
Fixing Deployment Secrets - Plaintext in Inputs #325

Merged
merged 3 commits into from
Jun 26, 2024

Conversation

IaroslavTitov
Contributor

@IaroslavTitov IaroslavTitov commented Jun 20, 2024

Note: there is an alternative implementation of this PR - #320

Summary

Testing

  • Tested pulumi up, refresh, import and up from previous version of the provider (for unchanged DS inputs, migrating to this new way of saving will require refresh and then up)

Example TS program (Sadly can't use Dotnet, due to bug with maps):

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as service from "@pulumi/pulumiservice";

// Config and the `secret` value were not shown in the original snippet; the
// config key name below is assumed.
const config = new pulumi.Config();
const secret = config.requireSecret("my_ssh_password");

const settings = new service.DeploymentSettings("deployment_settings", {
  organization: "IaroslavTitov",
  project: "PulumiDotnet",
  stack: "SdkTest5",
  operationContext: {
    environmentVariables: {
      TEST_VAR: "fooa",
      SECRET_VAR: config.requireSecret("my_secret"),
    },
  },
  sourceContext: {
    git: {
      repoUrl: "https://github.com/pulumi/deploy-demos.git",
      branch: "refs/heads/main",
      repoDir: "pulumi-programs/simple-resource",
      gitAuth: {
        sshAuth: {
          sshPrivateKey: "privatekey",
          password: secret,
        },
      },
    },
  },
});
```

Secret resource values end up with just cipher, while plaintext is stored in inputs:

```json
      "sshAuth": {
        "password": "AAABAD6/2Nroj62qORoHOLofFOkRhdUNwCAYeC86nABU/G4AO5I7Fw==",
        "sshPrivateKey": "AAABABqRIQ1bZbvU/hrlpX1Rh9sj9OCyArjG0SUILPQmb0KSCFIrz6bK"
      }
```

Passwords and sshKey are forced into twin secrets, Environment Variables are optionally twin secrets, everything else uses normal Pulumi workflows, because they are not secret in Pulumi Service.

Import of the above code generates successfully with dummy values for secrets:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as pulumiservice from "@pulumi/pulumiservice";

const ds1 = new pulumiservice.DeploymentSettings("ds1", {
    operationContext: {
        environmentVariables: {
            SECRET_VAR: pulumi.secret("<REPLACE WITH ACTUAL SECRET VALUE>"),
            TEST_VAR: "fooa",
        },
    },
    organization: "IaroslavTitov",
    project: "PulumiDotnet",
    sourceContext: {
        git: {
            branch: "refs/heads/main",
            gitAuth: {
                sshAuth: {
                    password: pulumi.secret("<REPLACE WITH ACTUAL SECRET VALUE>"),
                    sshPrivateKey: pulumi.secret("<REPLACE WITH ACTUAL SECRET VALUE>"),
                },
            },
            repoDir: "pulumi-programs/simple-resource",
            repoUrl: "https://github.com/pulumi/deploy-demos.git",
        },
    },
    stack: "SdkTest5",
}, {
    protect: true,
});
```

@IaroslavTitov IaroslavTitov force-pushed the iaro/secrets2 branch 5 times, most recently from 7c7285d to 4bd540b Compare June 24, 2024 17:05
@IaroslavTitov IaroslavTitov marked this pull request as ready for review June 24, 2024 17:34
@IaroslavTitov IaroslavTitov requested a review from komalali June 24, 2024 21:30
@IaroslavTitov IaroslavTitov force-pushed the iaro/secrets2 branch 2 times, most recently from d2e8bec to be8a6a0 Compare June 25, 2024 15:44
```go
currentStateCipherSettings.SourceContext.Git != nil &&
currentStateCipherSettings.SourceContext.Git.GitAuth != nil &&
currentStateCipherSettings.SourceContext.Git.GitAuth.SSHAuth != nil {
plaintextValue = &plaintextInputSettings.SourceContext.Git.GitAuth.SSHAuth.SSHPrivateKey
```
Member


Is this guaranteed to exist? What happens if plaintextInputSettings.SourceContext.Git.GitAuth.SSHAuth is nil?

Contributor Author

@IaroslavTitov IaroslavTitov Jun 25, 2024


Yes, if a value in plaintextInputSettings exists, it also exists in plaintextInputSettings, because they are retrieved from inputs and outputs of the current state

Member


I'm guessing you meant "if a value in currentStateCipherSettings exists, it also exists in plaintextInputSettings"?

Contributor Author


Ah, yes, sorry!
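A nil-safe version of the lookup discussed in the review thread above, written as an added example (not the provider's code). The struct names mirror the nested optional settings in the snippet but are assumed, and the pairing function returns `ok == false` instead of dereferencing when either the cipher side or the plaintext side lacks SSH auth:

```go
package main

import "fmt"

// Hypothetical types mirroring the optional chain in the reviewed snippet
// (names assumed; not the provider's real types).
type SSHAuth struct {
	SSHPrivateKey string
	Password      string
}
type GitAuth struct{ SSHAuth *SSHAuth }
type Git struct{ GitAuth *GitAuth }
type SourceContext struct{ Git *Git }
type DeploymentSettings struct{ SourceContext *SourceContext }

// sshAuthOf walks the optional chain and returns nil if any level is missing,
// so callers never dereference a nil pointer part-way down.
func sshAuthOf(s *DeploymentSettings) *SSHAuth {
	if s == nil || s.SourceContext == nil || s.SourceContext.Git == nil ||
		s.SourceContext.Git.GitAuth == nil {
		return nil
	}
	return s.SourceContext.Git.GitAuth.SSHAuth
}

// PairPrivateKey returns the ciphertext held in current state and the plaintext
// held in current inputs as a twin pair. ok is false when either side has no
// SSH auth: a cipher with no matching plaintext means inputs and state have
// drifted, so the caller must not assume both exist.
func PairPrivateKey(cipherState, plaintextInput *DeploymentSettings) (cipher, plaintext string, ok bool) {
	c := sshAuthOf(cipherState)
	p := sshAuthOf(plaintextInput)
	if c == nil || p == nil {
		return "", "", false
	}
	return c.SSHPrivateKey, p.SSHPrivateKey, true
}

func main() {
	// Constructed sample: state carries the cipher, inputs carry the plaintext.
	state := &DeploymentSettings{&SourceContext{&Git{&GitAuth{&SSHAuth{SSHPrivateKey: "AAABAB...cipher"}}}}}
	inputs := &DeploymentSettings{&SourceContext{&Git{&GitAuth{&SSHAuth{SSHPrivateKey: "privatekey"}}}}}
	fmt.Println(PairPrivateKey(state, inputs))
	// Drifted input: GitAuth present but SSHAuth nil, the case raised in review.
	fmt.Println(PairPrivateKey(state, &DeploymentSettings{&SourceContext{&Git{&GitAuth{}}}}))
}
```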

@IaroslavTitov IaroslavTitov merged commit 6853f00 into main Jun 26, 2024
13 checks passed
@IaroslavTitov IaroslavTitov deleted the iaro/secrets2 branch June 26, 2024 22:18