Pulumi output with a single secret taints all other outputs when using Go SDK #9564
Comments
@calufornia Thank you for reporting this. I'm failing to understand the exact scenario... Your example is a bit short and has no secrets - what is actually a secret in your program? What are you
@mikhailshilkov Sure thing, here's a more full-fledged example below: Let's say I have a stack (call it
After initializing the stack:
You can see that there are two outputs, one that's a secret and one that isn't. Now let's say I have another stack that references the non-secret output in the
Now, when running
As you can see, Pulumi masks the
Which produces the expected non-masked
However, I feel that I shouldn't need to use
Thank you for the detailed response! Now I understand the problem - and agree this is sub-optimal.
I think this is pretty similar to the issue @AaronFriel was having with YAML. We use
If that's the case, we now have a finer grained "RawOutput" we can use. @Frassle I can take this on Monday.
What happened?
When using the Go SDK, if a stack has any secret in the output, and we reference any of the outputs (secret or not), Pulumi will treat that output as a secret. This is problematic since pulumi preview will mask the output even though it isn't secret and we'd like to see the change. Additionally, if the output is used in the context of something like a Kubernetes env var, this issue in conjunction with pulumi/pulumi-kubernetes#1576 causes the entire env var array to be labeled as secret.
I believe that there was a fix for this for the Node and Python SDKs in #2744, but no such fix was created for the Go SDK. In the meantime, I've just been wrapping all the outputs in pulumi.Unsecret - let me know if there's a better workaround here. If this is indeed an issue, I can also go ahead and start working on a fix.
Steps to reproduce
In my case, I created a Kubernetes deployment, which had the following:
where some-output is a non-secret output from another stack.
Then, after running pulumi preview, I see something like
Expected Behavior
Pulumi not to treat the output as a secret (and causing the env var to be considered a secret)
Actual Behavior
Pulumi considered the output to be a secret which caused the preview to show [secret] => [secret]
Versions used
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
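The behaviour reported above next to a per-output alternative, as a simplified Go model added here for illustration (not Pulumi SDK code and not from the issue's author). It assumes a lookup that applies over the whole outputs map inherits a single secret flag for that map; the Output type, All, GetCoarse, GetPerKey, Render and the sample values are all hypothetical.

```go
package main

import "fmt"

// Output is a hypothetical stand-in for an SDK output: a value plus a secret flag.
type Output struct{ val interface{}; secret bool }

// Apply transforms the value; the result inherits the input's secret flag.
func (o Output) Apply(f func(interface{}) interface{}) Output {
	return Output{f(o.val), o.secret}
}

// All joins a stack's exports into one map output; one secret member marks the whole map.
func All(exports map[string]Output) Output {
	joined := Output{val: exports}
	for _, e := range exports {
		joined.secret = joined.secret || e.secret
	}
	return joined
}

// GetCoarse looks a name up by applying over the whole map, so it inherits the map's flag.
func GetCoarse(exports map[string]Output, name string) Output {
	return All(exports).Apply(func(v interface{}) interface{} {
		return v.(map[string]Output)[name].val
	})
}

// GetPerKey consults only the flag recorded for that one name.
func GetPerKey(exports map[string]Output, name string) Output {
	return exports[name]
}

// Render mimics a preview line: secret values are masked.
func Render(o Output) string {
	if o.secret {
		return "[secret]"
	}
	return fmt.Sprint(o.val)
}

var sample = map[string]Output{ // constructed sample exports: one secret, one not
	"dbPassword": {"constructed-password", true},
	"region":     {"us-west-2", false},
}

func main() {
	fmt.Println(Render(GetCoarse(sample, "region")), Render(GetPerKey(sample, "region")))
}
```

In this model the per-name lookup unmasks only the non-secret output and still masks dbPassword, which is the property a blanket unsecret wrapper does not give you.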