Merge pull request #5 from laszlojau/main

Return values from multiple secret fields

README.md

@@ -20,7 +20,7 @@ packer {
   required_plugins {
     tss = {
       version = ">= 0.1.0"
-      source  = "github.com/breed808/packer-plugin-tss"
+      source  = "github.com/breed808/tss"
     }
   }
 }
@@ -54,7 +54,8 @@ data "tss" "mock-data" {
   password = "test123" # TSS password
   server_url = "https://my-thycotic-server.example.com/SecretServer"
 
-  secret_id = "500" # ID of TSS secret to retrieve
+  secret_id     = 500                      # ID of TSS secret to retrieve
+  secret_fields = ["username", "password"] # Fields to retrieve from the TSS secret
 }
 ```
 
@@ -67,7 +68,8 @@ data "tss" "mock-data" {
   server_url = "https://my-thycotic-server.example.com/SecretServer"
   domain = "example.com" # Domain of user. I.E. testing@example.com
 
-  secret_id = "500" # ID of TSS secret to retrieve
+  secret_id     = 500                      # ID of TSS secret to retrieve
+  secret_fields = ["username", "password"] # Fields to retrieve from the TSS secret
 }
 ```
 
@@ -84,7 +86,8 @@ data "tss" "mock-data" {
   password = "test123" # TSS password
   server_url = "https://my-thycotic-server.example.com/SecretServer"
 
-  secret_id = "500" # ID of TSS secret to retrieve
+  secret_id     = 500                      # ID of TSS secret to retrieve
+  secret_fields = ["username", "password"] # Fields to retrieve from the TSS secret
 }
 
 build {
@@ -105,12 +108,21 @@ build {
           datacenter = "PackerDatacenter"
           datastore  = "datastore1"
           host       = "123.45.678.9"
-          password   = data.mock-data.password
-          username   = data.mock-data.username
+          password   = data.mock-data.fields.username
+          username   = data.mock-data.fields.password
       }
     }
 }
 ```
 
+**NOTE:** Packer does not seem to support sensitive values from custom data sources yet. If you are passing the variables to provisioners and wish to keep them sensitive, you can create a sensitive local.
+
+```hcl
+local "my_secret_password" {
+  expression = "${data.mock-data.fields.password}"
+  sensitive  = true
+}
+```
+
 ## Packer Compatibility
 This template is compatible with Packer >= v1.7.0

datasource/tss/data.go

@@ -3,7 +3,6 @@ package tss
 
 import (
 	"fmt"
-
 	"packer-plugin-tss/common"
 
 	"github.com/hashicorp/hcl/v2/hcldec"
@@ -14,19 +13,19 @@ import (
 
 type Config struct {
 	common.AuthConfig `mapstructure:",squash"`
-	SecretID          int `mapstructure:"secret_id" required:"true"`
+	SecretID          int      `mapstructure:"secret_id" required:"true"`
+	SecretFields      []string `mapstructure:"secret_fields" required:"true"`
 }
 
 type Datasource struct {
 	config Config
 }
 
 type DatasourceOutput struct {
+	// Secret ID in TSS.
 	ID int `mapstructure:"id"`
-
-	// Though TSS stores other fields, retrieve only credential details (username & password) for now.
-	Username string `mapstructure:"username"`
-	Password string `mapstructure:"password"`
+	// Values of the requested Secret Fields.
+	Fields map[string]string `mapstructure:"fields"`
 }
 
 func (d *Datasource) ConfigSpec() hcldec.ObjectSpec {
@@ -50,32 +49,30 @@ func (d *Datasource) OutputSpec() hcldec.ObjectSpec {
 }
 
 func (d *Datasource) Execute() (cty.Value, error) {
-	output := DatasourceOutput{}
-
-	emptyOutput := hcl2helper.HCL2ValueFromConfig(output, d.OutputSpec())
-
 	client, err := d.config.CreateClient()
 	if err != nil {
-		return emptyOutput, err
+		return cty.NullVal(cty.EmptyObject), err
 	}
 
 	// TSS SDK only supports retrieving secrets by ID
 	secret, err := client.Secret(d.config.SecretID)
 	if err != nil {
-		return emptyOutput, err
+		return cty.NullVal(cty.EmptyObject), err
 	}
 
-	output.ID = secret.ID
+	secretFields := make(map[string]string, len(d.config.SecretFields))
 
-	var success bool
-	output.Username, success = secret.Field("username")
-	if !success {
-		output.Username = ""
+	for _, field := range d.config.SecretFields {
+		var success bool
+		secretFields[field], success = secret.Field(field)
+		if !success {
+			secretFields[field] = ""
+		}
 	}
 
-	output.Password, success = secret.Field("password")
-	if !success {
-		output.Password = ""
+	output := DatasourceOutput{
+		ID:     secret.ID,
+		Fields: secretFields,
 	}
 
 	return hcl2helper.HCL2ValueFromConfig(output, d.OutputSpec()), nil

example/data.pkr.hcl

@@ -1,7 +1,11 @@
 data "tss" "mock-data" {
-  username = "testing"
-  password = "test123"
+  username   = "testing"
+  password   = "test123"
   server_url = "https://my-thycotic-server.example.com/SecretServer"
 
   secret_id = "500"
+  secret_fields = [
+    "password",
+    "username",
+  ]
 }