From 682e378968faaf0494b272dccc06b0090dbc9a58 Mon Sep 17 00:00:00 2001
From: Braedon Leonard <braedonleonard@gmail.com>
Date: Tue, 22 Oct 2024 04:42:18 -0400
Subject: [PATCH] feat(pulumi): add `spec.showSecretsInOutput` config to Pulumi
 deploy action (#6555)

* fix(pulumi): show secrets in pulumi stack output

* feat(pulumi): Add `spec.showSecretsInOutput` config to Pulumi deploy action

* chore: regenerate docs
---
 docs/reference/action-types/Deploy/pulumi.md | 13 +++++++++++++
 docs/reference/module-types/pulumi.md        | 17 +++++++++++++++++
 plugins/pulumi/src/action.ts                 | 12 ++++++++++++
 plugins/pulumi/src/helpers.ts                |  6 +++++-
 plugins/pulumi/src/index.ts                  |  1 +
 5 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/docs/reference/action-types/Deploy/pulumi.md b/docs/reference/action-types/Deploy/pulumi.md
index 96486460d1..04c0a37f13 100644
--- a/docs/reference/action-types/Deploy/pulumi.md
+++ b/docs/reference/action-types/Deploy/pulumi.md
@@ -441,6 +441,19 @@ The name of the pulumi stack to use. Defaults to the current environment name.
 | -------- | -------- |
 | `string` | No       |
 
+### `spec.showSecretsInOutput`
+
+[spec](#spec) > showSecretsInOutput
+
+When set to true, stack outputs which are marked as secrets will be shown in the output.
+
+By default, Pulumi will print secret stack outputs as the string '[secret]' instead of
+the true content of the output.
+
+| Type      | Default | Required |
+| --------- | ------- | -------- |
+| `boolean` | `false` | No       |
+
 
 ## Outputs
 
diff --git a/docs/reference/module-types/pulumi.md b/docs/reference/module-types/pulumi.md
index 00baa08d55..dfdb4425e1 100644
--- a/docs/reference/module-types/pulumi.md
+++ b/docs/reference/module-types/pulumi.md
@@ -255,6 +255,12 @@ deployFromPreview: false
 
 # The name of the pulumi stack to use. Defaults to the current environment name.
 stack:
+
+# When set to true, stack outputs which are marked as secrets will be shown in the output.
+#
+# By default, Pulumi will print secret stack outputs as the string '[secret]' instead of
+# the true content of the output.
+showSecretsInOutput: false
 ```
 
 ## Configuration Keys
@@ -707,6 +713,17 @@ The name of the pulumi stack to use. Defaults to the current environment name.
 | -------- | -------- |
 | `string` | No       |
 
+### `showSecretsInOutput`
+
+When set to true, stack outputs which are marked as secrets will be shown in the output.
+
+By default, Pulumi will print secret stack outputs as the string '[secret]' instead of
+the true content of the output.
+
+| Type      | Default | Required |
+| --------- | ------- | -------- |
+| `boolean` | `false` | No       |
+
 
 ## Outputs
 
diff --git a/plugins/pulumi/src/action.ts b/plugins/pulumi/src/action.ts
index fd1ab12524..039a10ffef 100644
--- a/plugins/pulumi/src/action.ts
+++ b/plugins/pulumi/src/action.ts
@@ -23,6 +23,7 @@ export interface PulumiDeploySpec {
   deployFromPreview: boolean
   root: string
   stack?: string
+  showSecretsInOutput: boolean
 }
 
 export type PulumiDeployConfig = DeployActionConfig<"pulumi", PulumiDeploySpec>
@@ -129,6 +130,17 @@ export const pulumiDeploySchemaKeys = () => ({
     .string()
     .allow(null)
     .description("The name of the pulumi stack to use. Defaults to the current environment name."),
+  showSecretsInOutput: joi
+    .boolean()
+    .default(false)
+    .description(
+      dedent`
+      When set to true, stack outputs which are marked as secrets will be shown in the output.
+
+      By default, Pulumi will print secret stack outputs as the string '[secret]' instead of
+      the true content of the output.
+      `
+    ),
 })
 
 export const pulumiDeploySchema = createSchema({
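Review bot: The description added for `showSecretsInOutput` explains what Pulumi prints by default but does not tell the user what enabling the flag exposes. With it on, the decrypted values are presumably returned as the action's stack outputs (that code is outside this hunk), so they can reach logs, caches, or anything that references those outputs. I would add a closing sentence to the `dedent` text such as `Enabling this returns secret values in plaintext as part of the action outputs, so only use it where those outputs are not logged or shared.` Because the reference docs are generated from this string, the same caveat would then appear in both markdown pages.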
diff --git a/plugins/pulumi/src/helpers.ts b/plugins/pulumi/src/helpers.ts
index 7552a5dc9e..47286c3344 100644
--- a/plugins/pulumi/src/helpers.ts
+++ b/plugins/pulumi/src/helpers.ts
@@ -151,9 +151,13 @@ export async function previewStack(
 }
 
 export async function getStackOutputs({ log, ctx, provider, action }: PulumiParams): Promise<any> {
+  const args = ["stack", "output", "--json"]
+  if (action.getSpec("showSecretsInOutput")) {
+    args.push("--show-secrets")
+  }
   const res = await pulumi(ctx, provider).json({
     log,
-    args: ["stack", "output", "--json"],
+    args,
     env: ensureEnv({ log, ctx, provider, action }),
     cwd: getActionStackRoot(action),
   })
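Review bot: When `--show-secrets` is pushed onto `args`, the decrypted secret outputs end up in `res` with no warning, and nothing marks them as sensitive. The function is typed `Promise<any>`, so callers cannot tell a redacted result from a plaintext one. The same `log` is also handed to the `pulumi(...).json` call, so it is worth checking whether that helper echoes stdout at debug or verbose level. I would at least emit a one-time notice inside the `if`, for example `log.warn("showSecretsInOutput is enabled: secret stack outputs are returned in plaintext")`, assuming the logger exposes a warn level. A comment above the `if` should also state that the returned values must be treated as secrets downstream. The rest of `getStackOutputs` lies outside this hunk, so how `res` is consumed could not be reviewed here.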
diff --git a/plugins/pulumi/src/index.ts b/plugins/pulumi/src/index.ts
index a7284f5eeb..d0a9639fff 100644
--- a/plugins/pulumi/src/index.ts
+++ b/plugins/pulumi/src/index.ts
@@ -124,6 +124,7 @@ export const gardenPlugin = () =>
                 cacheStatus: module.spec.cacheStatus || false,
                 stackReferences: module.spec.stackReferences || [],
                 deployFromPreview: module.spec.deployFromPreview || false,
+                showSecretsInOutput: module.spec.showSecretsInOutput || false,
                 root: module.spec.root || ".",
                 ...omit(module.spec, ["build", "dependencies"]),
               },