Backend: Support variables in `inputs:` syntax - part 2
Problem
When passing inputs with the `include:*:inputs` syntax, the values are currently hard-coded. Users may need to use dynamic values when they don't know them upfront.
Solution
Support variables in `inputs:` syntax:

```yaml
spec:
  inputs:
    stage:
    prefix:
---
"job-$[[ inputs.prefix | expand_vars ]]":
  stage: $[[ inputs.stage | expand_vars ]]
  script: echo hello world
```

Usage:

```yaml
include:
  - local: template.yml
    inputs:
      prefix: "${MY_PREFIX}-${MY_ENVIRONMENT}"
      stage: $ANOTHER_VAR
```

When `| expand_vars` is used, we check if any matching variable is masked and raise an error.
Note:
From !105817 (comment 1197707712)
> Is there a way we will accept only the `${VAR}` format and not `$VAR`, the reasoning is that we would like to allow users to use the $ sign as a character.

This is out of scope for this issue.
⚠ Security requirement
As described in Passing secrets as component inputs is unsafe (#395639 - closed), users may use variables to pass secrets as inputs, and this will be a problem because with interpolation we convert values to plain text.
We must ensure that we detect if any masked variables are being used in `inputs:` values expanded with `expand_vars` and raise an error immediately.
For the time being, secrets should be passed to nested components as environment variables until Introduce `secrets` CI config interpolation par... (#395753) is introduced for safer and more explicit use of secrets.
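
The check required above, sketched as an added example (not GitLab's implementation): references in an input value are resolved only after confirming that none of them points at a masked variable. The `Variable` struct, `MaskedVariableError`, `referenced_keys`, this standalone `expand_vars` method and the sample variables are all hypothetical names and constructed data.

```ruby
# Added illustration, not GitLab's code: all names here are hypothetical.
Variable = Struct.new(:key, :value, :masked, keyword_init: true)
class MaskedVariableError < StandardError; end

# Matches both $VAR and ${VAR}, the two forms shown in the usage example.
VAR_REFERENCE = /\$(?:\{(?<braced>[A-Za-z_][A-Za-z0-9_]*)\}|(?<bare>[A-Za-z_][A-Za-z0-9_]*))/

# Returns the variable names referenced in an input value, in order.
def referenced_keys(value)
  value.scan(VAR_REFERENCE).map { |braced, bare| braced || bare }
end

# Expands references in +value+; refuses if any referenced variable is masked.
def expand_vars(value, variables)
  by_key = variables.to_h { |v| [v.key, v] }

  # Check before expanding, so a secret is never copied into plain-text config.
  masked = referenced_keys(value).select { |k| by_key[k]&.masked }.uniq
  unless masked.empty?
    raise MaskedVariableError, "masked variables cannot be expanded in inputs: #{masked.join(', ')}"
  end

  # Assumption: unknown variables are left as written; the issue does not specify this.
  value.gsub(VAR_REFERENCE) do |match|
    key = Regexp.last_match[:braced] || Regexp.last_match[:bare]
    by_key.key?(key) ? by_key[key].value : match
  end
end

# Constructed sample variables; API_TOKEN stands in for a masked secret.
SAMPLE_VARIABLES = [
  Variable.new(key: "MY_PREFIX", value: "deploy", masked: false),
  Variable.new(key: "MY_ENVIRONMENT", value: "staging", masked: false),
  Variable.new(key: "ANOTHER_VAR", value: "test", masked: false),
  Variable.new(key: "API_TOKEN", value: "constructed-secret", masked: true)
].freeze
```

The error message names only the variable key, so the failure itself does not leak the masked value into job logs or pipeline errors.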
MR Implementation
| Description | MR |
|---|---|
| Support variables in CI inputs with predefined function `expand_vars` | !131466 (merged) |