feat(pulumi): add spec.showSecretsInOutput config to Pulumi deploy …

…action (#6555)

* fix(pulumi): show secrets in pulumi stack output

* feat(pulumi): Add `spec.showSecretsInOutput` config to Pulumi deploy action

* chore: regenerate docs

docs/reference/action-types/Deploy/pulumi.md

@@ -441,6 +441,19 @@ The name of the pulumi stack to use. Defaults to the current environment name.
 | -------- | -------- |
 | `string` | No       |
 
+### `spec.showSecretsInOutput`
+
+[spec](#spec) > showSecretsInOutput
+
+When set to true, stack outputs which are marked as secrets will be shown in the output.
+
+By default, Pulumi will print secret stack outputs as the string '[secret]' instead of
+the true content of the output.
+
+| Type      | Default | Required |
+| --------- | ------- | -------- |
+| `boolean` | `false` | No       |
+
 
 ## Outputs
 

docs/reference/module-types/pulumi.md

@@ -255,6 +255,12 @@ deployFromPreview: false
 
 # The name of the pulumi stack to use. Defaults to the current environment name.
 stack:
+
+# When set to true, stack outputs which are marked as secrets will be shown in the output.
+#
+# By default, Pulumi will print secret stack outputs as the string '[secret]' instead of
+# the true content of the output.
+showSecretsInOutput: false
 ```
 
 ## Configuration Keys
@@ -707,6 +713,17 @@ The name of the pulumi stack to use. Defaults to the current environment name.
 | -------- | -------- |
 | `string` | No       |
 
+### `showSecretsInOutput`
+
+When set to true, stack outputs which are marked as secrets will be shown in the output.
+
+By default, Pulumi will print secret stack outputs as the string '[secret]' instead of
+the true content of the output.
+
+| Type      | Default | Required |
+| --------- | ------- | -------- |
+| `boolean` | `false` | No       |
+
 
 ## Outputs
 

plugins/pulumi/src/action.ts

@@ -23,6 +23,7 @@ export interface PulumiDeploySpec {
   deployFromPreview: boolean
   root: string
   stack?: string
+  showSecretsInOutput: boolean
 }
 
 export type PulumiDeployConfig = DeployActionConfig<"pulumi", PulumiDeploySpec>
@@ -129,6 +130,17 @@ export const pulumiDeploySchemaKeys = () => ({
     .string()
     .allow(null)
     .description("The name of the pulumi stack to use. Defaults to the current environment name."),
+  showSecretsInOutput: joi
+    .boolean()
+    .default(false)
+    .description(
+      dedent`
+      When set to true, stack outputs which are marked as secrets will be shown in the output.
+
+      By default, Pulumi will print secret stack outputs as the string '[secret]' instead of
+      the true content of the output.
+      `
+    ),
 })
 
 export const pulumiDeploySchema = createSchema({

plugins/pulumi/src/helpers.ts

@@ -151,9 +151,13 @@ export async function previewStack(
 }
 
 export async function getStackOutputs({ log, ctx, provider, action }: PulumiParams): Promise<any> {
+  const args = ["stack", "output", "--json"]
+  if (action.getSpec("showSecretsInOutput")) {
+    args.push("--show-secrets")
+  }
   const res = await pulumi(ctx, provider).json({
     log,
-    args: ["stack", "output", "--json"],
+    args,
     env: ensureEnv({ log, ctx, provider, action }),
     cwd: getActionStackRoot(action),
   })

plugins/pulumi/src/index.ts

@@ -124,6 +124,7 @@ export const gardenPlugin = () =>
                 cacheStatus: module.spec.cacheStatus || false,
                 stackReferences: module.spec.stackReferences || [],
                 deployFromPreview: module.spec.deployFromPreview || false,
+                showSecretsInOutput: module.spec.showSecretsInOutput || false,
                 root: module.spec.root || ".",
                 ...omit(module.spec, ["build", "dependencies"]),
               },