Merge pull request hashicorp#4970 from hashicorp/4727_sensitive_vars

allow user to mark variables as sensitive for packer push
UnquietCode · Jun 8, 2017 · cd147e2 · cd147e2
2 parents 454a3a3 + a21870e
commit cd147e2
Show file tree

Hide file tree

Showing 7 changed files with 46 additions and 11 deletions.
diff --git a/command/push.go b/command/push.go
@@ -12,6 +12,7 @@ import (
 	"github.com/hashicorp/atlas-go/archive"
 	"github.com/hashicorp/atlas-go/v1"
 	"github.com/hashicorp/packer/helper/flag-kv"
+	"github.com/hashicorp/packer/helper/flag-slice"
 	"github.com/hashicorp/packer/template"
 )
 
@@ -42,6 +43,7 @@ func (c *PushCommand) Run(args []string) int {
 	var message string
 	var name string
 	var create bool
+	var privVars []string
 
 	flags := c.Meta.FlagSet("push", FlagSetVars)
 	flags.Usage = func() { c.Ui.Error(c.Help()) }
@@ -50,6 +52,7 @@ func (c *PushCommand) Run(args []string) int {
 	flags.StringVar(&message, "message", "", "message")
 	flags.StringVar(&name, "name", "", "name")
 	flags.BoolVar(&create, "create", false, "create (deprecated)")
+	flags.Var((*sliceflag.StringFlag)(&privVars), "private", "")
 	if err := flags.Parse(args); err != nil {
 		return 1
 	}
@@ -202,6 +205,12 @@ func (c *PushCommand) Run(args []string) int {
 	}
 
 	// Collect the variables from CLI args and any var files
+	if privs := flags.Lookup("private"); privs != nil {
+		pvf := privs.Value.(*sliceflag.StringFlag)
+		pvars := []string(*pvf)
+		uploadOpts.PrivVars = pvars
+	}
+
 	uploadOpts.Vars = make(map[string]string)
 	if vs := flags.Lookup("var"); vs != nil {
 		f := vs.Value.(*kvflag.Flag)
@@ -301,6 +310,8 @@ Options:
 
   -token=<token>           The access token to use to when uploading
 
+  -private='var1,var2'     List of variables to mark as sensitive in Atlas UI.
+
   -var 'key=value'         Variable for templates, can be used multiple times.
 
   -var-file=path           JSON file containing user variables.
@@ -346,12 +357,19 @@ func (c *PushCommand) upload(
 	}
 
 	// Build the BuildVars struct
-
 	buildVars := atlas.BuildVars{}
 	for k, v := range opts.Vars {
+		isSensitive := false
+		for _, sensitiveVar := range opts.PrivVars {
+			if string(sensitiveVar) == string(k) {
+				isSensitive = true
+				break
+			}
+		}
 		buildVars = append(buildVars, atlas.BuildVar{
-			Key:   k,
-			Value: v,
+			Key:       k,
+			Value:     v,
+			Sensitive: isSensitive,
 		})
 	}
 
@@ -384,6 +402,7 @@ type uploadOpts struct {
 	Builds   map[string]*uploadBuildInfo
 	Metadata map[string]interface{}
 	Vars     map[string]string
+	PrivVars []string
 }
 
 type uploadBuildInfo struct {

diff --git a/command/push_test.go b/command/push_test.go
@@ -208,6 +208,7 @@ func TestPush_vars(t *testing.T) {
 		"-var", "one=two",
 		"-var-file", filepath.Join(testFixture("push-vars"), "vars.json"),
 		"-var", "overridden=yes",
+		"-private", "super,secret",
 		filepath.Join(testFixture("push-vars"), "template.json"),
 	}
 	if code := c.Run(args); code != 0 {
@@ -224,10 +225,17 @@ func TestPush_vars(t *testing.T) {
 		"null":       "",
 		"one":        "two",
 		"overridden": "yes",
+		"super":      "this should be secret",
+		"secret":     "this one too",
 	}
 	if !reflect.DeepEqual(actualOpts.Vars, expected) {
 		t.Fatalf("bad vars: got %#v\n expected %#v\n", actualOpts.Vars, expected)
 	}
+
+	expected_priv := []string{"super", "secret"}
+	if !reflect.DeepEqual(actualOpts.PrivVars, expected_priv) {
+		t.Fatalf("bad vars: got %#v\n expected %#v\n", actualOpts.PrivVars, expected_priv)
+	}
 }
 
 func testArchive(t *testing.T, r io.Reader) []string {

diff --git a/command/test-fixtures/push-vars/vars.json b/command/test-fixtures/push-vars/vars.json
@@ -1,5 +1,7 @@
 {
   "null": null,
   "bar": "baz",
-  "overridden": "no"
+  "overridden": "no",
+  "super": "this should be secret",
+  "secret": "this one too"
 }
diff --git a/vendor/github.com/hashicorp/atlas-go/v1/build_config.go b/vendor/github.com/hashicorp/atlas-go/v1/build_config.go
diff --git a/vendor/github.com/hashicorp/go-checkpoint/README.md b/vendor/github.com/hashicorp/go-checkpoint/README.md
diff --git a/vendor/vendor.json b/vendor/vendor.json
@@ -497,11 +497,11 @@
 			"revisionTime": "2016-11-07T20:49:10Z"
 		},
 		{
-			"checksumSHA1": "lrfddRS4/LDKnF0sAbyZ59eUSjo=",
+			"checksumSHA1": "IR7S+SOsSUnPnLxgRrfemXfCqNM=",
 			"comment": "20141209094003-92-g95fa852",
 			"path": "github.com/hashicorp/atlas-go/v1",
-			"revision": "1792bd8de119ba49b17fd8d3c3c1f488ec613e62",
-			"revisionTime": "2016-11-07T20:49:10Z"
+			"revision": "0885342d5643b7a412026596f2f3ebb3c9b4c190",
+			"revisionTime": "2017-06-08T19:44:05Z"
 		},
 		{
 			"checksumSHA1": "cdOCt0Yb+hdErz8NAQqayxPmRsY=",

diff --git a/website/source/docs/commands/push.html.md b/website/source/docs/commands/push.html.md
@@ -44,6 +44,11 @@ configuration using the options below.
   `hashicorp/precise64`, which follows the form `<username>/<buildname>`. This
   must be specified here or in your template.
 
+- `-private` - A comma-separated list of variables that should be marked as
+  sensitive in the Terraform Enterprise ui. These variables' keys will be 
+  visible, but their values will be redacted. example usage:
+  `-var 'supersecretpassword=mypassword' -private=supersecretpassword1`
+
 - `-var` - Set a variable in your packer template. This option can be used
   multiple times. This is useful for setting version numbers for your build.