Allow pulumi stack export to decrypt secrets #4046

Merged
merged 1 commit into from
May 11, 2020

stack72
Contributor

@stack72 stack72 commented Mar 9, 2020

Fixes: #2918

This allows us to run the command `pulumi stack export --show-secrets`.
It will also introduce the changes that allow the import to handle
the case when plain text is included in the import file.

@stack72 stack72 requested a review from pgavlin March 9, 2020 21:59
@stack72
Contributor Author

stack72 commented Mar 9, 2020

@lukehoban / @pgavlin would love eyes on this when you get some time please

@stack72 stack72 self-assigned this Mar 9, 2020
@stack72 stack72 requested a review from lukehoban March 9, 2020 22:40
Member

@lukehoban lukehoban left a comment

A few notes. But would definitely be great for @pgavlin to take a look too.

Member

@pgavlin pgavlin left a comment

Just a few things offhand--I'll take a more detailed look later today.

@stack72 stack72 force-pushed the stack-export-secrets branch 6 times, most recently from d252414 to bd9c148 Compare March 23, 2020 15:00
@NinoFloris

We're running into this; the workaround to migrate a stack (we're going from the default secret provider to KMS) is very tedious without this. Any update?

@stack72
Contributor Author

stack72 commented Apr 19, 2020

Hi @NinoFloris

We paused this to concentrate on the 2.0 work so I will get back to this shortly

Paul

@stack72 stack72 changed the title Allow pulumi stack export to decrypt secrets [WIP] Allow pulumi stack export to decrypt secrets Apr 21, 2020
@stack72
Contributor Author

stack72 commented May 5, 2020

This allows us to export and import secrets

~/code/secrets
▶ pulumi stack export --show-secrets > test.json

~/code/secrets
▶ pulumi stack import --file test.json
Import successful.

~/code/secrets
▶ pulumi stack export > test.json

~/code/secrets
▶ pulumi stack import --file test.json
Import successful.

I can see the secrets in the output as well:

▶ cat test.json
{
    "version": 3,
    "deployment": {
        "manifest": {
            "time": "2020-05-05T22:31:33.276569+01:00",
            "magic": "7c37e5b973ae9a0866c7b0097ad75696c2881d030dcc17834b2ef914fe3ecba0",
            "version": "v2.2.0-alpha.1588707575+g7b446d6c.dirty"
        },
        "secrets_providers": {
            "type": "service",
            "state": {
                "url": "https://api.pulumi.com",
                "owner": "stack72",
                "project": "secrets",
                "stack": "dev"
            }
        },
        "resources": [
            {
                "urn": "urn:pulumi:dev::secrets::pulumi:pulumi:Stack::secrets-dev",
                "custom": false,
                "type": "pulumi:pulumi:Stack",
                "outputs": {
                    "secret": {
                        "4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb44270",
                        "ciphertext": "AAABADjwqpv+jPnI8iB7ctNgF9tLe6cjry9KKIg8YNblA1JFiVIPzfcrmCsVhfXJ7hq+o73m9A=="
                    }
                }
            },
            {
                "urn": "urn:pulumi:dev::secrets::pulumi:providers:random::default_2_1_0",
                "custom": true,
                "id": "e4810fc7-d485-4cda-b62c-95e767296cdd",
                "type": "pulumi:providers:random",
                "inputs": {
                    "version": "2.1.0"
                },
                "outputs": {
                    "version": "2.1.0"
                }
            },
            {
                "urn": "urn:pulumi:dev::secrets::random:index/randomString:RandomString::my-string",
                "custom": true,
                "id": "O[tUh1E-TF\u003eW+P=t",
                "type": "random:index/randomString:RandomString",
                "inputs": {
                    "__defaults": [
                        "lower",
                        "minLower",
                        "minNumeric",
                        "minSpecial",
                        "minUpper",
                        "number",
                        "upper"
                    ],
                    "length": 16,
                    "lower": true,
                    "minLower": 0,
                    "minNumeric": 0,
                    "minSpecial": 0,
                    "minUpper": 0,
                    "number": true,
                    "special": true,
                    "upper": true
                },
                "outputs": {
                    "__meta": "{\"schema_version\":\"1\"}",
                    "id": "O[tUh1E-TF\u003eW+P=t",
                    "length": 16,
                    "lower": true,
                    "minLower": 0,
                    "minNumeric": 0,
                    "minSpecial": 0,
                    "minUpper": 0,
                    "number": true,
                    "result": {
                        "4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb44270",
                        "ciphertext": "AAABADDSJYg7UC9JUNdQ3HdO+AXjxd2IlLN49Wd7qfXwea1T73F/DjsgndGoz5O6876LR0uN3Q=="
                    },
                    "special": true,
                    "upper": true
                },
                "parent": "urn:pulumi:dev::secrets::pulumi:pulumi:Stack::secrets-dev",
                "provider": "urn:pulumi:dev::secrets::pulumi:providers:random::default_2_1_0::e4810fc7-d485-4cda-b62c-95e767296cdd",
                "propertyDependencies": {
                    "length": null,
                    "special": null
                },
                "additionalSecretOutputs": [
                    "result"
                ]
            }
        ]
    }
}
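
A check a team could run on an exported stack file before sharing or committing it, added here as an example and not part of this PR or of Pulumi's own code: it walks the JSON, finds objects carrying the secret marker key shown in the export above, and reports any that are not stored as `ciphertext`. The `plaintext` key name for decrypted values, the function names and the sample document are assumptions.

```python
import json

# Marker key/value tagging a secret object, copied from the export above.
SECRET_SIG_KEY = "4dabf18193072939515e22adb298388d"
SECRET_SIG_VALUE = "1b47061264138c4ac30d75fd1eb44270"


def find_secrets(node, path="$"):
    """Yield (json_path, state) for each secret-tagged object under node."""
    if isinstance(node, dict):
        if node.get(SECRET_SIG_KEY) == SECRET_SIG_VALUE:
            # "plaintext" is the assumed key for a decrypted value.
            if "plaintext" in node:
                yield path, "plaintext"
            elif "ciphertext" in node:
                yield path, "ciphertext"
            else:
                yield path, "unknown"
            return
        for key, value in node.items():
            yield from find_secrets(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_secrets(value, f"{path}[{i}]")


def plaintext_paths(export_text):
    """Return JSON paths of secrets that are not stored as ciphertext."""
    doc = json.loads(export_text)
    return [p for p, state in find_secrets(doc) if state != "ciphertext"]


# Constructed sample: one encrypted secret, one decrypted (values are made up).
SAMPLE = json.dumps({
    "version": 3,
    "deployment": {"resources": [
        {"outputs": {"secret": {SECRET_SIG_KEY: SECRET_SIG_VALUE,
                                "ciphertext": "AAAB-constructed"}}},
        {"outputs": {"result": {SECRET_SIG_KEY: SECRET_SIG_VALUE,
                                "plaintext": "\"constructed-value\""}}},
    ]},
})

if __name__ == "__main__":
    for p in plaintext_paths(SAMPLE):
        print("decrypted secret at", p)
```

A non-empty result means the file holds at least one secret outside its encrypted form and should be handled like the secret itself.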

@stack72 stack72 requested a review from pgavlin May 5, 2020 22:12
@stack72 stack72 changed the title [WIP] Allow pulumi stack export to decrypt secrets Allow pulumi stack export to decrypt secrets May 5, 2020
@stack72 stack72 force-pushed the stack-export-secrets branch 2 times, most recently from 97df22b to dc6f373 Compare May 5, 2020 23:01
Member

@lukehoban lukehoban left a comment

LGTM

BTW - also confirmed that this works 😄:

$ pulumi stack init fromstack
$ pulumi config set aws:region us-west-2
$ pulumi up --skip-preview
$ pulumi stack init tostack
$ cp Pulumi.fromstack.yaml Pulumi.tostack.yaml
$ pulumi stack export --show-secrets -s fromstack | sed 's/fromstack/tostack/g' | pulumi stack import -s tostack
$ pulumi preview -s tostack
Previewing update (tostack):
     Type                 Name            Plan     
     pulumi:pulumi:Stack  node14-tostack           
 
Resources:
    2 unchanged

@stack72 stack72 merged commit 48f906e into master May 11, 2020
@stack72 stack72 deleted the stack-export-secrets branch May 11, 2020 18:16

Successfully merging this pull request may close these issues.

Allow pulumi stack export to get an unencrypted statefile
4 participants