Refresh on Deployment Settings always shows a diff if there are secrets #123
Comments
Investigating this using this example resource:
Git login info are secrets.
When I do pulumi refresh, it wants to update agentPoolId and sourceContext, and the result looks like this:
So the Read operation breaks these secrets, which is why pulumi up shows a diff and actually fails after that, failing to read an empty object where it expected a string or a secret.
Had a meeting to discuss this issue, reviewed the design doc and agreed on a game plan described in the doc. Will proceed with implementation.
Created this issue https://github.com/pulumi/pulumi-service/issues/19990 for the first part of the plan. I will use this issue for tracking the change in PSP itself.
Created sub-issue #299. PRs necessary for the next step:
### Note: there is an alternative implementation of this PR - #320

### Summary

- Added logic to save ciphertext into the output properties for secret values, allowing comparison on refresh of just ciphertext, fixing #123
- Import now works as well, including code generation (with dummy values for secrets)
- Migrated to new PUT API and updated client to actually return DeploymentSettings

### Testing

- Tested pulumi up, refresh, import and up from previous version of the provider (for unchanged DS inputs, migrating to this new way of saving will require refresh and then up)

Example TS program (sadly, can't use Dotnet due to a bug with maps):

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as service from "@pulumi/pulumiservice";

// The imports and these two definitions were not shown in the snippet as
// pasted; the "ssh_password" config key is an assumption.
const config = new pulumi.Config();
const secret = config.requireSecret("ssh_password");

const settings = new service.DeploymentSettings("deployment_settings", {
    organization: "IaroslavTitov",
    project: "PulumiDotnet",
    stack: "SdkTest5",
    operationContext: {
        environmentVariables: {
            TEST_VAR: "fooa",
            SECRET_VAR: config.requireSecret("my_secret"),
        },
    },
    sourceContext: {
        git: {
            repoUrl: "https://github.com/pulumi/deploy-demos.git",
            branch: "refs/heads/main",
            repoDir: "pulumi-programs/simple-resource",
            gitAuth: {
                sshAuth: {
                    sshPrivateKey: "privatekey",
                    password: secret,
                },
            },
        },
    },
});
```

Secret resource values end up with just the cipher, while plaintext is stored in inputs:

```
"sshAuth": {
    "password": "AAABAD6/2Nroj62qORoHOLofFOkRhdUNwCAYeC86nABU/G4AO5I7Fw==",
    "sshPrivateKey": "AAABABqRIQ1bZbvU/hrlpX1Rh9sj9OCyArjG0SUILPQmb0KSCFIrz6bK"
}
```

Passwords and sshKey are forced into twin secrets, Environment Variables are optionally twin secrets, everything else uses normal Pulumi workflows, because they are not secret in Pulumi Service.
Import of the above code generates successfully with dummy values for secrets:

```typescript
// Imports added for completeness; the generated snippet as pasted omitted them.
import * as pulumi from "@pulumi/pulumi";
import * as pulumiservice from "@pulumi/pulumiservice";

const ds1 = new pulumiservice.DeploymentSettings("ds1", {
    operationContext: {
        environmentVariables: {
            SECRET_VAR: pulumi.secret("<REPLACE WITH ACTUAL SECRET VALUE>"),
            TEST_VAR: "fooa",
        },
    },
    organization: "IaroslavTitov",
    project: "PulumiDotnet",
    sourceContext: {
        git: {
            branch: "refs/heads/main",
            gitAuth: {
                sshAuth: {
                    password: pulumi.secret("<REPLACE WITH ACTUAL SECRET VALUE>"),
                    sshPrivateKey: pulumi.secret("<REPLACE WITH ACTUAL SECRET VALUE>"),
                },
            },
            repoDir: "pulumi-programs/simple-resource",
            repoUrl: "https://github.com/pulumi/deploy-demos.git",
        },
    },
    stack: "SdkTest5",
}, {
    protect: true,
});
```
Finally merged in the last part, resolving!
The underlying deployment settings API does not return any secret values on `GET`. As a result, on `refresh`, there is always a diff as the secret values are replaced by the string `secret`. Subsequently, an `update` also shows a diff. To work through this, we will likely need to implement an endpoint for deployment settings that returns the secret values.
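The mechanism described in the issue text above (the service's `GET` never returns plaintext secrets, so a provider that keeps plaintext in its outputs diffs on every refresh) and the fix described in the PR summary (store the service's ciphertext in the output properties and compare only ciphertext on refresh, while inputs keep the plaintext), modelled in Go as an added example. This is not the provider's own code: `mockService`, its HMAC stand-in for the service's encryption, the `Secrets` and `State` types and the sample value are all constructed for illustration, and the only property assumed about the real API is that the ciphertext of an unchanged secret is stable across `GET` calls.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// Secrets maps a secret setting name (e.g. an environment variable) to its
// value: plaintext in provider inputs, service ciphertext in provider outputs.
type Secrets map[string]string

// mockService stands in for the deployment-settings API (constructed for this
// example). Get never returns plaintext, only the stored ciphertext.
type mockService struct {
	key    []byte
	cipher Secrets
}

// encrypt is a deterministic keyed digest standing in for the service's real
// encryption. The example relies only on the ciphertext of an unchanged value
// being stable across Get calls, which is an assumption about the real API.
func (s *mockService) encrypt(plaintext string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(plaintext))
	return base64.StdEncoding.EncodeToString(m.Sum(nil))
}

// Put replaces the stored secrets and returns what a following Get returns.
func (s *mockService) Put(in Secrets) Secrets {
	s.cipher = Secrets{}
	for k, v := range in {
		s.cipher[k] = s.encrypt(v)
	}
	return s.Get()
}

// Get returns the ciphertext map; Put installs a fresh map rather than
// mutating this one, so callers never see it change under them.
func (s *mockService) Get() Secrets { return s.cipher }

// State is what the provider checkpoints for the resource.
type State struct {
	Inputs  Secrets // plaintext, marked secret in the checkpoint
	Outputs Secrets // plaintext before the fix, ciphertext after it
}

// legacyCreate models the pre-fix provider: outputs mirror plaintext inputs,
// so Read always sees plaintext on one side and ciphertext on the other.
func legacyCreate(svc *mockService, inputs Secrets) State {
	svc.Put(inputs)
	return State{Inputs: inputs, Outputs: inputs}
}

// twinSecretCreate models the fix: inputs keep plaintext, outputs keep the
// ciphertext the service returned, so Read compares ciphertext to ciphertext.
func twinSecretCreate(svc *mockService, inputs Secrets) State {
	return State{Inputs: inputs, Outputs: svc.Put(inputs)}
}

// changedKeys lists, sorted, the keys whose values differ between a and b;
// a key present on only one side counts as changed.
func changedKeys(a, b Secrets) []string {
	seen := map[string]bool{}
	for k, v := range a {
		seen[k] = b[k] != v
	}
	for k, v := range b {
		seen[k] = seen[k] || a[k] != v
	}
	var keys []string
	for k, changed := range seen {
		if changed {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys
}

// refreshDiff is what Read reports: checkpointed outputs against the live Get.
func refreshDiff(svc *mockService, st State) []string {
	return changedKeys(st.Outputs, svc.Get())
}

// updateDiff is what up/preview reports: old plaintext inputs against new
// plaintext inputs. Outputs are never consulted, so their ciphertext never
// enters this comparison.
func updateDiff(old, next Secrets) []string { return changedKeys(old, next) }

func main() {
	inputs := Secrets{"SECRET_VAR": "hunter2"} // constructed sample value
	legacySvc, fixedSvc := &mockService{key: []byte("k")}, &mockService{key: []byte("k")}
	fmt.Println("legacy refresh diff:", refreshDiff(legacySvc, legacyCreate(legacySvc, inputs)))
	fmt.Println("twin-secret refresh diff:", refreshDiff(fixedSvc, twinSecretCreate(fixedSvc, inputs)))
}
```

With the legacy state the refresh diff always contains the secret key; with the twin-secret state it is empty, yet a secret changed out of band (a second `Put` with a different value) is still detected because the ciphertext changes, and `pulumi up` keeps working because it compares plaintext inputs to plaintext inputs.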