pulumi / pulumi-vault

A Vault Pulumi resource package, providing multi-language access to HashiCorp Vault
Apache License 2.0

The Output of `get_secret_output` is not marked as a secret #424

Open SharpEdgeMarshall opened 8 months ago

SharpEdgeMarshall commented 8 months ago

What happened?

Calling get_secret_output returns an Output that is not marked as secret and is shown in the preview if passed to other resources.

Example

Code:

```python
import pulumi
import pulumi_vault
import pulumi_rabbitmq as rabbitmq

credentials_data = pulumi_vault.generic.get_secret_output(path=f"rabbitmq/creds/my-role").data
provider = rabbitmq.Provider(
    "rabbitmq-provider",
    username=credentials_data.apply(lambda data: data["username"]),
    password=credentials_data.apply(lambda data: data["password"]),
)
```

Preview diff:

```
+ pulumi:providers:rabbitmq: (create)
    [urn=URN]
    endpoint: [secret]
    password: "CLEAR_TEXT_PASSWORD"
    username: "CLEAR_TEXT_USERNAME"
    version : "3.3.1"
```

Workaround:

```python
import pulumi
import pulumi_vault
import pulumi_rabbitmq as rabbitmq

credentials_data = pulumi_vault.generic.get_secret_output(path=f"rabbitmq/creds/my-role").data
provider = rabbitmq.Provider(
    "rabbitmq-provider",
    username=pulumi.Output.secret(credentials_data.apply(lambda data: data["username"])),
    password=pulumi.Output.secret(credentials_data.apply(lambda data: data["password"])),
)
```

Output of pulumi about

```
CLI
Version      3.106.0
Go Version   go1.22.0
Go Compiler  gc

Plugins
NAME      VERSION
python    unknown
rabbitmq  3.3.1
vault     5.20.0

Host
OS       darwin
Version  14.3.1
Arch     arm64

This project is written in python: executable='/Users/my-user/.pyenv/shims/python3' version='3.9.18'

Dependencies:
NAME             VERSION
black            22.12.0
flake8           3.9.2
isort            5.12.0
mypy             0.910
pip              23.3.1
pulumi_rabbitmq  3.3.1
pulumi_vault     5.20.0
setuptools       69.0.2
```

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

iwahbe commented 8 months ago

Hey @SharpEdgeMarshall. Thanks for bringing this to our attention.


The bridge correctly marks these function outputs as secret in the schema:

https://github.com/pulumi/pulumi-vault/blob/23d71ff5ce3685154d99cbed959e8a92cef57e82/provider/cmd/pulumi-resource-vault/schema.json#L31069-L31082

We see this take effect for the generic.Secret resource:

https://github.com/pulumi/pulumi-vault/blob/23d71ff5ce3685154d99cbed959e8a92cef57e82/sdk/python/pulumi_vault/generic/secret.py#L357

I don't see any similar code to pass secrets to resource options. I'll open an issue in pulumi/pulumi. (issue created)

In the meantime, you can call pulumi.Output.secret to convert non-secret outputs to secret values:

```python
import pulumi
import pulumi_vault
import pulumi_rabbitmq as rabbitmq

credentials_data = pulumi_vault.generic.get_secret_output(path=f"rabbitmq/creds/my-role").data
provider = rabbitmq.Provider(
    "rabbitmq-provider",
    username=pulumi.Output.secret(credentials_data.apply(lambda data: data["username"])),
    password=pulumi.Output.secret(credentials_data.apply(lambda data: data["password"])),
)
```
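
The following is an added example, not code from the issue, the Pulumi SDK or the pulumi-vault provider. It is a constructed, self-contained model of the one mechanism this thread turns on: Pulumi's secret flag lives on the `Output` and is sticky through `.apply`, so a function output that is never flagged leaks every value derived from it into the preview, while wrapping those values in `Output.secret` (the workaround above) or flagging the function output at its source (the fix iwahbe refers to) redacts everything downstream. The `Output` class, `render_preview` and `get_secret_output_data` are stand-ins written for this example, and the credentials are constructed values.

```python
"""Constructed model of how Pulumi propagates the 'secret' flag through Outputs.

This is NOT the Pulumi SDK. It is a minimal stand-in whose semantics mirror
pulumi.Output.apply / pulumi.Output.secret closely enough to show why the
workaround in the issue is needed, and what the preview looks like once the
function output is marked secret at the source.
"""
from typing import Any, Callable, Dict


class Output:
    """A resolved value plus a 'secret' flag that is sticky across apply()."""

    def __init__(self, value: Any, is_secret: bool = False) -> None:
        self.value = value
        self.is_secret = is_secret

    def apply(self, fn: Callable[[Any], Any]) -> "Output":
        # Anything derived from a secret stays secret; a non-secret stays clear.
        return Output(fn(self.value), self.is_secret)

    @staticmethod
    def secret(out: "Output") -> "Output":
        # Force the flag on, the way pulumi.Output.secret() does.
        return Output(out.value, True)


def render_preview(inputs: Dict[str, Output]) -> Dict[str, str]:
    """Mimic how `pulumi preview` prints resource inputs: secrets are redacted."""
    return {
        name: "[secret]" if out.is_secret else repr(out.value)
        for name, out in inputs.items()
    }


def get_secret_output_data(path: str, *, marked_secret: bool) -> Output:
    """Stand-in for generic.get_secret_output(path=...).data (constructed data)."""
    fake_creds = {"username": "app-user", "password": "hunter2"}  # constructed
    return Output(fake_creds, is_secret=marked_secret)


def provider_inputs(wrap_in_secret: bool) -> Dict[str, str]:
    """Preview of the provider inputs as reported (function output NOT secret),
    optionally applying the per-field Output.secret workaround."""
    data = get_secret_output_data("rabbitmq/creds/my-role", marked_secret=False)
    username = data.apply(lambda d: d["username"])
    password = data.apply(lambda d: d["password"])
    if wrap_in_secret:
        username = Output.secret(username)
        password = Output.secret(password)
    return render_preview({"username": username, "password": password})


def fixed_provider_inputs() -> Dict[str, str]:
    """Preview once the function output is flagged secret at the source:
    no per-field wrapping is needed because apply() carries the flag along."""
    data = get_secret_output_data("rabbitmq/creds/my-role", marked_secret=True)
    return render_preview({
        "username": data.apply(lambda d: d["username"]),
        "password": data.apply(lambda d: d["password"]),
    })


if __name__ == "__main__":
    print("as reported    :", provider_inputs(wrap_in_secret=False))
    print("workaround     :", provider_inputs(wrap_in_secret=True))
    print("fixed at source:", fixed_provider_inputs())
```

In a real Pulumi program the same property can be checked in a unit test under `pulumi.runtime.set_mocks` by awaiting `pulumi.Output.is_secret(...)` on the provider's `password` input, which is a cheap regression guard against a provider or SDK update silently dropping the flag again.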

SharpEdgeMarshall commented 8 months ago

Thank you @iwahbe for the answer; that's exactly what we ended up doing, I simply forgot to add it to the issue. 👍