Closed guineveresaenger closed 10 months ago
Offhand, I don't know if YAML ever supported this. It would have to get the schema from the provider to determine if an output for a resource was marked as a secret in the schema.
There is shallow support in YAML for secrets and defaults on inputs, backed by schema, but I wasn't aware this was a feature of providers - outputs marked as secrets but not emitted as secret values.
I don't understand the issue though, maybe this belies my ignorance of another part of our SDKs though. It seems to me that the language host is on the wrong side of the language host <-> engine <-> provider RPC diagram to enforce this though.
If the provider returns a non-secret value that "should be" secret according to schema, how does the language host influence how the engine records the outputs in state?
Ah, I knew something was off. This looks like a regression, introduced here:
cc @dixler @justinvp
Edit - only during preview?
I think removing this:
And changing the behavior here will fix this:
I think the logic here is off, and I've only myself to blame - if the propertymap is missing a key rather than having an unknown property, x.ContainsUnknowns() will return false. Maybe the simplest fix is to have x.ContainsUnknowns() return true during previews?
That, or even more generally, property access should warn instead of error during preview and return unknowns on any evaluation error, letting the type checker catch invalid expressions. (edited)
There is shallow support in YAML for secrets and defaults on inputs, backed by schema, but I wasn't aware this was a feature of providers - outputs marked as secrets but not emitted as secret values.
I don't understand the issue though, maybe this belies my ignorance of another part of our SDKs though. It seems to me that the language host is on the wrong side of the language host <-> engine <-> provider RPC diagram to enforce this though.
If the provider returns a non-secret value that "should be" secret according to schema, how does the language host influence how the engine records the outputs in state?
The generated SDK makes the RegisterResource
call with an augmented additionalSecretOutputs
value to reflect schema secrets:
YAML should do the same at runtime, but it seems like we are not doing so.
I don't think this is a regression actually. I just gave this a try with pulumi-yaml
v1.1.0, which did not include https://github.com/pulumi/pulumi-yaml/commit/41c6b655e15da2f391d65aeca6b390703b34e274#diff-228d45f9d585e3feb8e035e1d905d4321203f645dd1a8be21da364c5699ad671R1576-R1599, and the same issue exists:
$ pulumi preview
Previewing update (dev)
View in Browser (Ctrl+O): https://app.pulumi.com/v-thomas-pulumi-corp/dev/dev/previews/904132e9-207f-4ffa-90c0-3a9bc4b600c5
Type Name Plan Info
+ pulumi:pulumi:Stack dev-dev create 1 warning
+ ├─ pulumi:providers:gcp gcp-provider create
+ └─ gcp:storage:Bucket my-bucket create
Diagnostics:
pulumi:pulumi:Stack (dev-dev):
warning: using pulumi-resource-gcp from $PATH at /home/tgummerer/work/pulumi-gcp/main/bin/pulumi-resource-gcp
Outputs:
bucketName : output<string>
pulumiAllLabels : {
bad : "things"
good : "morning"
hello: "goodbye"
new : "defaultlabel"
}
resourceSetLabels: {
bad : "things"
good: "morning"
}
Resources:
+ 3 to create
Of course this is an issue that should still be fixed.
I believe https://github.com/pulumi/pulumi-yaml/pull/526 will fix this. I'm still looking into a test for that, and then it should be ready.
One doubt though, it looks like labels
does not seem to be marked as secret by pulumi-gcp, only pulumiLabels
is (and so is effectiveLabels
). I tried in Go as well, and also go the same result, and looking around pulumi/pulumi-gcp
that also seems to be the case. Am I missing something here?
What happened?
During the upgrade to pulumi-gcp to v7.0.0, we schematized a few new Outputs as Secret.
When running
pulumi up
on a YAML program, these Secrets were written to Outputs in plaintext.This does not occur with the equivalent program in Typescript, or Go (which I verified.)
Example
Output of
pulumi preview
Output of
pulumi about
Additional context
No response
Contributing
Vote on this issue by adding a đź‘Ť reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).