulletins, etc.
|
||||||
|
|
||||||
We understand that software making remote calls over the internet
|
We understand that software making remote calls over the internet
|
||||||
|
@ -10,7 +10,7 @@ disabled in all of our software that includes it. You can view the source
|
||||||
of this client to see that we're not sending any private information.
|
of this client to see that we're not sending any private information.
|
||||||
|
|
||||||
Each Hashicorp application has it's specific configuration option
|
Each Hashicorp application has it's specific configuration option
|
||||||
to disable chekpoint calls, but the `CHECKPOINT_DISABLE` makes
|
to disable checkpoint calls, but the `CHECKPOINT_DISABLE` makes
|
||||||
the underlying checkpoint component itself disabled. For example
|
the underlying checkpoint component itself disabled. For example
|
||||||
in the case of packer:
|
in the case of packer:
|
||||||
```
|
```
|
||||||
|
|
|
@ -497,11 +497,11 @@
|
||||||
"revisionTime": "2016-11-07T20:49:10Z"
|
"revisionTime": "2016-11-07T20:49:10Z"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"checksumSHA1": "lrfddRS4/LDKnF0sAbyZ59eUSjo=",
|
"checksumSHA1": "IR7S+SOsSUnPnLxgRrfemXfCqNM=",
|
||||||
"comment": "20141209094003-92-g95fa852",
|
"comment": "20141209094003-92-g95fa852",
|
||||||
"path": "github.com/hashicorp/atlas-go/v1",
|
"path": "github.com/hashicorp/atlas-go/v1",
|
||||||
"revision": "1792bd8de119ba49b17fd8d3c3c1f488ec613e62",
|
"revision": "0885342d5643b7a412026596f2f3ebb3c9b4c190",
|
||||||
"revisionTime": "2016-11-07T20:49:10Z"
|
"revisionTime": "2017-06-08T19:44:05Z"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"checksumSHA1": "cdOCt0Yb+hdErz8NAQqayxPmRsY=",
|
"checksumSHA1": "cdOCt0Yb+hdErz8NAQqayxPmRsY=",
|
||||||
|
|
|
@ -44,6 +44,11 @@ configuration using the options below.
|
||||||
`hashicorp/precise64`, which follows the form `<username>/<buildname>`. This
|
`hashicorp/precise64`, which follows the form `<username>/<buildname>`. This
|
||||||
must be specified here or in your template.
|
must be specified here or in your template.
|
||||||
|
|
||||||
|
- `-private` - A comma-separated list of variables that should be marked as
|
||||||
|
sensitive in the Terraform Enterprise ui. These variables' keys will be
|
||||||
|
visible, but their values will be redacted. example usage:
|
||||||
|
`-var 'supersecretpassword=mypassword' -private=supersecretpassword1`
|
||||||
|
|
||||||
- `-var` - Set a variable in your packer template. This option can be used
|
- `-var` - Set a variable in your packer template. This option can be used
|
||||||
multiple times. This is useful for setting version numbers for your build.
|
multiple times. This is useful for setting version numbers for your build.
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue