pulumi / pulumi-pulumiservice

https://pulumi.com
Apache License 2.0

Missing support for `Secret` in Pulumi Deployment environment variables #376

Closed aureq closed 3 months ago

aureq commented 3 months ago

Hello!

Issue details

It's possible to configure the deployment settings for a given stack and inject plain text environment variables ✔. However, the input type is `Mapping[str, str]` and it doesn't make any distinction between the value being a string or a Pulumi secret ❌. Both are treated as plain text values.

This means that if a user/customer needs to provide a token (say, for accessing a remote service), then the value shows up in plain text in the Pulumi Cloud Console ❌.

Here is a screen capture after running the code below

Image

Source code for the screenshot above

```python
import pulumi
import pulumi_pulumiservice as pulumiservice

deployment_settings = pulumiservice.DeploymentSettings(
    resource_name = "deployment-settings",
    organization = pulumi.get_organization(),
    project = pulumi.get_project(),
    stack = pulumi.get_stack(),
    source_context = pulumiservice.DeploymentSettingsSourceContextArgs(
        git = pulumiservice.DeploymentSettingsGitSourceArgs(
            branch = "main",
            repo_url = "aureq/aws-py-eks-helm",
            git_auth = pulumiservice.DeploymentSettingsGitSourceGitAuthArgs(
                basic_auth = pulumiservice.DeploymentSettingsGitAuthBasicAuthArgs(
                    username = "aureq",
                    password = "<redacted>"
                )
            )
        )
    ),
    operation_context = pulumiservice.DeploymentSettingsOperationContextArgs(
        environment_variables = {
            "SECRET_ENV_VAR": pulumi.Output.secret('This should NOT be visible')
        }
    )
)
```

IaroslavTitov commented 3 months ago

Thank you for finding and bringing this up! Fixed and released a new version, please update to 0.23.2 and secrets will work in Deployment Settings again.