[sdk/nodejs] Warn when a secret config is read as a non-secret #6896
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For example, if I have a config secret set with
pulumi config set foo --secret bar
, the following program:... results in:
This is the Node.js change. Once we're happy with this, I'll follow-up with support in the other languages.
Part of #3139
Implementation Notes:
For Pulumi programs, the engine passes the config to the language host over gRPC and then the language host passes the config to the Pulumi program as a serialized JSON object in the
PULUMI_CONFIG
environment variable. This change passes a list of secret config keys over gRPC and a newPULUMI_CONFIG_SECRET_KEYS
environment variable containing a JSON serialized array of strings representing the config keys that contain secret values.When reading a config as a non-secret, if the key is within the set of secret keys, a warning is logged.