Mark __inputs as secret (#407)

pulumi · Dec 18, 2020 · 0fc6ff1 · 0fc6ff1
1 parent 5b220d5
commit 0fc6ff1
Show file tree

Hide file tree

Showing 6 changed files with 60 additions and 5 deletions.
diff --git a/examples/examples_nodejs_test.go b/examples/examples_nodejs_test.go
@@ -4,10 +4,11 @@
 package examples
 
 import (
+	"encoding/json"
 	"path/filepath"
 	"testing"
-
 	"github.com/pulumi/pulumi/pkg/v2/testing/integration"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestAccApiTs(t *testing.T) {
@@ -93,6 +94,27 @@ func TestMessagingTs(t *testing.T) {
 	integration.ProgramTest(t, &test)
 }
 
+func TestSecretsTs(t *testing.T) {
+	secretMessage := "secret message for testing"
+
+	test := getJSBaseOptions(t).
+		With(integration.ProgramTestOptions{
+			Dir: filepath.Join(getCwd(t), "secrets"),
+			Config: map[string]string{
+				"message": secretMessage,
+			},
+			ExtraRuntimeValidation: func(t *testing.T, stackInfo integration.RuntimeValidationStackInfo) {
+				assert.NotNil(t, stackInfo.Deployment)
+				state, err := json.Marshal(stackInfo.Deployment)
+				assert.NoError(t, err)
+
+				assert.NotContains(t, string(state), secretMessage)
+			},
+		})
+
+	integration.ProgramTest(t, &test)
+}
+
 func getJSBaseOptions(t *testing.T) integration.ProgramTestOptions {
 	base := getBaseOptions(t)
 	baseJS := base.With(integration.ProgramTestOptions{

diff --git a/examples/go.mod b/examples/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/onsi/gomega v1.9.0 // indirect
 	github.com/pulumi/pulumi/pkg/v2 v2.9.0
 	github.com/pulumi/pulumi/sdk/v2 v2.9.0 // indirect
+	github.com/stretchr/testify v1.6.1
 	gopkg.in/airbrake/gobrake.v2 v2.0.9 // indirect
 	gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2 // indirect
 )
diff --git a/examples/secrets/Pulumi.yaml b/examples/secrets/Pulumi.yaml
@@ -0,0 +1,3 @@
+name: secrets
+runtime: nodejs
+description: Secret values
diff --git a/examples/secrets/index.ts b/examples/secrets/index.ts
@@ -0,0 +1,18 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as random from "@pulumi/random";
+import * as resources from "@pulumi/azure-nextgen/resources/latest";
+
+const randomString = new random.RandomString("random", {
+    length: 12,
+    special: false,
+    upper: false,
+    number: false,
+});
+
+const resourceGroup = new resources.ResourceGroup("rg", {
+    resourceGroupName: randomString.result,
+    location: "westus2",
+    tags: {
+        something: new pulumi.Config().requireSecret("message"),
+    },
+});
diff --git a/examples/secrets/package.json b/examples/secrets/package.json
@@ -0,0 +1,11 @@
+{
+    "name": "azure-nextgen-secrets",
+    "version": "0.1.0",
+    "devDependencies": {
+        "@types/node": "latest"
+    },
+    "dependencies": {
+        "@pulumi/pulumi": "^2.0.0",
+        "@pulumi/random": "^2.0.0"
+    }
+}
diff --git a/provider/pkg/provider/provider.go b/provider/pkg/provider/provider.go
@@ -650,7 +650,7 @@ func (k *azureNextGenProvider) Create(ctx context.Context, req *rpc.CreateReques
 	// Serialize and return RPC outputs
 	checkpoint, err := plugin.MarshalProperties(
 		obj,
-		plugin.MarshalOptions{Label: fmt.Sprintf("%s.checkpoint", label), KeepUnknowns: true, SkipNulls: true},
+		plugin.MarshalOptions{Label: fmt.Sprintf("%s.checkpoint", label), KeepSecrets: true, KeepUnknowns: true, SkipNulls: true},
 	)
 	if err != nil {
 		return nil, err
@@ -735,7 +735,7 @@ func (k *azureNextGenProvider) Read(ctx context.Context, req *rpc.ReadRequest) (
 	// Serialize and return RPC outputs.
 	checkpoint, err := plugin.MarshalProperties(
 		obj,
-		plugin.MarshalOptions{Label: fmt.Sprintf("%s.checkpoint", label), KeepUnknowns: true, SkipNulls: true},
+		plugin.MarshalOptions{Label: fmt.Sprintf("%s.checkpoint", label), KeepSecrets: true, KeepUnknowns: true, SkipNulls: true},
 	)
 	if err != nil {
 		return nil, err
@@ -831,7 +831,7 @@ func (k *azureNextGenProvider) Update(ctx context.Context, req *rpc.UpdateReques
 	// Serialize and return RPC outputs.
 	checkpoint, err := plugin.MarshalProperties(
 		obj,
-		plugin.MarshalOptions{Label: fmt.Sprintf("%s.checkpoint", label), KeepUnknowns: true, SkipNulls: true},
+		plugin.MarshalOptions{Label: fmt.Sprintf("%s.checkpoint", label), KeepSecrets: true, KeepUnknowns: true, SkipNulls: true},
 	)
 	if err != nil {
 		return nil, err
@@ -1374,7 +1374,7 @@ func buildUserAgent(partnerID string) (userAgent string) {
 // checkpointObject puts inputs in the `__inputs` field of the state.
 func checkpointObject(inputs resource.PropertyMap, outputs map[string]interface{}) resource.PropertyMap {
 	object := resource.NewPropertyMapFromMap(outputs)
-	object["__inputs"] = resource.NewObjectProperty(inputs)
+	object["__inputs"] = resource.MakeSecret(resource.NewObjectProperty(inputs))
 	return object
 
 }