pulumi / pulumi-terraform-bridge

A library allowing Terraform providers to be bridged into Pulumi.
Apache License 2.0

Tests for secret handling in provider configuration #2440

Open t0yv0 opened 4 hours ago

t0yv0 commented 4 hours ago

For the following combinations:

Check that first-class secrets work as expected:

- When a program configures the provider with a secret input, `pulumi up` succeeds and TF code receives the expected un-secreted value
- Secret material does not leak to state

Check that schema-based secrets work as expected:

- When a provider property is sensitive according to SchemaInfo or the underlying TF schema
- User configures the provider with a plain value
- The plain value does not leak to state but is secreted in state

Some suggestions on "bulletproof" test suite at integration level to work around concerns of mixing things up around provider configuration due to Config Encoding.

CC @VenelinMartinov @iwahbe @guineveresaenger

One other thing to call out is checking upgrade scenarios where DiffConfig() might be in play and receive a previous version of the schema.
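One way to mechanise the "does not leak to state" check from the lists above, as an added example that is not part of the bridge or of this issue: it walks an exported stack state and reports every path at which the secret value is stored unprotected. The two signature constants are Pulumi's state markers for special values and secrets; the state documents fed to it are constructed, simplified samples.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Pulumi tags special values in state with SigKey; a secret carries SecretSig under it
// and keeps the real value as "ciphertext" (or "plaintext" only with --show-secrets).
const (
	SigKey    = "4dabf18193072939515e22adb298388d"
	SecretSig = "1b47061264138c4ac30d75fd1eb44270"
)

// IsSecretWrapped reports whether v is a Pulumi secret envelope.
func IsSecretWrapped(v any) bool {
	m, ok := v.(map[string]any)
	return ok && m[SigKey] == SecretSig
}
// findLeaks records JSON paths where secret appears raw, outside an envelope.
func findLeaks(v any, secret, path string, out *[]string) {
	switch t := v.(type) {
	case string:
		if t == secret {
			*out = append(*out, path)
		}
	case map[string]any:
		if IsSecretWrapped(t) {
			return // envelope contents are protected (or deliberately shown)
		}
		for k, child := range t {
			findLeaks(child, secret, path+"."+k, out)
		}
	case []any:
		for i, child := range t {
			findLeaks(child, secret, fmt.Sprintf("%s[%d]", path, i), out)
		}
	}
}
// FindSecretLeaks parses an exported stack state (pulumi stack export) and
// returns every path at which secret is stored unprotected; empty means clean.
func FindSecretLeaks(stateJSON []byte, secret string) ([]string, error) {
	var state any
	if err := json.Unmarshal(stateJSON, &state); err != nil {
		return nil, err
	}
	var leaks []string
	findLeaks(state, secret, "$", &leaks)
	return leaks, nil
}
```

Run it against `pulumi stack export` output for both the first-class and the schema-based case; either should yield no paths, and a raw hit in provider inputs or outputs is the leak the checklist is after.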

t0yv0 commented 4 hours ago

TBD move to the bridge

t0yv0 commented 3 hours ago

Jotting this down as part of discussion re: https://github.com/pulumi/pulumi-terraform-bridge/issues/2439

t0yv0 commented 3 hours ago

@iwahbe brought up a good point that due to https://github.com/pulumi/pulumi/pull/15032 the language dimension is pertinent here. We do not know from a YAML-based test that C# or TypeScript are going to work because languages differ due to SDK handling in how they pass config information over the wire.

We discussed a reluctance to add language-specific tests to the bridge codebase as in an idealized world language variance would be guaranteed by pulumi/pulumi machinery and out of scope for the bridged codebase. In the immediate term Ian is to introduce replay tests that mimic TypeScript behavior.

It is however not entirely satisfactory as we will not be able to push https://github.com/pulumi/pulumi-terraform-bridge/issues/2439 forward without having tests that assure us that bridged providers behave correctly for configuration in each language after the change, and there is the Gordian knot that the bridge does not bottom out at a supported Go SDK. This could be done either by language-variant tests in the bridge or else by introducing tests in pulumi/pulumi that depend on bridged providers. Expecting some pushback both ways but we'll need to pick our poison to move the 2439 forward.