Speculative fix for __inputs secrets #2300

checkpointObject checks for secrets in the input, but in this case the input is of Kind=="Secret" but ContainsSecret() is false. I'm not quite sure yet that this is the best fix but it works in my local repro.
pulumi · Feb 3, 2023 · 92fe8f6 · 92fe8f6
1 parent 203d95e
commit 92fe8f6
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/provider/pkg/provider/provider.go b/provider/pkg/provider/provider.go
@@ -2955,6 +2955,11 @@ func checkpointObject(inputs, live *unstructured.Unstructured, fromInputs resour
 		}
 	}
 
+	inputsCopy := resource.NewObjectProperty(inputsPM)
+	if inputs.GetKind() == "Secret" && !inputsPM.ContainsSecrets() {
+		inputsCopy = resource.MakeSecret(inputsCopy)
+	}
+
 	// Ensure that the annotation we add for lastAppliedConfig is treated as a secret if any of the inputs were secret
 	// (the value of this annotation is a string-ified JSON so marking the entire thing as a secret is really the best
 	// that we can do).
@@ -2970,7 +2975,7 @@ func checkpointObject(inputs, live *unstructured.Unstructured, fromInputs resour
 		}
 	}
 
-	object["__inputs"] = resource.NewObjectProperty(inputsPM)
+	object["__inputs"] = inputsCopy
 	object[initialAPIVersionKey] = resource.NewStringProperty(initialAPIVersion)
 	object[fieldManagerKey] = resource.NewStringProperty(fieldManager)