diff --git a/command/push.go b/command/push.go
index 7a54a87dc..bff54ece7 100644
--- a/command/push.go
+++ b/command/push.go
@@ -12,6 +12,7 @@ import (
 "github.com/hashicorp/atlas-go/archive"
 "github.com/hashicorp/atlas-go/v1"
 "github.com/hashicorp/packer/helper/flag-kv"
+ "github.com/hashicorp/packer/helper/flag-slice"
 "github.com/hashicorp/packer/template"
 )
@@ -42,6 +43,7 @@ func (c *PushCommand) Run(args []string) int {
 var message string
 var name string
 var create bool
+ var privVars []string
 flags := c.Meta.FlagSet("push", FlagSetVars)
 flags.Usage = func() { c.Ui.Error(c.Help()) }
@@ -50,6 +52,7 @@ func (c *PushCommand) Run(args []string) int {
 flags.StringVar(&message, "message", "", "message")
 flags.StringVar(&name, "name", "", "name")
 flags.BoolVar(&create, "create", false, "create (deprecated)")
+ flags.Var((*sliceflag.StringFlag)(&privVars), "private", "")
 if err := flags.Parse(args); err != nil {
 return 1
 }
@@ -202,6 +205,12 @@ func (c *PushCommand) Run(args []string) int {
 }
 // Collect the variables from CLI args and any var files
+ if privs := flags.Lookup("private"); privs != nil {
+ pvf := privs.Value.(*sliceflag.StringFlag)
+ pvars := []string(*pvf)
+ uploadOpts.PrivVars = pvars
+ }
+
 uploadOpts.Vars = make(map[string]string)
 if vs := flags.Lookup("var"); vs != nil {
 f := vs.Value.(*kvflag.Flag)
@@ -301,6 +310,8 @@ Options:
 -token= The access token to use to when uploading
+ -private='var1,var2' List of variables to mark as sensitive in Atlas UI.
+
 -var 'key=value' Variable for templates, can be used multiple times.
 -var-file=path JSON file containing user variables.
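Review bot: In the `@@ -202,6 +205,12 @@` hunk of `Run`, the names passed to `-private` are copied into `uploadOpts.PrivVars` without any check that each one names a variable that is actually being pushed, so a misspelled name is silently ignored and its value is uploaded with `Sensitive` left false. For a flag whose whole purpose is redaction that is a fail-open default, and the usage example this commit adds to `push.html.md` (`-var 'supersecretpassword=mypassword' -private=supersecretpassword1`) would hit exactly that case. After all `-var` and `-var-file` values have been merged into `uploadOpts.Vars` (that code continues past this hunk), loop over `uploadOpts.PrivVars` and fail on unknown names: `if _, ok := uploadOpts.Vars[name]; !ok { c.Ui.Error("-private: unknown variable " + name); return 1 }`. The matching loop in `upload` (`@@ -346,12 +357,19 @@`) has the same blind spot, and whether names are whitespace-trimmed depends on `sliceflag.StringFlag`, which is not shown here.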
@@ -346,12 +357,19 @@ func (c *PushCommand) upload(
 }
 // Build the BuildVars struct
-
 buildVars := atlas.BuildVars{}
 for k, v := range opts.Vars {
+ isSensitive := false
+ for _, sensitiveVar := range opts.PrivVars {
+ if string(sensitiveVar) == string(k) {
+ isSensitive = true
+ break
+ }
+ }
 buildVars = append(buildVars, atlas.BuildVar{
- Key: k,
- Value: v,
+ Key: k,
+ Value: v,
+ Sensitive: isSensitive,
 })
 }
@@ -384,6 +402,7 @@ type uploadOpts struct {
 Builds map[string]*uploadBuildInfo
 Metadata map[string]interface{}
 Vars map[string]string
+ PrivVars []string
 }
 type uploadBuildInfo struct {
diff --git a/command/push_test.go b/command/push_test.go
index 35dd27050..b1af61799 100644
--- a/command/push_test.go
+++ b/command/push_test.go
@@ -208,6 +208,7 @@ func TestPush_vars(t *testing.T) {
 "-var", "one=two",
 "-var-file", filepath.Join(testFixture("push-vars"), "vars.json"),
 "-var", "overridden=yes",
+ "-private", "super,secret",
 filepath.Join(testFixture("push-vars"), "template.json"),
 }
 if code := c.Run(args); code != 0 {
@@ -224,10 +225,17 @@ func TestPush_vars(t *testing.T) {
 "null": "",
 "one": "two",
 "overridden": "yes",
+ "super": "this should be secret",
+ "secret": "this one too",
 }
 if !reflect.DeepEqual(actualOpts.Vars, expected) {
 t.Fatalf("bad vars: got %#v\n expected %#v\n", actualOpts.Vars, expected)
 }
+
+ expected_priv := []string{"super", "secret"}
+ if !reflect.DeepEqual(actualOpts.PrivVars, expected_priv) {
+ t.Fatalf("bad vars: got %#v\n expected %#v\n", actualOpts.PrivVars, expected_priv)
+ }
 }
 func testArchive(t *testing.T, r io.Reader) []string {
diff --git a/command/test-fixtures/push-vars/vars.json b/command/test-fixtures/push-vars/vars.json
index 4d5c9cc27..44edd612c 100644
--- a/command/test-fixtures/push-vars/vars.json
+++ b/command/test-fixtures/push-vars/vars.json
@@ -1,5 +1,7 @@
 {
 "null": null,
 "bar": "baz",
- "overridden": "no"
+ "overridden": "no",
+ "super": "this should be secret",
+ "secret": "this one too"
 }
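Review bot: The inner `for _, sensitiveVar := range opts.PrivVars` scan in `upload` is repeated for every variable and wraps two values that are already strings in `string(...)` conversions (`opts.PrivVars` is `[]string` and `opts.Vars` is `map[string]string` in the `uploadOpts` hunk below). Building a lookup set once before the loop reduces the marking step to a single field expression and leaves one obvious place to notice names that matched nothing. `upload` begins and ends outside this hunk, so the excerpt shows only the BuildVars section.

```go
	// … unchanged: code before the BuildVars section …
	// Build the BuildVars struct
	sensitive := make(map[string]bool, len(opts.PrivVars))
	for _, name := range opts.PrivVars {
		sensitive[name] = true
	}

	buildVars := atlas.BuildVars{}
	for k, v := range opts.Vars {
		buildVars = append(buildVars, atlas.BuildVar{
			Key:       k,
			Value:     v,
			Sensitive: sensitive[k],
		})
	}
	// … unchanged: rest of upload …
```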
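Review bot: The assertion added to `TestPush_vars` (`@@ -224,10 +225,17 @@`) only checks that `actualOpts.PrivVars` carries the two names; nothing visible here exercises the loop in `upload` that turns those names into `BuildVar.Sensitive`, so the redaction itself looks untested (presumably `actualOpts` is captured from a stubbed upload function; confirm). A case that asserts `Sensitive` is true for `super` and `secret` and false for `one` would pin the behaviour, as would a `-private` name that matches no variable. The failure message also reuses `bad vars`, which makes the two checks indistinguishable in test output; `t.Fatalf("bad private vars: got %#v\n expected %#v\n", actualOpts.PrivVars, expectedPriv)` with the local renamed from `expected_priv` to `expectedPriv` would read better. `TestPush_vars` starts outside the hunk.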
diff --git a/vendor/github.com/hashicorp/atlas-go/v1/build_config.go b/vendor/github.com/hashicorp/atlas-go/v1/build_config.go
index b8eda1fde..fbcd91270 100644
--- a/vendor/github.com/hashicorp/atlas-go/v1/build_config.go
+++ b/vendor/github.com/hashicorp/atlas-go/v1/build_config.go
@@ -15,8 +15,9 @@ type bcWrapper struct {
 // Atlas expects a list of key/value vars
 type BuildVar struct {
- Key string `json:"key"`
- Value string `json:"value"`
+ Key string `json:"key"`
+ Value string `json:"value"`
+ Sensitive bool `json:"sensitive"`
 }
 type BuildVars []BuildVar
diff --git a/vendor/github.com/hashicorp/go-checkpoint/README.md b/vendor/github.com/hashicorp/go-checkpoint/README.md
index ab8ebc0d3..e717b6ad3 100644
--- a/vendor/github.com/hashicorp/go-checkpoint/README.md
+++ b/vendor/github.com/hashicorp/go-checkpoint/README.md
@@ -1,7 +1,7 @@
 # Go Checkpoint Client
 [Checkpoint](http://checkpoint.hashicorp.com) is an internal service at
-Hashicorp that we use to check version information, broadcoast security
+Hashicorp that we use to check version information, broadcast security
 bulletins, etc. We understand that software making remote calls over the internet
@@ -10,7 +10,7 @@ disabled in all of our software that includes it. You can view the source of this client to see that we're not sending any private information. Each Hashicorp application has it's specific configuration option
-to disable chekpoint calls, but the `CHECKPOINT_DISABLE` makes
+to disable checkpoint calls, but the `CHECKPOINT_DISABLE` makes
 the underlying checkpoint component itself disabled. For example in the case of packer:
 ```
diff --git a/vendor/vendor.json b/vendor/vendor.json
index be8d8fea5..dc1ac8e85 100644
--- a/vendor/vendor.json
+++ b/vendor/vendor.json
@@ -497,11 +497,11 @@
 "revisionTime": "2016-11-07T20:49:10Z"
 },
 {
- "checksumSHA1": "lrfddRS4/LDKnF0sAbyZ59eUSjo=",
+ "checksumSHA1": "IR7S+SOsSUnPnLxgRrfemXfCqNM=",
 "comment": "20141209094003-92-g95fa852",
 "path": "github.com/hashicorp/atlas-go/v1",
- "revision": "1792bd8de119ba49b17fd8d3c3c1f488ec613e62",
- "revisionTime": "2016-11-07T20:49:10Z"
+ "revision": "0885342d5643b7a412026596f2f3ebb3c9b4c190",
+ "revisionTime": "2017-06-08T19:44:05Z"
 },
 {
 "checksumSHA1": "cdOCt0Yb+hdErz8NAQqayxPmRsY=",
diff --git a/website/source/docs/commands/push.html.md b/website/source/docs/commands/push.html.md
index bf7b1aa00..8f9d57bd6 100644
--- a/website/source/docs/commands/push.html.md
+++ b/website/source/docs/commands/push.html.md
@@ -44,6 +44,11 @@ configuration using the options below.
 `hashicorp/precise64`, which follows the form `/`. This must be specified here or in your template.
+- `-private` - A comma-separated list of variables that should be marked as
+ sensitive in the Terraform Enterprise ui. These variables' keys will be
+ visible, but their values will be redacted. example usage:
+ `-var 'supersecretpassword=mypassword' -private=supersecretpassword1`
+
 - `-var` - Set a variable in your packer template. This option can be used multiple times. This is useful for setting version numbers for your build.