Add 'secret' to config #11084
Changelog [uncommitted] (2022-10-24) Bug Fixes
9b8fb78 to b415590
Straightforward change.
I didn't see why the b64 crypter implementation moved, what did I miss?
It was in pkg, I moved it to SDK so I could use it for tests there. Most of the other crypters are in that same file.
I thought CI was flaky but these look like legitimate errors:
I will try to fix 'em myself
@Frassle I've done a bit of refactoring to make this work for @AaronFriel re-requested your review because I've some changes, would appreciate a second glance 😄 🙏
The new changes look good to me - the comment on ApplyProjectConfig was helpful to understand why we're calling it and not just always applying project config.
f3ce96f to a4ae636
Also separate the validation and merging of project-to-stack values, to allow us to apply in values even if they're secure and we don't have an available decrypter. We can't validate that they're all correct, but it means at least `config get` can do a best effort retrieval for config values.
a4ae636 to ea609d5
bors merge
Build succeeded:
Description
Fixes project level config correctly type checking secret values.
Also adds a "secret: true" flag to the config schema to require that the config value is secret (this doesn't currently enforce that the default must be secret because we have no way of setting a secure value in Pulumi.yaml).
This removes the support for `pulumi config list/get` to show project level defaults, they now purely look at stack config. Ideally we'll add this back in but it needs to be done in such a way that we can correctly validate secure config values, but only initializing the decrypter (and thus asking for passphrases etc) if it's needed for the values that list/get is showing. By default list doesn't do any decryption just transforming any secure value to the string "[secure]". That clearly won't typecheck in the current system if the key is tagged as a number, but whatever system we devise should allow it to typecheck.
Checklist
`make changelog` and committed the `changelog/pending/<file>` documenting my change
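
An added example, not code from this PR or from Pulumi: one way to type check stack config against a project schema that carries a `secret` flag, creating the decrypter only when a secure value actually has to be read. `Schema`, `Value`, `Decrypter`, `Validate` and `b64Decrypt` are hypothetical names, and base64 stands in for a real crypter.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strconv"
)

// Hypothetical types for this example, not Pulumi's own.
type Schema struct{ Type string; Secret bool } // Secret: value must be stored secure
type Value struct{ Raw string; Secure bool }   // Raw is ciphertext when Secure is true
type Decrypter func(ciphertext string) (string, error)

// b64Decrypt is a stand-in crypter: base64 is an encoding, not encryption.
func b64Decrypt(c string) (string, error) {
	b, err := base64.StdEncoding.DecodeString(c)
	return string(b), err
}

// Validate type checks stack values; newDec runs at most once, only if a secure value must be read.
func Validate(schema map[string]Schema, stack map[string]Value, newDec func() (Decrypter, error)) (err error) {
	var dec Decrypter
	for key, v := range stack { // v is a copy, the map itself is never modified
		s := schema[key] // zero Schema: no constraints
		if s.Secret && !v.Secure {
			return fmt.Errorf("%s: value must be secret", key)
		}
		if s.Type != "integer" {
			continue // plaintext not needed, so no decryption
		}
		if v.Secure {
			if dec == nil {
				if dec, err = newDec(); err != nil {
					return err
				}
			}
			if v.Raw, err = dec(v.Raw); err != nil {
				return fmt.Errorf("%s: cannot decrypt", key)
			}
		}
		if _, err = strconv.Atoi(v.Raw); err != nil {
			return fmt.Errorf("%s: expected integer", key) // never echo the plaintext
		}
	}
	return nil
}

func main() { // constructed sample: "ODA4MA==" is base64 of "8080"
	stack := map[string]Value{"port": {Raw: "ODA4MA==", Secure: true}}
	schema := map[string]Schema{"port": {Type: "integer", Secret: true}}
	fmt.Println(Validate(schema, stack, func() (Decrypter, error) { return b64Decrypt, nil }))
}
```

Because the check runs on the decrypted value, the `[secure]` placeholder string is never what gets compared against an `integer` type.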