Merge pull request #4970 from hashicorp/4727_sensitive_vars

allow user to mark variables as sensitive for packer push

command/push.go

@@ -12,6 +12,7 @@ import (
 	"github.com/hashicorp/atlas-go/archive"
 	"github.com/hashicorp/atlas-go/v1"
 	"github.com/hashicorp/packer/helper/flag-kv"
+	"github.com/hashicorp/packer/helper/flag-slice"
 	"github.com/hashicorp/packer/template"
 )
 
@@ -42,6 +43,7 @@ func (c *PushCommand) Run(args []string) int {
 	var message string
 	var name string
 	var create bool
+	var privVars []string
 
 	flags := c.Meta.FlagSet("push", FlagSetVars)
 	flags.Usage = func() { c.Ui.Error(c.Help()) }
@@ -50,6 +52,7 @@ func (c *PushCommand) Run(args []string) int {
 	flags.StringVar(&message, "message", "", "message")
 	flags.StringVar(&name, "name", "", "name")
 	flags.BoolVar(&create, "create", false, "create (deprecated)")
+	flags.Var((*sliceflag.StringFlag)(&privVars), "private", "")
 	if err := flags.Parse(args); err != nil {
 		return 1
 	}
@@ -202,6 +205,12 @@ func (c *PushCommand) Run(args []string) int {
 	}
 
 	// Collect the variables from CLI args and any var files
+	if privs := flags.Lookup("private"); privs != nil {
+		pvf := privs.Value.(*sliceflag.StringFlag)
+		pvars := []string(*pvf)
+		uploadOpts.PrivVars = pvars
+	}
+
 	uploadOpts.Vars = make(map[string]string)
 	if vs := flags.Lookup("var"); vs != nil {
 		f := vs.Value.(*kvflag.Flag)
@@ -301,6 +310,8 @@ Options:
 
   -token=<token>           The access token to use to when uploading
 
+  -private='var1,var2'     List of variables to mark as sensitive in Atlas UI.
+
   -var 'key=value'         Variable for templates, can be used multiple times.
 
   -var-file=path           JSON file containing user variables.
@@ -346,12 +357,19 @@ func (c *PushCommand) upload(
 	}
 
 	// Build the BuildVars struct
-
 	buildVars := atlas.BuildVars{}
 	for k, v := range opts.Vars {
+		isSensitive := false
+		for _, sensitiveVar := range opts.PrivVars {
+			if string(sensitiveVar) == string(k) {
+				isSensitive = true
+				break
+			}
+		}
 		buildVars = append(buildVars, atlas.BuildVar{
-			Key:   k,
+			Key:       k,
-			Value: v,
+			Value:     v,
+			Sensitive: isSensitive,
 		})
 	}
 
@@ -384,6 +402,7 @@ type uploadOpts struct {
 	Builds   map[string]*uploadBuildInfo
 	Metadata map[string]interface{}
 	Vars     map[string]string
+	PrivVars []string
 }
 
 type uploadBuildInfo struct {

command/push_test.go

@@ -208,6 +208,7 @@ func TestPush_vars(t *testing.T) {
 		"-var", "one=two",
 		"-var-file", filepath.Join(testFixture("push-vars"), "vars.json"),
 		"-var", "overridden=yes",
+		"-private", "super,secret",
 		filepath.Join(testFixture("push-vars"), "template.json"),
 	}
 	if code := c.Run(args); code != 0 {
@@ -224,10 +225,17 @@ func TestPush_vars(t *testing.T) {
 		"null":       "",
 		"one":        "two",
 		"overridden": "yes",
+		"super":      "this should be secret",
+		"secret":     "this one too",
 	}
 	if !reflect.DeepEqual(actualOpts.Vars, expected) {
 		t.Fatalf("bad vars: got %#v\n expected %#v\n", actualOpts.Vars, expected)
 	}
+
+	expected_priv := []string{"super", "secret"}
+	if !reflect.DeepEqual(actualOpts.PrivVars, expected_priv) {
+		t.Fatalf("bad vars: got %#v\n expected %#v\n", actualOpts.PrivVars, expected_priv)
+	}
 }
 
 func testArchive(t *testing.T, r io.Reader) []string {

command/test-fixtures/push-vars/vars.json

@@ -1,5 +1,7 @@
 {
   "null": null,
   "bar": "baz",
-  "overridden": "no"
+  "overridden": "no",
+  "super": "this should be secret",
+  "secret": "this one too"
 }

vendor/github.com/hashicorp/atlas-go/v1/build_config.go

@@ -15,8 +15,9 @@ type bcWrapper struct {
 
 // Atlas expects a list of key/value vars
 type BuildVar struct {
-	Key   string `json:"key"`
+	Key       string `json:"key"`
-	Value string `json:"value"`
+	Value     string `json:"value"`
+	Sensitive bool   `json:"sensitive"`
 }
 type BuildVars []BuildVar
 

vendor/github.com/hashicorp/go-checkpoint/README.md

@@ -1,7 +1,7 @@
 # Go Checkpoint Client
 
 [Checkpoint](http://checkpoint.hashicorp.com) is an internal service at
-Hashicorp that we use to check version information, broadcoast security
+Hashicorp that we use to check version information, broadcast security
 bulletins, etc.
 
 We understand that software making remote calls over the internet
@@ -10,7 +10,7 @@ disabled in all of our software that includes it. You can view the source
 of this client to see that we're not sending any private information.
 
 Each Hashicorp application has it's specific configuration option
-to disable chekpoint calls, but the `CHECKPOINT_DISABLE` makes
+to disable checkpoint calls, but the `CHECKPOINT_DISABLE` makes
 the underlying checkpoint component itself disabled. For example
 in the case of packer:
 ```

vendor/vendor.json

@@ -497,11 +497,11 @@
 			"revisionTime": "2016-11-07T20:49:10Z"
 		},
 		{
-			"checksumSHA1": "lrfddRS4/LDKnF0sAbyZ59eUSjo=",
+			"checksumSHA1": "IR7S+SOsSUnPnLxgRrfemXfCqNM=",
 			"comment": "20141209094003-92-g95fa852",
 			"path": "github.com/hashicorp/atlas-go/v1",
-			"revision": "1792bd8de119ba49b17fd8d3c3c1f488ec613e62",
+			"revision": "0885342d5643b7a412026596f2f3ebb3c9b4c190",
-			"revisionTime": "2016-11-07T20:49:10Z"
+			"revisionTime": "2017-06-08T19:44:05Z"
 		},
 		{
 			"checksumSHA1": "cdOCt0Yb+hdErz8NAQqayxPmRsY=",

website/source/docs/commands/push.html.md

@@ -44,6 +44,11 @@ configuration using the options below.
   `hashicorp/precise64`, which follows the form `<username>/<buildname>`. This
   must be specified here or in your template.
 
+- `-private` - A comma-separated list of variables that should be marked as
+  sensitive in the Terraform Enterprise ui. These variables' keys will be 
+  visible, but their values will be redacted. example usage:
+  `-var 'supersecretpassword=mypassword' -private=supersecretpassword1`
+
 - `-var` - Set a variable in your packer template. This option can be used
   multiple times. This is useful for setting version numbers for your build.