Stack outputs show secrets parameters when parent is exported

[hexmoose]

Pulumi Devs,

Thanks for taking a look at this. I've noticed that attributes of resources that contain a secret value are not encrypted in the stack when the parent resource is exported. However, individual references to that attribute as an export are encrypted. In both examples, the output is correctly masked. My expectation is that the secret never shows up in plaintext in the stack export in either case. This is almost the inverse of this issue: #2756.

To reproduce, setup a new typescript project (using pulumi 0.17.18 and node 12.4.0):

pulumi new typescript --secrets-provider passphrase
npm install --save @pulumi/random

Create a secret:

pulumi config set --secret petPrefix 'super-pet'

Edit index.ts:

import * as pulumi from "@pulumi/pulumi";
import * as random from "@pulumi/random";

const config = new pulumi.Config("secrets-issue");
const secretPetPrefix = config.requireSecret("petPrefix");

// This exposes the `prefix` field in the stack.
export const mypet = new random.RandomPet("mypet", {
    prefix: secretPetPrefix,
});

// This correctly masks/encrypts the secret.
export const myPetPrefix = mypet.prefix;

Create the stack:

pulumi up

Previewing update (dev):

     Type                       Name               Plan
 +   pulumi:pulumi:Stack        secrets-issue-dev  create
 +   └─ random:index:RandomPet  mypet              create

Resources:
    + 2 to create

Do you want to perform this update? yes
Updating (dev):

     Type                       Name               Status
 +   pulumi:pulumi:Stack        secrets-issue-dev  created
 +   └─ random:index:RandomPet  mypet              created

Outputs:
    myPetPrefix: "[secret]"
    mypet      : {
        id       : "[secret]-fluent-seal"
        length   : 2
        prefix   : "[secret]"
        separator: "-"
        urn      : "urn:pulumi:dev::secrets-issue::random:index/randomPet:RandomPet::mypet"
    }

Resources:
    + 2 created

Duration: 1s

If you inspect the stack via pulumi stack export (or by looking at the local stack directly), the text "super-pet" exists in plaintext as an output of mypet but not of myPetPrefix. I would expect it to be ciphertext in all cases.

[...]
    "resources": [
        {
            "urn": "urn:pulumi:dev::secrets-issue::pulumi:pulumi:Stack::secrets-issue-dev",
            "custom": false,
            "type": "pulumi:pulumi:Stack",
            "outputs": {
                "myPetPrefix": {
                    "4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb44270",
                    "ciphertext": "v1:OT/3h49G1Ca046xD:ILG2P3u3pj52qXgRd4708qEMwWE8vgSV+EL5"
                },
                "mypet": {
                    "id": "super-pet-fluent-seal",
                    "length": 2,
                    "prefix": "super-pet",
                    "separator": "-",
                    "urn": "urn:pulumi:dev::secrets-issue::random:index/randomPet:RandomPet::mypet"
                }
            }
        },
 [...]

Thanks for taking a look at this issue! Let me know if I can provide any other information to assist with debugging.

[lukehoban]

This appears to just be related to exporting the entire resource (which we then JSON serialize). We should make sure that process respects secrets.

Note that #2717 may also impact this case, though I don’t think it’s the cause of this specific issue.