
[sdk/nodejs] Warn when a secret config is read as a non-secret #6896

Merged (1 commit), May 18, 2021

Conversation

@justinvp (Member) commented Apr 27, 2021

For example, if I have a config secret set with pulumi config set foo --secret bar, the following program:

import * as pulumi from "@pulumi/pulumi";

const config = new pulumi.Config();
const foo = config.require("foo"); // plain (non-secret) read of a key that was set with --secret

... results in:

$ pulumi up
Previewing update (dev)

View Live: https://app.pulumi.com/<...>

     Type                 Name               Plan       Info
 +   pulumi:pulumi:Stack  configsecrets-dev  create     1 warning
 
Diagnostics:
  pulumi:pulumi:Stack (configsecrets-dev):
    warning: Configuration 'configsecrets:foo' value is a secret; use `requireSecret` instead of `require`

This is the Node.js change. Once we're happy with this, I'll follow up with support in the other languages.

Part of #3139


Implementation Notes:

  • For Pulumi programs, the engine passes the config to the language host over gRPC and then the language host passes the config to the Pulumi program as a serialized JSON object in the PULUMI_CONFIG environment variable. This change passes a list of secret config keys over gRPC and a new PULUMI_CONFIG_SECRET_KEYS environment variable containing a JSON serialized array of strings representing the config keys that contain secret values.

  • When reading a config as a non-secret, if the key is within the set of secret keys, a warning is logged.

@justinvp justinvp force-pushed the justin/configwarn branch 2 times, most recently from 8375375 to f0bfc94 Compare May 11, 2021 14:55
@justinvp justinvp changed the title [WIP] Warn when a secret config is read as a non-secret [sdk/nodejs] Warn when a secret config is read as a non-secret May 11, 2021
@justinvp justinvp marked this pull request as ready for review May 11, 2021 14:55
@EvanBoyle (Contributor) left a comment


Will try to take a deeper look today; at a glance it seems to make sense. One question: does this work for structured config? My understanding is that portions of a config value (certain key paths) can be marked as secret. Does that information come back from the engine in configSecretKeys?

@justinvp (Member, Author)

One question: does this work for structured config?

Yes. A nested secret means the entire object should be treated as a secret.

@EvanBoyle (Contributor)

I don't think that is completely true. A secret taints the entire object, but not non-secret leaf nodes within the object.

$ pulumi config set --path foo.bar abc --secret
$ pulumi config set --path foo.buzz def
$ pulumi config get foo --json
{
  "value": "{\"bar\":\"abc\",\"buzz\":\"def\"}",
  "objectValue": {
    "bar": "abc",
    "buzz": "def"
  },
  "secret": true
}
$ pulumi config get --path foo.bar --json
{
  "value": "abc",
  "secret": true
}
$ pulumi config get --path foo.buzz --json
{
  "value": "def",
  "secret": false
}

@justinvp (Member, Author)

A secret taints the entire object, but not non-secret leaf nodes within the object.

Correct. But you can't access individual leaf nodes in a Pulumi program other than accessing the whole object.
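The two mechanisms discussed in this thread, the PULUMI_CONFIG / PULUMI_CONFIG_SECRET_KEYS contract from the implementation notes and the "a nested secret taints the whole key" point from the structured-config exchange, modelled in one stand-alone program. This is an added example, not the Pulumi SDK's code: `loadConfig`, `Config`, `Secret` and `runDemo` are stand-ins written for this page, and the sample environment is constructed (it assumes structured values arrive as JSON strings, as `pulumi config get foo --json` shows above, and that secret keys are listed in the `project:key` form).

```typescript
// Added example (not the Pulumi SDK's own code): a small model of the language
// host -> program contract described in the PR, plus the warning check.
// Assumptions: config reaches the program as PULUMI_CONFIG (JSON object of
// "project:key" -> string, structured values stored as JSON strings) and
// PULUMI_CONFIG_SECRET_KEYS (JSON array of the keys holding secret values).

type Env = { [name: string]: string | undefined };

interface ConfigStore {
  values: { [fullKey: string]: string };
  secretKeys: string[];
}

// Decode the two environment variables. A missing variable means an empty
// config; a malformed secret-key list is an error, because silently dropping
// it would disable the warning.
function loadConfig(env: Env): ConfigStore {
  const store: ConfigStore = { values: {}, secretKeys: [] };
  const rawConfig = env["PULUMI_CONFIG"];
  if (rawConfig) {
    const parsed = JSON.parse(rawConfig);
    for (const k of Object.keys(parsed)) {
      store.values[k] = String(parsed[k]);
    }
  }
  const rawSecretKeys = env["PULUMI_CONFIG_SECRET_KEYS"];
  if (rawSecretKeys) {
    const keys = JSON.parse(rawSecretKeys);
    if (!Array.isArray(keys)) {
      throw new Error("PULUMI_CONFIG_SECRET_KEYS must be a JSON array of strings");
    }
    store.secretKeys = keys.map(String);
  }
  return store;
}

// Stand-in for a secret pulumi.Output<T>: the value is only reachable through
// apply(), so it cannot be concatenated into a log line by accident.
class Secret<T> {
  constructor(private readonly value: T) {}
  apply<U>(f: (v: T) => U): U {
    return f(this.value);
  }
}

class Config {
  // Warnings are collected here instead of being sent to the engine's log.
  readonly warnings: string[] = [];

  constructor(private readonly store: ConfigStore, private readonly project: string) {}

  private fullKey(key: string): string {
    return key.indexOf(":") >= 0 ? key : this.project + ":" + key;
  }

  private lookup(key: string): string {
    const k = this.fullKey(key);
    const v = this.store.values[k];
    if (v === undefined) {
      throw new Error("Missing required configuration variable '" + k + "'");
    }
    return v;
  }

  // Non-secret accessor: still returns the value, but records the warning
  // when the key is in the secret set.
  require(key: string): string {
    const k = this.fullKey(key);
    const v = this.lookup(key);
    if (this.store.secretKeys.indexOf(k) >= 0) {
      this.warnings.push(
        "Configuration '" + k + "' value is a secret; use `requireSecret` instead of `require`");
    }
    return v;
  }

  requireSecret(key: string): Secret<string> {
    return new Secret(this.lookup(key));
  }

  // Structured config is read as one JSON string, so a secret on any leaf
  // taints the whole key and requireObject() warns as well.
  requireObject<T>(key: string): T {
    return JSON.parse(this.require(key)) as T;
  }

  requireSecretObject<T>(key: string): Secret<T> {
    return new Secret(JSON.parse(this.lookup(key)) as T);
  }
}

// Constructed sample environment: `foo` set with --secret, `nested` with one
// secret leaf (like foo.bar in the thread) and one plain leaf, `plain` never secret.
const sampleEnv: Env = {
  PULUMI_CONFIG: JSON.stringify({
    "configsecrets:foo": "bar",
    "configsecrets:plain": "hello",
    "configsecrets:nested": JSON.stringify({ bar: "abc", buzz: "def" }),
  }),
  PULUMI_CONFIG_SECRET_KEYS: JSON.stringify(["configsecrets:foo", "configsecrets:nested"]),
};

interface DemoResult {
  warnings: string[];
  plain: string;
  nested: { bar: string; buzz: string };
  secretLength: number;
}

function runDemo(env: Env = sampleEnv): DemoResult {
  const config = new Config(loadConfig(env), "configsecrets");
  config.require("foo");                                                         // warns
  const plain = config.require("plain");                                         // no warning
  const nested = config.requireObject<{ bar: string; buzz: string }>("nested");  // warns
  const secret = config.requireSecret("foo");                                    // correct accessor
  config.requireSecretObject("nested");                                          // correct accessor
  return { warnings: config.warnings, plain, nested, secretLength: secret.apply(v => v.length) };
}

console.log(runDemo().warnings.join("\n"));
```

In a real program the `Env` argument would be `process.env`; it is a parameter here so the sample runs offline. Note that the plain read still returns the secret value: the check is a diagnostic aimed at the program author, not a guard, and `plain` and `nested.buzz` show that non-secret keys and non-secret leaves are unaffected except that the whole `nested` object is reported as secret.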

sdk/nodejs/runtime/config.ts (review thread, resolved)