-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Apply secrets to function result properties marked as such #272
Conversation
This will need a pulumi-yaml update before the tests go green |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For this to be safe, I think it will need an engine level feature flag: The engine tells the provider that it's ok to send secrets on invokes.
Otherwise this will break existing providers on old SDKs without any explanation.
How so? In my mind, the flow goes like this:
The CLI version makes no difference here - so where should the flag be and why? |
Will the newly generated SDKs require version's of their languages core SDKs that support this? |
I think so... E.g. Node implementation relies on new functions in the core SDK: https://github.com/pulumi/pulumi/pull/17237/files#diff-f786ce189e2b1bb74d5f9425d102b713287faea09bc04b692ea0d42e1b035a10 Besides, taking advantage of output secretness requires a code change from the provider's author, hopefully they will do so only if they know what they do. |
I don't see any required version bump in that diff. On If they did bump the required SDK version, then I think this would be ok.
I don't think that's true. They could have marked field as secret (perhaps in a shared type) and forgot about it. Imagine if there was a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thinking about it some more, the only case where this introduces a break is:
- Someone will upgrade their pulumi-go-provider version to v${next}, which includes outputty functions.
- Someone will generate an SDK with an old version of pulumi, which doesn’t require the new output-supporting SDKs.
- The provider will start sending outputs in invokes, which will break existing usage.
This requires a pulumi package gen-sdk
version that's behind what pulumi-go-provider
uses, which is very hard to guard against.
cba25cd
to
a045d60
Compare
a045d60
to
2ee2a12
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #272 +/- ##
==========================================
- Coverage 38.42% 38.32% -0.10%
==========================================
Files 45 45
Lines 4705 4717 +12
==========================================
Hits 1808 1808
- Misses 2733 2745 +12
Partials 164 164 ☔ View full report in Codecov by Sentry. |
This PR has been shipped in release v0.23.0. |
Function output properties can be annotated as secrets. That may have two effects:
This PR implements (2) by applying secrets to inferred function results.
Added an invoke test that verifies this behavior. Also, extended the
credentials
sample program with an implementation of a secretty invokes and verified that it works manually.Note that this requires 3.131.0 or later of Node.js/Go/YAML SDK or a later version for Python SDK support. Earlier versions fail to deserialize a secretty invoke output.
Resolves #259