Add the ability to set the passphrase secrets provider to read from a passphrase file (#5327)
* Addthe ability to set the passphrase secrets provider to read from a passphrase file * Feedback about removing newlines
This commit is contained in:
Paul Stack
GitHub
parent
f0386bec8d
commit
9a46dad7d0
|
|
@ -2,7 +2,12 @@ CHANGELOG
|
|||
=========
|
||||
|
||||
## HEAD (Unreleased)
|
||||
_(none)_
|
||||
|
||||
- Allow Pulumi to read a passphrase file, via `PULUMI_CONFIG_PASSPHRASE_FILE` to interact
|
||||
with the passphrase secrets provider. Pulumi will first try and use the `PULUMI_CONFIG_PASSPHRASE`
|
||||
to get the passphrase then will check `PULUMI_CONFIG_PASSPHRASE_FILE` and then all through to
|
||||
asking interactively as the final option.
|
||||
[#5327](https://github.com/pulumi/pulumi/pull/5327)
|
||||
|
||||
## 2.10.0 (2020-09-10)
|
||||
|
||||
|
|
|
|||
|
|
@ -17,10 +17,13 @@ package main
|
|||
import (
|
||||
cryptorand "crypto/rand"
|
||||
"encoding/base64"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
"github.com/pulumi/pulumi/pkg/v2/secrets"
|
||||
"github.com/pulumi/pulumi/pkg/v2/secrets/passphrase"
|
||||
"github.com/pulumi/pulumi/sdk/v2/go/common/diag"
|
||||
|
|
@ -35,8 +38,20 @@ func readPassphrase(prompt string) (string, error) {
|
|||
if phrase, ok := os.LookupEnv("PULUMI_CONFIG_PASSPHRASE"); ok {
|
||||
return phrase, nil
|
||||
}
|
||||
if phraseFile, ok := os.LookupEnv("PULUMI_CONFIG_PASSPHRASE_FILE"); ok {
|
||||
phraseFilePath, err := filepath.Abs(phraseFile)
|
||||
if err != nil {
|
||||
return "", errors.Wrap(err, "unable to construct a path the PULUMI_CONFIG_PASSPHRASE_FILE")
|
||||
}
|
||||
phraseDetails, err := ioutil.ReadFile(phraseFilePath)
|
||||
if err != nil {
|
||||
return "", errors.Wrap(err, "unable to read PULUMI_CONFIG_PASSPHRASE_FILE")
|
||||
}
|
||||
return strings.TrimSpace(string(phraseDetails)), nil
|
||||
}
|
||||
if !cmdutil.Interactive() {
|
||||
return "", errors.New("passphrase must be set with PULUMI_CONFIG_PASSPHRASE environment variable")
|
||||
return "", errors.New("passphrase must be set with PULUMI_CONFIG_PASSPHRASE or " +
|
||||
"PULUMI_CONFIG_PASSPHRASE_FILE environment variables")
|
||||
}
|
||||
return cmdutil.ReadConsoleNoEcho(prompt)
|
||||
}
|
||||
|
|
@ -61,7 +76,7 @@ func newPassphraseSecretsManager(stackName tokens.QName, configFile string) (sec
|
|||
if info.EncryptionSalt != "" {
|
||||
for {
|
||||
phrase, phraseErr := readPassphrase("Enter your passphrase to unlock config/secrets\n" +
|
||||
" (set PULUMI_CONFIG_PASSPHRASE to remember)")
|
||||
" (set PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE to remember)")
|
||||
if phraseErr != nil {
|
||||
return nil, phraseErr
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue