hashicorp · tomwerneruk · Jun 20, 2021 · Jun 30, 2021 · Jul 1, 2021 · Jul 1, 2021
diff --git a/template/funcs.go b/template/funcs.go
@@ -332,7 +332,7 @@ func nodesFunc(b *Brain, used, missing *dep.Set) func(...string) ([]*dep.Node, e
 }
 
 // secretFunc returns or accumulates secret dependencies from Vault.
-func secretFunc(b *Brain, used, missing *dep.Set) func(...string) (*dep.Secret, error) {
+func secretFunc(b *Brain, used, missing *dep.Set, sandboxPath string) func(...string) (*dep.Secret, error) {
 	return func(s ...string) (*dep.Secret, error) {
 		var result *dep.Secret
 
@@ -351,6 +351,29 @@ func secretFunc(b *Brain, used, missing *dep.Set) func(...string) (*dep.Secret,
 
 			k, v := strings.TrimSpace(parts[0]), strings.TrimSpace(parts[1])
 			data[k] = v
+
+			// vault has a notation to prefix file paths pointing to files
+			// containing attribute data with an @. Parse this, load the file
+			// contents and use as the value. Most useful for PKI `sign`
+			// method to provide csr as a file
+			if v[0] == '@' {
+				var extfile_path string
+				extfile_path = v[1:]
+
+				sandbox_err := pathInSandbox(sandboxPath, extfile_path)
+				if sandbox_err != nil {
+					return result, sandbox_err
+				}
+
+				extfile, err := ioutil.ReadFile(extfile_path)
+
+				if err != nil {
+					fmt.Println("Error reading external file", err)
+					return nil, err
+				}
+
+				data[k] = string(extfile)
+			}
 		}
 
 		var d dep.Dependency

diff --git a/template/template.go b/template/template.go
@@ -234,7 +234,7 @@ func funcMap(i *funcMapInput) template.FuncMap {
 		"safeLs":       safeLsFunc(i.brain, i.used, i.missing),
 		"node":         nodeFunc(i.brain, i.used, i.missing),
 		"nodes":        nodesFunc(i.brain, i.used, i.missing),
-		"secret":       secretFunc(i.brain, i.used, i.missing),
+		"secret":       secretFunc(i.brain, i.used, i.missing, i.sandboxPath),
 		"secrets":      secretsFunc(i.brain, i.used, i.missing),
 		"service":      serviceFunc(i.brain, i.used, i.missing),
 		"connect":      connectFunc(i.brain, i.used, i.missing),
@@ -294,7 +294,7 @@ func funcMap(i *funcMapInput) template.FuncMap {
 		"split":                 split,
 		"byMeta":                byMeta,
 		"sockaddr":              sockaddr,
-    
+
 		// Math functions
 		"add":      add,
 		"subtract": subtract,