Change reading passphrase from stdin to be explicit #14698

Open
wants to merge 1 commit into
base: master

@same-id (Contributor) commented Nov 29, 2023

Require users to pass `--stdin` to:

  `pulumi stack change-secrets-provider passphrase`

Allow passing passphrase through stdin non-interactively also when existing passphrase is not being rotated.

Description

Fixes # (issue)

Checklist

  • I have run `make tidy` to update any new dependencies
  • I have run `make lint` to verify my code passes the lint check
    • I have formatted my code using `gofumpt`
  • I have added tests that prove my fix is effective or that my feature works
  • I have run `make changelog` and committed the `changelog/pending/<file>` documenting my change
  • Yes, there are changes in this PR that warrant bumping the Pulumi Cloud API version


PR is now waiting for a maintainer to take action.

Note for the maintainer: Commands available:

  • /run-acceptance-tests - used to test run the acceptance tests for the project
  • /run-codegen - used to test the Pull Request against downstream codegen
  • /run-docs-gen - used to test the Pull Request against documentation generation

@pulumi-bot (Contributor)

Changelog

[uncommitted] (2023-11-29)

Features

  • [cli/config] Change reading passphrase from stdin to be explicit

@same-id (Contributor, Author) commented Nov 30, 2023

I can also block empty passwords through `--stdin` in this same PR.

Already now, you cannot set an empty password using environment variables.
So there is no reason for us to keep supporting password rotation to an empty password.

However, `--stdin` still has to be explicit because right now pulumi's behavior is not consistent.

For example, look at the following code:

```bash
pulumi stack init stax --secrets-provider gcpkms://...
export PULUMI_CONFIG_PASSPHRASE=foo
echo bar | pulumi stack change-secrets-provider passphrase
```

What will be the passphrase? foo or bar?
Depends on whether pulumi decides rotate is false or true respectively.

However in:

```bash
pulumi stack init stax --secrets-provider gcpkms://...
export PULUMI_CONFIG_PASSPHRASE=foo
echo bar | pulumi stack change-secrets-provider passphrase --stdin
```

It has to be bar or failure.
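
The behaviour the comment above argues for, as an added Go sketch that is not code from this PR or from Pulumi: the `--stdin` flag alone selects the passphrase source, with no fallback in either direction and no empty passphrase accepted. `resolveNewPassphrase` and its parameters are hypothetical names, and `envValue` stands in for the value of `PULUMI_CONFIG_PASSPHRASE`.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
)

// resolveNewPassphrase is a hypothetical helper (not Pulumi's code) that takes
// the new passphrase from exactly one source, selected by the caller's flag.
func resolveNewPassphrase(useStdin bool, stdin io.Reader, envValue string) (string, error) {
	if !useStdin {
		// Without --stdin, piped input is never consulted.
		if envValue == "" {
			return "", errors.New("no passphrase: set the environment variable or pass --stdin")
		}
		return envValue, nil
	}
	// With --stdin, the environment value is never used as a fallback.
	line, err := bufio.NewReader(stdin).ReadString('\n')
	if err != nil && !errors.Is(err, io.EOF) {
		return "", fmt.Errorf("reading passphrase from stdin: %w", err)
	}
	pass := strings.TrimRight(line, "\r\n")
	if pass == "" {
		return "", errors.New("empty passphrase on stdin")
	}
	return pass, nil
}

func main() {
	// Constructed inputs mirroring the two command sequences in the comment.
	for _, useStdin := range []bool{false, true} {
		pass, err := resolveNewPassphrase(useStdin, strings.NewReader("bar\n"), "foo")
		fmt.Printf("--stdin=%v -> %q, err=%v\n", useStdin, pass, err)
	}
	// Explicit --stdin with nothing piped in fails instead of falling back to "foo".
	_, err := resolveNewPassphrase(true, strings.NewReader(""), "foo")
	fmt.Println("empty stdin with --stdin:", err)
}
```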
