pulumi / pulumi-terraform-bridge

A library allowing Terraform providers to be bridged into Pulumi.
Apache License 2.0

Functions return secret values as plain #1051

Open t0yv0 opened 1 year ago

t0yv0 commented 1 year ago

What happened?

Invoking a function that has output properties marked as sensitive returns plain values to the Pulumi program, bypassing the secret-bit propagation functionality of Output<T>. If the user later uses this data in a way that is recorded in the state file, such as using it as an input to a resource, it can compromise safety by exposing the sensitive data in plaintext in the state file.

Blocker: https://github.com/pulumi/pulumi/issues/12710

Currently cannot be implemented in the bridge as updating providers to the bridge version that supports this would break user programs. Some assistance is needed from the engine to dis-intermediate.

Expected Behavior

Sensitive data is protected and encrypted if it ends up in the state file.

Steps to reproduce

Use https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/getrandompassword/ and store the results in the statefile.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const test = aws.secretsmanager.getRandomPasswordOutput({
    excludeNumbers: true,
    passwordLength: 50,
});

export const pw = test.apply(x => x.randomPassword);

Note that the password is NOT [secret] in the stack output.

$ pulumi stack output
Current stack outputs (1):
    OUTPUT  VALUE
    pw      .UDP*(N?(L|?C&\pjJ\LKLpjC!`q%o>vEUoYl],ee]~Be<!SXy

Output of pulumi about

CLI          
Version      3.64.0
Go Version   go1.20.3
Go Compiler  gc

Plugins
NAME    VERSION
aws     5.38.0
awsx    1.0.2
docker  3.6.1
nodejs  unknown

Host     
OS       darwin
Version  13.1
Arch     x86_64

This project is written in nodejs: executable='/Users/t0yv0/.nix-profile/bin/node' version='v18.12.1'

Current Stack: t0yv0/aws-secret-leak/dev

TYPE                  URN
pulumi:pulumi:Stack   urn:pulumi:dev::aws-secret-leak::pulumi:pulumi:Stack::aws-secret-leak-dev
pulumi:providers:aws  urn:pulumi:dev::aws-secret-leak::pulumi:providers:aws::default_5_38_0

Found no pending operations associated with dev

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/t0yv0
User           t0yv0
Organizations  t0yv0, pulumi

Dependencies:
NAME            VERSION
@types/node     16.18.25
@pulumi/aws     5.38.0
@pulumi/awsx    1.0.2
@pulumi/pulumi  3.65.1

Pulumi locates its logs in /var/folders/gk/cchgxh512m72f_dmkcc3d09h0000gp/T/ by default

Additional context

Plugin Framework version (./pf Go module) started by doing this right but had to manually remove secrets due to the blocker in the engine. Reminder to remove those lines when this is ready to go.

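The propagation failure described in the report, as an added, self-contained model (not the Pulumi SDK or bridge code): a toy `Output<T>` carries the secret bit through `apply`, an invoke modelled on `getRandomPasswordOutput` returns its result without that bit, and the serializer shows the plaintext landing in the stack outputs unless the program wraps the value itself. The `secret()` helper here stands in for the real SDK's `pulumi.secret`; the password string is a constructed sample.

```typescript
// Minimal stand-in for Pulumi's Output<T>; only the secret-bit semantics are modelled.
class Output<T> {
  constructor(readonly value: T, readonly isSecret: boolean) {}
  apply<U>(fn: (v: T) => U): Output<U> {
    // The secret bit travels through apply, but a plain input never gains one.
    return new Output(fn(this.value), this.isSecret);
  }
}

// Stand-in for pulumi.secret(): force the secret bit on a value or output.
function secret<T>(v: T | Output<T>): Output<T> {
  return v instanceof Output ? new Output(v.value, true) : new Output(v, true);
}

interface RandomPasswordResult { randomPassword: string; }

// Models the bridged invoke: the provider schema marks randomPassword as
// sensitive, but the result comes back without the secret bit (the reported bug).
function getRandomPasswordOutput(): Output<RandomPasswordResult> {
  // Constructed sample value, not a generated password.
  return new Output({ randomPassword: "constructed-sample-pw" }, false);
}

// Models what the engine records for stack outputs: secrets render as "[secret]".
function renderStackOutputs(outputs: Record<string, Output<unknown>>): Record<string, string> {
  const rendered: Record<string, string> = {};
  for (const [name, o] of Object.entries(outputs)) {
    rendered[name] = o.isSecret ? "[secret]" : String(o.value);
  }
  return rendered;
}

const test = getRandomPasswordOutput();

// As reported: the password reaches the stack output in plaintext.
const leaked = renderStackOutputs({ pw: test.apply(x => x.randomPassword) });

// Program-side mitigation until the bridge sets the bit: wrap the value explicitly.
const guarded = renderStackOutputs({ pw: secret(test.apply(x => x.randomPassword)) });
```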

jazzyfresh commented 1 year ago

Added to the project board

t0yv0 commented 1 month ago

Platform features have been built 🥇

We can build this into the bridge now.

t0yv0 commented 1 month ago

https://github.com/pulumi/pulumi/issues/12710 to be precise.