Added hclsecret package for using secrets in HCL files
This commit is contained in:
57
hclsecret/example_test.go
Normal file
57
hclsecret/example_test.go
Normal file
@@ -0,0 +1,57 @@
|
||||
package hclsecret_test
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/hashicorp/hcl/v2"
|
||||
"github.com/hashicorp/hcl/v2/hclsimple"
|
||||
"github.com/zclconf/go-cty/cty/function"
|
||||
|
||||
"git.maze.io/go/secret/hclsecret"
|
||||
)
|
||||
|
||||
type mockProvider struct {
|
||||
out []byte
|
||||
err error
|
||||
}
|
||||
|
||||
func (p mockProvider) GetSecret(string) ([]byte, error) {
|
||||
return p.out, p.err
|
||||
}
|
||||
|
||||
func ExampleFunction() {
|
||||
// p would be your initialized secret.Provider
|
||||
p := mockProvider{[]byte("it works!"), nil}
|
||||
|
||||
// Our stand-in configuration file
|
||||
b := []byte(`
|
||||
database {
|
||||
username = "root"
|
||||
password = secret("password")
|
||||
}
|
||||
`)
|
||||
|
||||
// Our stand-in configuration struct
|
||||
type databaseConfig struct {
|
||||
Username string `hcl:"username"`
|
||||
Password string `hcl:"password"`
|
||||
}
|
||||
|
||||
var config struct {
|
||||
Database databaseConfig `hcl:"database,block"`
|
||||
}
|
||||
|
||||
// HCL evaluation context
|
||||
ctx := &hcl.EvalContext{
|
||||
Functions: map[string]function.Function{
|
||||
"secret": hclsecret.Function(p),
|
||||
},
|
||||
}
|
||||
|
||||
if err := hclsimple.Decode("example.hcl", []byte(b), ctx, &config); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
fmt.Println(config.Database.Password)
|
||||
// Output: it works!
|
||||
}
|
||||
49
hclsecret/hclsecret.go
Normal file
49
hclsecret/hclsecret.go
Normal file
@@ -0,0 +1,49 @@
|
||||
// Package hclsecret contains functions for exposing secrets to HCL parsers.
|
||||
package hclsecret
|
||||
|
||||
import (
|
||||
"github.com/zclconf/go-cty/cty"
|
||||
"github.com/zclconf/go-cty/cty/function"
|
||||
|
||||
"git.maze.io/go/secret"
|
||||
)
|
||||
|
||||
var templateSpec = &function.Spec{
|
||||
Description: "Retrieve a secret from the configured secret provider",
|
||||
Params: []function.Parameter{
|
||||
{
|
||||
Name: "key",
|
||||
Description: "Unique key identifying the secret",
|
||||
Type: cty.String,
|
||||
},
|
||||
},
|
||||
Type: func(args []cty.Value) (cty.Type, error) {
|
||||
return cty.String, nil
|
||||
},
|
||||
}
|
||||
|
||||
// Function returns a HCL function for resolving secrets.
|
||||
//
|
||||
// Typically one would use this in a [hcl.EvalContext]:
|
||||
//
|
||||
// ctx := &hcl.EvalContext{
|
||||
// Functions: map[string]function.Function{
|
||||
// "secret": Function(provider),
|
||||
// }
|
||||
// }
|
||||
//
|
||||
// This exposes a new HCL function "secret".
|
||||
func Function(p secret.Provider) function.Function {
|
||||
var spec = new(function.Spec)
|
||||
*spec = *templateSpec
|
||||
|
||||
spec.Impl = func(args []cty.Value, returnType cty.Type) (cty.Value, error) {
|
||||
value, err := p.GetSecret(args[0].AsString())
|
||||
if err != nil {
|
||||
return cty.StringVal(""), err
|
||||
}
|
||||
return cty.StringVal(string(value)), nil
|
||||
}
|
||||
|
||||
return function.New(spec)
|
||||
}
|
||||
Reference in New Issue
Block a user