pulumi / pulumi-pulumiservice

https://pulumi.com
Apache License 2.0

Secrets stored in plain text in the state when setting an environment variable in a stack deployment settings. #377

Closed aureq closed 3 months ago

aureq commented 3 months ago

What happened?

When using the code shown below, the stack state stores SECRET_ENV_VAR in plain text despite the value being marked as a secret: once in the resource inputs and again in the resource outputs.

Example

import pulumi
import pulumi_pulumiservice as pulumiservice

# Deployment settings for the current stack, sourced from a Git repository.
deployment_settings = pulumiservice.DeploymentSettings(
    resource_name="deployment-settings",
    organization=pulumi.get_organization(),
    project=pulumi.get_project(),
    stack=pulumi.get_stack(),
    source_context=pulumiservice.DeploymentSettingsSourceContextArgs(
        git=pulumiservice.DeploymentSettingsGitSourceArgs(
            branch="main",
            repo_url="aureq/aws-py-eks-helm",
            git_auth=pulumiservice.DeploymentSettingsGitSourceGitAuthArgs(
                basic_auth=pulumiservice.DeploymentSettingsGitAuthBasicAuthArgs(
                    username="aureq",
                    password="<redacted>",
                )
            ),
        )
    ),
    operation_context=pulumiservice.DeploymentSettingsOperationContextArgs(
        # Wrapped in Output.secret(), so it should be encrypted in the state.
        environment_variables={
            "SECRET_ENV_VAR": pulumi.Output.secret("This should NOT be visible")
        }
    ),
)

State

{
    "urn": "urn:pulumi:9999::zendesk::pulumiservice:index:DeploymentSettings::deployment-settings",
    "custom": true,
    "id": "menfin/zendesk/9999",
    "type": "pulumiservice:index:DeploymentSettings",
    "inputs": {
        "operationContext": {
            "environmentVariables": {
                "SECRET_ENV_VAR": "This should NOT be visible"
            }
        },
        "organization": "menfin",
        "project": "zendesk",
        "sourceContext": {
            "git": {
                "branch": "main",
                "gitAuth": {
                    "basicAuth": {
                        "password": "\u003credacted\u003e",
                        "username": "aureq"
                    }
                },
                "repoUrl": "aureq/aws-py-eks-helm"
            }
        },
        "stack": "9999"
    },
    "outputs": {
        "operationContext": {
            "environmentVariables": {
                "SECRET_ENV_VAR": "This should NOT be visible"
            }
        },
        "organization": "menfin",
        "project": "zendesk",
        "sourceContext": {
            "git": {
                "branch": "main",
                "gitAuth": {
                    "basicAuth": {
                        "password": "AAABANYD+tl1+/Fy7TERObgT3QCyYnlhAkoKzuuF/K7E5Bl5buDncM6W",
                        "username": "aureq"
                    }
                },
                "repoUrl": "aureq/aws-py-eks-helm"
            }
        },
        "stack": "9999"
    },
    "parent": "urn:pulumi:9999::zendesk::pulumi:pulumi:Stack::zendesk-9999",
    "provider": "urn:pulumi:9999::zendesk::pulumi:providers:pulumiservice::default_0_23_1::943b7e37-8759-40f6-b222-1dff25cd249a",
    "propertyDependencies": {
        "operationContext": [],
        "organization": [],
        "project": [],
        "sourceContext": [],
        "stack": []
    },
    "created": "2024-08-14T02:13:59.88608919Z",
    "modified": "2024-08-14T02:15:52.410864954Z",
    "sourcePosition": "project:///venv/lib/python3.11/site-packages/pulumi_pulumiservice/deployment_settings.py#211"
}

Output of pulumi about

CLI
Version      3.129.0
Go Version   go1.22.6
Go Compiler  gc

Plugins
KIND      NAME           VERSION
resource  pulumiservice  0.23.1
language  python         unknown

Host
OS       debian
Version  12.6
Arch     x86_64

This project is written in python: executable='/home/aureq/work/customers/zendesk/5662/venv/bin/python' version='3.11.9'

Current Stack: menfin/zendesk/9999

TYPE                                    URN
pulumi:pulumi:Stack                     urn:pulumi:9999::zendesk::pulumi:pulumi:Stack::zendesk-9999
pulumi:providers:pulumiservice          urn:pulumi:9999::zendesk::pulumi:providers:pulumiservice::default_0_23_1
pulumiservice:index:DeploymentSettings  urn:pulumi:9999::zendesk::pulumiservice:index:DeploymentSettings::deployment-settings

Found no pending operations associated with 9999

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/aureq
User           aureq
Organizations  aureq, team-ce, menfin, menfin-team, demo
Token type     personal

Dependencies:
NAME                  VERSION
pip                   24.2
pulumi-pulumiservice  0.23.1
setuptools            72.2.0
wheel                 0.44.0

Pulumi locates its logs in /tmp by default

Additional context

Related to https://github.com/pulumi/pulumi-pulumiservice/issues/376

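As an added check (not part of the issue or of the provider's code), the script below walks a `pulumi stack export` dump and reports any DeploymentSettings environment variable stored as a raw value instead of Pulumi's secret envelope, which is how an operator can confirm the state is clean before and after upgrading the provider. The sample export is constructed from the state above, and the two signature constants are Pulumi's well-known markers for a secret property.

```python
import json
from typing import Any, Iterator

# Pulumi's well-known markers for a secret in exported state: a secret is stored as
# {SIG_KEY: SECRET_SIG, "ciphertext": "..."} instead of the raw value.
SIG_KEY = "4dabf18193072939515e22adb298388d"
SECRET_SIG = "1b47061264138c4ac30d75fd1eb44270"
# The property path from the issue that must only ever hold secret envelopes.
ENV_VARS_PATH = ("operationContext", "environmentVariables")

def _leaves(node: Any, path: tuple = ()) -> Iterator[tuple[tuple, Any]]:
    """Yield (path, value) for every leaf; a secret envelope counts as one leaf."""
    if isinstance(node, dict) and node.get(SIG_KEY) != SECRET_SIG:
        for key, value in node.items():
            yield from _leaves(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _leaves(value, path + (index,))
    else:
        yield path, node

def find_plaintext_env_vars(resource: dict) -> list[str]:
    """Dotted inputs.*/outputs.* paths of env vars stored without a secret envelope."""
    findings = []
    for section in ("inputs", "outputs"):
        for path, value in _leaves(resource.get(section, {})):
            if path[:len(ENV_VARS_PATH)] != ENV_VARS_PATH:
                continue
            if isinstance(value, dict) and value.get(SIG_KEY) == SECRET_SIG:
                continue  # encrypted by the stack's secrets provider, as expected
            findings.append(f"{section}." + ".".join(map(str, path)))
    return findings

def scan_stack_export(export_json: str) -> dict[str, list[str]]:
    """Run the check over `pulumi stack export` output, keyed by resource URN."""
    report = {}
    for res in json.loads(export_json).get("deployment", {}).get("resources", []):
        if res.get("type") == "pulumiservice:index:DeploymentSettings":
            if hits := find_plaintext_env_vars(res):
                report[res["urn"]] = hits
    return report

# Constructed sample: the affected resource from the issue, trimmed to the relevant fields.
ENV = {"operationContext": {"environmentVariables": {"SECRET_ENV_VAR": "This should NOT be visible"}}}
BROKEN_EXPORT = json.dumps({"deployment": {"resources": [{
    "urn": "urn:pulumi:9999::zendesk::pulumiservice:index:DeploymentSettings::deployment-settings",
    "type": "pulumiservice:index:DeploymentSettings", "inputs": ENV, "outputs": ENV}]}})

if __name__ == "__main__":
    print(scan_stack_export(BROKEN_EXPORT))
```

Pipe a real export in with `pulumi stack export | python check_state.py` after replacing the constructed sample with `sys.stdin.read()`; an empty report means every environment variable is wrapped in a secret envelope.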

IaroslavTitov commented 3 months ago

Thank you for finding and bringing this up! Fixed and released a new version, please update to 0.23.2 and secrets will work in Deployment Settings again.