Merge pull request #1741 from hashicorp/vault-env-var-secrets

Add support for Vault agent environment variables | VAULT-16059
hashicorp · May 9, 2023 · 2a5a5b5 · 2a5a5b5
2 parents 02d863a + c529aa9
commit 2a5a5b5
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 14 deletions.
diff --git a/config/template.go b/config/template.go
@@ -127,6 +127,13 @@ type TemplateConfig struct {
 	// and causes an error if a relative path tries to traverse outside that
 	// prefix.
 	SandboxPath *string `mapstructure:"sandbox_path"`
+
+	// MapToEnvironmentVariable is the name of the environment variable this
+	// template should map to. It is currently only used by Vault Agent and
+	// will be ignored otherwise. When specified, Vault Agent will render the
+	// contents of this template to the given environment variable instead
+	// of a file. This field is mutually exclusive with `Destination`.
+	MapToEnvironmentVariable *string `mapstructure:"-"`
 }
 
 // DefaultTemplateConfig returns a configuration that is populated with the
@@ -194,6 +201,8 @@ func (c *TemplateConfig) Copy() *TemplateConfig {
 
 	o.SandboxPath = c.SandboxPath
 
+	o.MapToEnvironmentVariable = c.MapToEnvironmentVariable
+
 	return &o
 }
 
@@ -302,6 +311,10 @@ func (c *TemplateConfig) Merge(o *TemplateConfig) *TemplateConfig {
 		r.SandboxPath = o.SandboxPath
 	}
 
+	if o.MapToEnvironmentVariable != nil {
+		r.MapToEnvironmentVariable = o.MapToEnvironmentVariable
+	}
+
 	return r
 }
 
@@ -404,6 +417,10 @@ func (c *TemplateConfig) Finalize() {
 	} else {
 		c.FunctionDenylist = combineLists(c.FunctionDenylist, c.FunctionDenylistDeprecated)
 	}
+
+	if c.MapToEnvironmentVariable == nil {
+		c.MapToEnvironmentVariable = String("")
+	}
 }
 
 // GoString defines the printable version of this struct.
@@ -429,7 +446,8 @@ func (c *TemplateConfig) GoString() string {
 		"RightDelim:%s, "+
 		"ExtFuncMap:%s, "+
 		"FunctionDenylist:%s, "+
-		"SandboxPath:%s"+
+		"SandboxPath:%s "+
+		"MapToEnvironmentVariable:%s"+
 		"}",
 		BoolGoString(c.Backup),
 		c.Command,
@@ -448,6 +466,7 @@ func (c *TemplateConfig) GoString() string {
 		maps.Keys(c.ExtFuncMap),
 		combineLists(c.FunctionDenylist, c.FunctionDenylistDeprecated),
 		StringGoString(c.SandboxPath),
+		StringGoString(c.MapToEnvironmentVariable),
 	)
 }
 
@@ -464,9 +483,14 @@ func (c *TemplateConfig) Display() string {
 		source = String("(dynamic)")
 	}
 
+	destination := c.Destination
+	if StringPresent(c.MapToEnvironmentVariable) {
+		destination = c.MapToEnvironmentVariable
+	}
+
 	return fmt.Sprintf("%q => %q",
 		StringVal(source),
-		StringVal(c.Destination),
+		StringVal(destination),
 	)
 }
 

diff --git a/config/template_test.go b/config/template_test.go
@@ -27,18 +27,19 @@ func TestTemplateConfig_Copy(t *testing.T) {
 		{
 			"same_enabled",
 			&TemplateConfig{
-				Backup:         Bool(true),
-				Command:        []string{"command"},
-				CommandTimeout: TimeDuration(10 * time.Second),
-				Contents:       String("contents"),
-				CreateDestDirs: Bool(true),
-				Destination:    String("destination"),
-				Exec:           &ExecConfig{Command: []string{"command"}},
-				Perms:          FileMode(0o600),
-				Source:         String("source"),
-				Wait:           &WaitConfig{Min: TimeDuration(10)},
-				LeftDelim:      String("left_delim"),
-				RightDelim:     String("right_delim"),
+				Backup:                   Bool(true),
+				Command:                  []string{"command"},
+				CommandTimeout:           TimeDuration(10 * time.Second),
+				Contents:                 String("contents"),
+				CreateDestDirs:           Bool(true),
+				Destination:              String("destination"),
+				Exec:                     &ExecConfig{Command: []string{"command"}},
+				Perms:                    FileMode(0o600),
+				Source:                   String("source"),
+				Wait:                     &WaitConfig{Min: TimeDuration(10)},
+				LeftDelim:                String("left_delim"),
+				RightDelim:               String("right_delim"),
+				MapToEnvironmentVariable: String(""),
 			},
 		},
 	}
@@ -396,6 +397,24 @@ func TestTemplateConfig_Merge(t *testing.T) {
 			&TemplateConfig{RightDelim: String("right_delim")},
 			&TemplateConfig{RightDelim: String("right_delim")},
 		},
+		{
+			"map_to_env_var_empty_one",
+			&TemplateConfig{MapToEnvironmentVariable: String("FOO")},
+			&TemplateConfig{},
+			&TemplateConfig{MapToEnvironmentVariable: String("FOO")},
+		},
+		{
+			"map_to_env_var_empty_two",
+			&TemplateConfig{},
+			&TemplateConfig{MapToEnvironmentVariable: String("FOO")},
+			&TemplateConfig{MapToEnvironmentVariable: String("FOO")},
+		},
+		{
+			"map_to_env_var_override",
+			&TemplateConfig{MapToEnvironmentVariable: String("FOO")},
+			&TemplateConfig{MapToEnvironmentVariable: String("BAR")},
+			&TemplateConfig{MapToEnvironmentVariable: String("BAR")},
+		},
 	}
 
 	for i, tc := range cases {
@@ -456,6 +475,7 @@ func TestTemplateConfig_Finalize(t *testing.T) {
 				FunctionDenylist:           []string{},
 				FunctionDenylistDeprecated: []string{},
 				SandboxPath:                String(""),
+				MapToEnvironmentVariable:   String(""),
 			},
 		},
 	}
@@ -503,6 +523,21 @@ func TestTemplateConfig_Display(t *testing.T) {
 			},
 			`"/var/my.tpl" => "/var/my.txt"`,
 		},
+		{
+			"with_environment_variable",
+			&TemplateConfig{
+				MapToEnvironmentVariable: String("FOO"),
+			},
+			`"" => "FOO"`,
+		},
+		{
+			"with_environment_variable_and_contents",
+			&TemplateConfig{
+				MapToEnvironmentVariable: String("FOO"),
+				Contents:                 String("hello"),
+			},
+			`"(dynamic)" => "FOO"`,
+		},
 	}
 
 	for i, tc := range cases {