Fix for __inputs secrets #2300 #2301
checkpointObject checks for secrets in the input, but in this case the input is of Kind=="Secret" but ContainsSecret() is false. I'm not quite sure yet that this is the best fix but it works in my local repro.
Does the PR have any schema changes? Looking good! No breaking changes found.
provider/pkg/provider/provider.go
Outdated
@@ -2955,6 +2955,11 @@ func checkpointObject(inputs, live *unstructured.Unstructured, fromInputs resour | |||
} | |||
} | |||
|
|||
inputsCopy := resource.NewObjectProperty(inputsPM) |
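Review bot: at the inputsCopy := resource.NewObjectProperty(inputsPM) line, the name reads as a copy, but NewObjectProperty only wraps the same inputsPM map, so a later change to the secret markers made through either handle is visible through the other. In a function that decides what is written to the checkpoint, that aliasing should be explicit: either rename the variable (for example inputsValue) or add a one-line comment stating that sharing the map with inputsPM is intended.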
Rather than changing this logic, I think it may be better to change the behavior of the annotateSecrets method to handle the case where the input map is empty. That way we don't split the secret handling logic.
The logic block above may need to be adapted as well. The intent is that the data and stringData fields are always encrypted in the following places:
- The property fields on the resource
- The pulumi.com/lastAppliedConfiguration annotation on the resource. This is a string, so the entire value would be encrypted for Secret resources.
- The __inputs map that appears in the checkpoint
Hey @lblackstone I'm realizing your comment isn't quite enough for me to make changes.
The empty input map is only one issue. Another is that ContainsSecret() is false here, so that would require further changes to annotateSecrets. We need to check GetKind() but annotateSecrets works with property maps that don't even have this method.
As for data and stringdata, I don't see what needs to be changed there.
Synced offline - latest revision should reflect all the input. Thank you!
One last comment, and then LGTM
checkpointObject checks for secrets in the input, but in this case the input is of Kind "Secret" but ContainsSecret() is false. annotateSecrets(inputsPM, fromInputs) wouldn't do anything in any case because in this Read() call, fromInputs is empty.
I'm not quite sure yet that this is the best fix but it works in my local repro (described in the linked issue).
Fixes #2300
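
The invariant stated in the review thread (data and stringData of a Secret must be encrypted inside the __inputs map of the checkpoint) can be checked against an exported state file. The following is an added example, not code from this PR or from the provider: it assumes the export keeps resources under deployment.resources with __inputs inside outputs, and that a secret value is an object carrying Pulumi's signature key/value pair; auditState, the type names and the sample document are constructed for illustration.

```go
package main

import "encoding/json"
import "fmt"

// Assumed marker that Pulumi's serialized state puts on a secret value.
const sigKey, secretSig = "4dabf18193072939515e22adb298388d", "1b47061264138c4ac30d75fd1eb44270"

// export mirrors only the parts of the assumed state layout that the audit reads.
type export struct {
	Deployment struct {
		Resources []struct {
			URN     string         `json:"urn"`
			Outputs map[string]any `json:"outputs"`
		} `json:"resources"`
	} `json:"deployment"`
}

// isSecret reports whether v is an object carrying the secret marker.
func isSecret(v any) bool {
	m, ok := v.(map[string]any)
	return ok && m[sigKey] == secretSig
}

// auditState maps each Secret's URN to the __inputs fields stored without the secret marker.
func auditState(raw []byte) (map[string][]string, error) {
	var st export
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, err
	}
	findings := map[string][]string{}
	for _, r := range st.Deployment.Resources {
		in, ok := r.Outputs["__inputs"].(map[string]any)
		if !ok || isSecret(in) || in["kind"] != "Secret" {
			continue // no inputs map, whole map already secret, or not a Secret
		}
		for _, f := range []string{"data", "stringData"} {
			if v, present := in[f]; present && !isSecret(v) {
				findings[r.URN] = append(findings[r.URN], f)
			}
		}
	}
	return findings, nil
}

// Constructed sample export: "bad" keeps __inputs.data in plaintext, "good" wraps it.
const sample = `{"deployment":{"resources":[
{"urn":"urn:constructed:bad","outputs":{"__inputs":{"kind":"Secret","data":{"password":"cGxhY2Vob2xkZXI="}}}},
{"urn":"urn:constructed:good","outputs":{"__inputs":{"kind":"Secret","data":{"4dabf18193072939515e22adb298388d":"1b47061264138c4ac30d75fd1eb44270"}}}}]}}`

func main() { fmt.Println(auditState([]byte(sample))) }
```

A non-empty result lists the Secret resources whose checkpointed inputs would be readable by anyone with access to the state backend.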