Parse and Handle environment variables in /params to facilitate secrets handling

[DarwinJS]

This is definitely related to #312 and to #955. The latter would be necessary for this to be a complete solution.

However, I wanted to submit a separate issue due the importance of this use case and the fact that it helps complete #955.

I have seen this use case used beyond packer for similar benefits.

A packer pattern for handling secrets is to have the provisioner inject an environment variable into the remote process and then reference that environment variable in any code that processes on the node.

The secret might be visible on the packer "builder" machine - but this approach helps prevent the target machine from recording it in logs (obviously subject to the handling of that data by whatever is processing it).

If I attempt to pass an environment variable reference (-params '"/secret=$env:varname"') in a chocolatey parameter it [a] does not parse, [b] won't be handled as a variable.

I understand that package parameter parsing is not a built-in function in chocolatey and that this might end up just being a better sample code for the parsing bit.

But I believe it would also require an "Invoke-Expression" or some other string expansion method that does not expose the variable data - that might be deeper in Chocolatey than simply the parsing problem.

[ferventcoder]

So why not just set the variable directly before calling install and then use it in the script if you detect it is available? That is currently the pattern we recommend on FOSS.

However, once you step to professional use/organization use of Chocolatey, you have options:

https://chocolatey.org/docs/commands-install#options-and-switches

     --install-arguments-sensitive=VALUE
     InstallArgumentsSensitive - Install Arguments to pass to the native 
       installer in the package that are sensitive and you do not want logged. 
       Defaults to unspecified. Available in 0.10.1+. [Licensed versions](https://chocolatey.org/compare) only.

     --package-parameters-sensitive=VALUE
     PackageParametersSensitive - Package Parameters to pass the package that 
       are sensitive and you do not want logged. Defaults to unspecified. 
       Available in 0.10.1+. [Licensed versions](https://chocolatey.org/compare) only.

[ferventcoder]

I think you are currently running into PowerShell possibly expanding your environment variable when you try to specify it. You could also see if there is a way not to have PowerShell expand it and then you can expand it in the package.

[ferventcoder]

Right now it feels like this is a duplicate of #948

[ferventcoder]

f I attempt to pass an environment variable reference (-params '"/secret=$env:varname"') in a chocolatey parameter it [a] does not parse, [b] won't be handled as a variable.

You may need to try several different methods to see if you can get it to send the value appropriately without expanding it.

Always attempt with --noop --debug so you can get quick feedback into how the values get set into the configuration.

Try
-params "'/secret=$env:varname'"to see if it passes it as a string.-params "'/secret=#env:varname'"is another option you can then replace#with$` in your script parsing and then call to expand environment variables.

$params = $env:ChocolateyPackageParameters

if ($params -ne $null) {
 $params = [System.Environment]::ExpandEnvironmentVariables($params.Replace("#","$"))
}

[DarwinJS]

Rob - Thanks for all the useful ways to deal with this and I didn't know a feature is already in the paid versions - well handled all around.

[ferventcoder]

@DarwinJS My first examples didn't show the backtick, I fixed that example code.