Merge pull request #12 from manheim/sensitive_vars

Add ``tf_sensitive_vars`` option

ChangeLog.md

@@ -1,3 +1,7 @@
+Version 0.6.2
+
+  - Add ``tf_sensitive_vars`` option.
+
 Version 0.6.1
 
   - Add ``allowed_empty_vars`` option.

README.md

@@ -330,6 +330,26 @@ $ consul kv get terraform/inputs/foo
 {"FOO":"one", "BAR":"two"}
 ```
 
+### Sensitive Environment Variables
+If you wish for certain variables to be marked as "redacted", use the ``tf_sensitive_vars`` option. This is an array of variables that will not be printed.
+
+Note: ``aws_access_key`` and ``aws_secret_key`` will always be redacted without requiring configuration.
+
+
+Example to redact the vaule for ``secret``:
+
+Rakefile:
+
+```ruby
+require 'tfwrapper/raketasks'
+
+TFWrapper::RakeTasks.install_tasks(
+  '.',
+  tf_vars_from_env: {'foo' => 'FOO', 'bar' => 'BAR', 'secret' => 'abc'},
+  tf_sensitive_vars: ['secret']
+)
+```
+
 ## Development
 
 1. ``bundle install --path vendor``

lib/tfwrapper/raketasks.rb

@@ -59,6 +59,8 @@ def min_tf_version
     #   names (specified in :tf_vars_from_env) to allow to be empty or missing.
     # @option opts [Hash] :tf_extra_vars hash of Terraform variables to their
     #   values; overrides any same-named keys in ``tf_vars_from_env``
+    # @option opts [Array] :tf_sensitive_vars list of Terraform variables
+    #   which should not be printed
     # @option opts [String] :consul_url URL to access Consul at, for the
     #   ``:consul_env_vars_prefix`` option.
     # @option opts [String] :consul_env_vars_prefix if specified and not nil,
@@ -99,6 +101,7 @@ def initialize(tf_dir, opts = {})
       @consul_env_vars_prefix = opts.fetch(:consul_env_vars_prefix, nil)
       @tf_vars_from_env = opts.fetch(:tf_vars_from_env, {})
       @allowed_empty_vars = opts.fetch(:allowed_empty_vars, [])
+      @tf_sensitive_vars = opts.fetch(:tf_sensitive_vars, [])
       @tf_extra_vars = opts.fetch(:tf_extra_vars, {})
       @backend_config = opts.fetch(:backend_config, {})
       @consul_url = opts.fetch(:consul_url, nil)
@@ -319,7 +322,9 @@ def install_write_tf_vars
           tf_vars = terraform_vars
           puts 'Terraform vars:'
           tf_vars.sort.map do |k, v|
-            if %w[aws_access_key aws_secret_key].include?(k)
+            redacted_list = (%w[aws_access_key aws_secret_key] +
+                             @tf_sensitive_vars)
+            if redacted_list.include?(k)
               puts "#{k} => (redacted)"
             else
               puts "#{k} => #{v}"

lib/tfwrapper/version.rb

@@ -4,5 +4,5 @@ module TFWrapper
   # version of the Gem/module; used in the gemspec and in messages.
   # NOTE: When updating this, also update the version in the "Installation"
   # section of README.md
-  VERSION = '0.6.1'
+  VERSION = '0.6.2'
 end

spec/unit/raketasks_spec.rb

@@ -60,6 +60,7 @@
       expect(cls.instance_variable_get('@consul_env_vars_prefix')).to eq(nil)
       expect(cls.instance_variable_get('@tf_vars_from_env')).to eq({})
       expect(cls.instance_variable_get('@allowed_empty_vars')).to eq([])
+      expect(cls.instance_variable_get('@tf_sensitive_vars')).to eq([])
       expect(cls.instance_variable_get('@tf_extra_vars')).to eq({})
       expect(cls.instance_variable_get('@backend_config')).to eq({})
       expect(cls.instance_variable_get('@consul_url')).to eq(nil)
@@ -89,6 +90,7 @@
         consul_env_vars_prefix: 'cvprefix',
         tf_vars_from_env: { 'foo' => 'bar' },
         allowed_empty_vars: %w[bar blam],
+        tf_sensitive_vars: %w[secret],
         tf_extra_vars: { 'baz' => 'blam' },
         consul_url: 'foobar',
         before_proc: bproc,
@@ -104,6 +106,8 @@
         .to eq('foo' => 'bar')
       expect(cls.instance_variable_get('@allowed_empty_vars'))
         .to eq(%w[bar blam])
+      expect(cls.instance_variable_get('@tf_sensitive_vars'))
+        .to eq(%w[secret])
       expect(cls.instance_variable_get('@tf_extra_vars'))
         .to eq('baz' => 'blam')
       expect(cls.instance_variable_get('@backend_config')).to eq({})
@@ -832,6 +836,7 @@
         Rake.application = rake_application
       end
       before do
+        subject.instance_variable_set('@tf_sensitive_vars', ['secret'])
         subject.install_write_tf_vars
       end
 
@@ -844,7 +849,8 @@
         vars = {
           'foo' => 'bar',
           'baz' => 'blam',
-          'aws_access_key' => 'ak'
+          'aws_access_key' => 'ak',
+          'secret' => 'abc'
         }
         allow(subject).to receive(:terraform_vars).and_return(vars)
         allow(subject).to receive(:var_file_path).and_return('file.tfvars.json')
@@ -856,6 +862,8 @@
         expect(STDOUT).to receive(:puts).once.with('Terraform vars:')
         expect(STDOUT).to receive(:puts)
           .once.with('aws_access_key => (redacted)')
+        expect(STDOUT).to receive(:puts)
+          .once.with('secret => (redacted)')
         expect(STDOUT).to receive(:puts).once.with('baz => blam')
         expect(STDOUT).to receive(:puts).once.with('foo => bar')
         expect(File).to receive(:open).once.with('file.tfvars.json', 'w')
@@ -917,6 +925,7 @@
         Rake.application = rake_application
       end
       before do
+        subject.instance_variable_set('@tf_sensitive_vars', ['secret'])
         subject.instance_variable_set('@ns_prefix', 'foo')
         subject.install_write_tf_vars
       end
@@ -930,7 +939,8 @@
         vars = {
           'foo' => 'bar',
           'baz' => 'blam',
-          'aws_access_key' => 'ak'
+          'aws_access_key' => 'ak',
+          'secret' => 'abc'
         }
         allow(subject).to receive(:terraform_vars).and_return(vars)
         allow(subject).to receive(:var_file_path)
@@ -943,6 +953,8 @@
         expect(STDOUT).to receive(:puts).once.with('Terraform vars:')
         expect(STDOUT).to receive(:puts)
           .once.with('aws_access_key => (redacted)')
+        expect(STDOUT).to receive(:puts)
+          .once.with('secret => (redacted)')
         expect(STDOUT).to receive(:puts).once.with('baz => blam')
         expect(STDOUT).to receive(:puts).once.with('foo => bar')
         expect(File).to receive(:open).once.with('foo_file.tfvars.json', 'w')