Warn when additionalSecretOutputs includes id (#9360)

* Warn when `additionalSecretOutputs` includes `id` * Update CHANGELOG_PENDING.md
pulumi · Apr 7, 2022 · 0994d80 · 0994d80
1 parent 45f7a06
commit 0994d80
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/CHANGELOG_PENDING.md b/CHANGELOG_PENDING.md
@@ -9,5 +9,8 @@
 - [cli] Display more useful diffs for secrets that are not primitive values
   [#9351](https://github.com/pulumi/pulumi/pull/9351)
 
+- [cli] - Warn when `additionalSecretOutputs` is used to mark the `id` property as secret.
+  [#9360](https://github.com/pulumi/pulumi/pull/9360)
+
 ### Bug Fixes
 
diff --git a/pkg/resource/deploy/step_generator.go b/pkg/resource/deploy/step_generator.go
@@ -284,6 +284,15 @@ func (sg *stepGenerator) generateSteps(event RegisterResourceEvent) ([]Step, res
 	}
 	sg.urns[urn] = true
 
+	for _, secret := range goal.AdditionalSecretOutputs {
+		if secret == "id" {
+			sg.deployment.ctx.Diag.Warningf(&diag.Diag{
+				URN:     urn,
+				Message: "The 'id' property cannot be made secret. See pulumi/pulumi#2717 for more details.",
+			})
+		}
+	}
+
 	// Check for an old resource so that we can figure out if this is a create, delete, etc., and/or
 	// to diff.  We look up first by URN and then by any provided aliases.  If it is found using an
 	// alias, record that alias so that we do not delete the aliased resource later.