pulumi / pulumi-yaml

YAML language provider for Pulumi
Apache License 2.0

Using secret path breaks pulumi up #434

Open istvan-fodor opened 1 year ago

istvan-fodor commented 1 year ago

What happened?

I created a new project from the yaml template (no code at all, just config files) and set a secret value using the following command:

pulumi config set --path 'my.test.password' secretpassword123 --secret

The resulting config file looks like this:

config:
  test-pulumi-config:my:
    test:
      password:
        secure: AAABAMWO68C8qxo2dfXy4UHPUjIeXx76vbwuawqzWj1BBDYDZO3aMI39S9nWzoUQQw==

When I try to run a pulumi up, I get the following error:

╰─ pulumi up
Previewing update (dev)

View Live: https://app.pulumi.com/starschema/test-pulumi-config/dev/previews/e209230c-d2c4-4b3a-b4f3-e9d1aecf6579

     Type                 Name                    Plan       Info
 +   pulumi:pulumi:Stack  test-pulumi-config-dev  create     1 error

Diagnostics:
  pulumi:pulumi:Stack (test-pulumi-config-dev):
    error: an unhandled error occurred: 1 error occurred:
        * <nil>: 1 error occurred:
        * unexpected configuration type 'map[string]interface {}': valid types are string, List<string>, number, List<number>, integer, List<integer>, boolean, List<number>

    ;

Steps to reproduce

  1. Create new project
  2. Set secret value: pulumi config set --path 'my.test.password' secretpassword123 --secret
  3. Run pulumi up
  4. Observe error.

Expected Behavior

pulumi up would run without error.

Actual Behavior

Got error on pulumi up

Output of pulumi about

CLI
Version      3.52.1
Go Version   go1.19.5
Go Compiler  gc

Plugins
NAME  VERSION
yaml  unknown

Host
OS       darwin
Version  13.0
Arch     arm64

This project is written in yaml

Current Stack: starschema/test-pulumi-config/dev

Found no resources associated with dev

Found no pending operations associated with dev

Backend
Name           pulumi.com
URL            https://app.pulumi.com/ifodor
User           ifodor
Organizations  ifodor, starschema

No dependencies found

Pulumi locates its logs in /var/folders/0k/5cb46pm90dv17f7675zv7xlm0000gn/T/ by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

Frassle commented 1 year ago

This is a current limitation of config with the yaml runtime. It doesn't support objects. I think the following config should work:

config:
  test-pulumi-config:my:
    password:
      secure: AAABAMWO68C8qxo2dfXy4UHPUjIeXx76vbwuawqzWj1BBDYDZO3aMI39S9nWzoUQQw==

fuadsaud commented 1 year ago

I'm having the exact same symptom when running a YAML program with the aws:assumeRole.roleArn config. Is there a workaround for this one?

AaronFriel commented 1 year ago

I have a workaround for aws:assumeRole.roleArn, but not for the original issue. @istvan-fodor if you are able to break up your initial object into separate keys, that will work for now.

For @fuadsaud using roleArn we have a workaround. In your Pulumi.yaml declare a config entry and resources entry like so:

config:
  awsRoleArn:
    type: string
    secret: true
resources:
  awsProvider:
    type: pulumi:providers:aws
    properties:
      assumeRole:
        roleArn: ${awsRoleArn}
    defaultProvider: true
    # options:
    #   # if you would like to pin to an AWS version
    #   version:

Then run:

pulumi config set --secret awsRoleArn foobar

The default provider will then be used for all resources in your program. The default provider configured in this way only takes configuration via environment variable (AWS_... env vars) and explicit config, so if you have any config in your Pulumi.stack.yaml like so:

# In the stack config file
config:
  aws:foo: "bar"

You will want to pass them into the explicit provider like so:

resources:
  awsProvider:
    type: pulumi:providers:aws
    properties:
      foo: ${aws:foo}

AaronFriel commented 1 year ago

A partial fix for Pulumi YAML unblocking a workaround for @istvan-fodor has been posted here:

Sorry that this isn't an ideal solution @istvan-fodor, definitely something we need to improve upon.
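
Added example (not part of the thread and not Pulumi's own code): a pre-flight check that walks the `config:` mapping of a stack file and lists every nested leaf that would have to become its own top-level key, marking which leaves are secrets so they are re-set with `--secret` and stay encrypted. It assumes the mapping has already been parsed into Python dicts (for example by a YAML loader), models the supported types on the error message quoted above, and uses constructed sample values with placeholder ciphertext.

```python
"""Pre-flight check for Pulumi YAML stack config (added example)."""

SCALARS = (str, int, float, bool)

def is_secret(value):
    # An encrypted value is stored as a one-key mapping: {"secure": "<ciphertext>"}.
    return (isinstance(value, dict) and set(value) == {"secure"}
            and isinstance(value["secure"], str))

def is_supported(value):
    # Assumption: scalars, secret scalars and lists of scalars are accepted,
    # mirroring the "valid types" in the error message; other maps are not.
    if is_secret(value) or isinstance(value, SCALARS):
        return True
    return isinstance(value, list) and all(isinstance(v, SCALARS) for v in value)

def leaves(value, path):
    """Yield (path, is_secret) for each leaf below a nested object."""
    if isinstance(value, dict) and not is_secret(value):
        for name, child in value.items():
            yield from leaves(child, path + [name])
    else:
        yield path, is_secret(value)

def check_config(config):
    """Return one finding per leaf that must be split into its own key."""
    findings = []
    for key, value in config.items():
        if is_supported(value):
            continue
        for path, secret in leaves(value, []):
            findings.append({"key": key, "path": ".".join(path), "secret": secret})
    return findings

# Constructed sample: the shapes produced by `pulumi config set --path ...`.
SAMPLE = {
    "test-pulumi-config:my": {
        "test": {"password": {"secure": "CIPHERTEXT-PLACEHOLDER"}, "user": "admin"}},
    "test-pulumi-config:awsRoleArn": {"secure": "CIPHERTEXT-PLACEHOLDER"},
    "aws:region": "us-east-1",
    "aws:assumeRole": {"roleArn": "ROLE-ARN-PLACEHOLDER"},
}

if __name__ == "__main__":
    for f in check_config(SAMPLE):
        how = "re-set with --secret" if f["secret"] else "plain value"
        print(f"{f['key']} -> {f['path']}: split into its own key ({how})")
```

The ciphertext itself is never printed, so the report can be pasted into a ticket or CI log.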