feat(pulumi): add spec.showSecretsInOutput config to Pulumi deploy action #6555

Merged
merged 3 commits into from
Oct 22, 2024


BraedonLeonard
Contributor

What this PR does / why we need it:

Some outputs in Pulumi are considered secrets, and you need to use the --show-secrets flag to show them. If you don't, secret outputs get replaced with [secret]. Because the Pulumi provider doesn't include the --show-secrets flag, you can't use outputs from Pulumi which are marked as secrets, which can really limit the usefulness of the Pulumi deploy action's outputs.

This PR makes it so that secret values are included in the output of the Pulumi deploy action.

@BraedonLeonard
Contributor Author

By the way, I'm not able to add reviewers to PRs for some reason, which is why I haven't been explicitly adding any to my PRs.

@eysi09 eysi09 requested a review from thsig October 17, 2024 11:45
@eysi09
Collaborator

eysi09 commented Oct 17, 2024

Thanks for the contribution @BraedonLeonard! I assigned @thsig, our in-house Pulumi specialist.

@thsig
Collaborator

thsig commented Oct 18, 2024

Thanks for the PR, @BraedonLeonard!

I'm wondering if this should be opt-in on a per-action basis, just so users are explicitly aware of the possible security implications.

Could you add a showSecretsInOutput boolean configuration field to pulumiDeploySchemaKeys here (with false as the default):

export const pulumiDeploySchemaKeys = () => ({

And then only append the --show-secrets CLI option to the stack output command when this flag is set to true?
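
The opt-in behaviour requested above, as an added TypeScript sketch that is not part of the PR or of Garden's code base. Only `showSecretsInOutput`, `--show-secrets` and the `[secret]` placeholder come from this thread; every function name, type and sample value is hypothetical, and the log-redaction step is an assumption about how a consumer might keep revealed values out of logs.

```typescript
// Added illustration, not Garden's code. Only spec.showSecretsInOutput,
// --show-secrets and the "[secret]" placeholder come from the PR thread.

type Outputs = { [key: string]: unknown }

interface DeploySpec {
  showSecretsInOutput?: unknown // opt-in per action, treated as false when absent
}

const SECRET_PLACEHOLDER = "[secret]"

// Only the boolean `true` opts in; "true", 1 or a missing field keep masking on.
function secretsEnabled(spec: DeploySpec): boolean {
  return spec.showSecretsInOutput === true
}

// Arguments for `pulumi stack output`; the flag is appended only on opt-in.
function stackOutputArgs(spec: DeploySpec): string[] {
  const args = ["stack", "output", "--json"]
  if (secretsEnabled(spec)) {
    args.push("--show-secrets")
  }
  return args
}

// Names of outputs that Pulumi masked in a run without --show-secrets.
function maskedOutputKeys(masked: Outputs): string[] {
  return Object.keys(masked).filter((key) => masked[key] === SECRET_PLACEHOLDER)
}

// Copy of the revealed outputs that is safe to log: every key that was masked
// in the default run gets the placeholder back.
function redactForLog(revealed: Outputs, secretKeys: string[]): Outputs {
  const safe: Outputs = {}
  for (const key of Object.keys(revealed)) {
    safe[key] = secretKeys.indexOf(key) >= 0 ? SECRET_PLACEHOLDER : revealed[key]
  }
  return safe
}

// Constructed sample data (not real stack output).
const maskedRun: Outputs = { bucketName: "assets", dbPassword: "[secret]" }
const revealedRun: Outputs = { bucketName: "assets", dbPassword: "example-only-value" }
```
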

@BraedonLeonard
Contributor Author

@thsig Just pushed the changes to make this behaviour configurable, let me know if it looks good to you 👍

@BraedonLeonard changed the title from "fix(pulumi): show secrets in pulumi stack output" to "feat(pulumi): add spec.showSecretsInOutput config to Pulumi deploy action" Oct 18, 2024
Collaborator

@thsig thsig left a comment

Looks good, thanks for your contribution! 🎉

@thsig thsig added this pull request to the merge queue Oct 22, 2024
Merged via the queue into garden-io:main with commit 682e378 Oct 22, 2024
17 checks passed