Respect provider config secretness. (#5742)

Just what it says on the tin. This is implemented by changing the `GetPackageConfig` method of `ConfigSource` to return a `PropertyMap` and ensuring that any secret config is represented by a `Secret`.
2020-11-12 12:18:12 -08:00 · 2020-11-12 12:18:12 -08:00 · 1e0c9efdd7
parent fe96365e6e
commit 1e0c9efdd7
10 changed files with 113 additions and 67 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,6 +3,12 @@ CHANGELOG

 ## HEAD (Unreleased)

+- Propagate secretness of provider configuration through to the statefile. This ensures
+  that any configuration values marked as secret (i.e. values set with
+  `pulumi config set --secret`) that are used as inputs to providers are encrypted
+  before they are stored.
+  [#5742](https://github.com/pulumi/pulumi/pull/5742)
+
 - Fix a bug that could prevent `pulumi import` from succeeding.
  [#5730](https://github.com/pulumi/pulumi/pull/5730)

--- a/pkg/engine/lifeycletest/pulumi_test.go
+++ b/pkg/engine/lifeycletest/pulumi_test.go
@ -5856,3 +5856,43 @@ func TestImport(t *testing.T) {
 	assert.Nil(t, res)
 	assert.Len(t, snap.Resources, 4)
 }
+
+func TestConfigSecrets(t *testing.T) {
+	loaders := []*deploytest.ProviderLoader{
+		deploytest.NewProviderLoader("pkgA", semver.MustParse("1.0.0"), func() (plugin.Provider, error) {
+			return &deploytest.Provider{}, nil
+		}),
+	}
+
+	program := deploytest.NewLanguageRuntime(func(_ plugin.RunInfo, monitor *deploytest.ResourceMonitor) error {
+		_, _, _, err := monitor.RegisterResource("pkgA:m:typA", "resA", true)
+		assert.NoError(t, err)
+		return nil
+	})
+	host := deploytest.NewPluginHost(nil, nil, program, loaders...)
+
+	crypter := config.NewSymmetricCrypter(make([]byte, 32))
+	secret, err := crypter.EncryptValue("hunter2")
+	assert.NoError(t, err)
+
+	p := &TestPlan{
+		Options: UpdateOptions{Host: host},
+		Steps:   MakeBasicLifecycleSteps(t, 2),
+		Config: config.Map{
+			config.MustMakeKey("pkgA", "secret"): config.NewSecureValue(secret),
+		},
+		Decrypter: crypter,
+	}
+
+	project := p.GetProject()
+	snap, res := TestOp(Update).Run(project, p.GetTarget(nil), p.Options, false, p.BackendClient, nil)
+	assert.Nil(t, res)
+
+	if !assert.Len(t, snap.Resources, 2) {
+		return
+	}
+
+	provider := snap.Resources[0]
+	assert.True(t, provider.Inputs["secret"].IsSecret())
+	assert.True(t, provider.Outputs["secret"].IsSecret())
+}
--- a/pkg/resource/deploy/import.go
+++ b/pkg/resource/deploy/import.go
@ -219,16 +219,12 @@ func (i *importer) registerProviders(ctx context.Context) (map[resource.URN]stri
 		urn := i.plan.generateURN("", typ, name)

 		// Fetch, prepare, and check the configuration for this provider.
-		cfg, err := i.plan.target.GetPackageConfig(req.Package())
+		inputs, err := i.plan.target.GetPackageConfig(req.Package())
 		if err != nil {
 			return nil, result.Errorf("failed to fetch provider config: %v", err), false
 		}

 		// Calculate the inputs for the provider using the ambient config.
-		inputs := resource.PropertyMap{}
-		for k, v := range cfg {
-			inputs[resource.PropertyKey(k.Name())] = resource.NewStringProperty(v)
-		}
 		if v := req.Version(); v != nil {
 			inputs["version"] = resource.NewStringProperty(v.String())
 		}
--- a/pkg/resource/deploy/plan.go
+++ b/pkg/resource/deploy/plan.go
@ -178,15 +178,10 @@ func addDefaultProviders(target *Target, source Source, prev *Snapshot) error {
 		pkg := res.URN.Type().Package()
 		ref, ok := defaultProviderRefs[pkg]
 		if !ok {
-			cfg, err := target.GetPackageConfig(pkg)
+			inputs, err := target.GetPackageConfig(pkg)
 			if err != nil {
 				return errors.Errorf("could not fetch configuration for default provider '%v'", pkg)
 			}
-
-			inputs := make(resource.PropertyMap)
-			for k, v := range cfg {
-				inputs[resource.PropertyKey(k.Name())] = resource.NewStringProperty(v)
-			}
 			if version, ok := defaultProviderVersions[pkg]; ok {
 				inputs["version"] = resource.NewStringProperty(version.String())
 			}
--- a/pkg/resource/deploy/source_eval.go
+++ b/pkg/resource/deploy/source_eval.go
@ -264,17 +264,11 @@ func (d *defaultProviders) newRegisterDefaultProviderEvent(
 	req providers.ProviderRequest) (*registerResourceEvent, <-chan *RegisterResult, error) {

 	// Attempt to get the config for the package.
-	cfg, err := d.config.GetPackageConfig(req.Package())
+	inputs, err := d.config.GetPackageConfig(req.Package())
 	if err != nil {
 		return nil, nil, err
 	}

-	// Create the inputs for the provider resource.
-	inputs := make(resource.PropertyMap)
-	for k, v := range cfg {
-		inputs[resource.PropertyKey(k.Name())] = resource.NewStringProperty(v)
-	}
-
 	// Request that the engine instantiate a specific version of this provider, if one was requested. We'll figure out
 	// what version to request by:
 	//   1. Providing the Version field of the ProviderRequest verbatim, if it was provided, otherwise
--- a/pkg/resource/deploy/target.go
+++ b/pkg/resource/deploy/target.go
@ -15,6 +15,7 @@
 package deploy

 import (
+	"github.com/pulumi/pulumi/sdk/v2/go/common/resource"
 	"github.com/pulumi/pulumi/sdk/v2/go/common/resource/config"
 	"github.com/pulumi/pulumi/sdk/v2/go/common/tokens"
 )
@ -28,8 +29,8 @@ type Target struct {
 }

 // GetPackageConfig returns the set of configuration parameters for the indicated package, if any.
-func (t *Target) GetPackageConfig(pkg tokens.Package) (map[config.Key]string, error) {
-	var result map[config.Key]string
+func (t *Target) GetPackageConfig(pkg tokens.Package) (resource.PropertyMap, error) {
+	result := resource.PropertyMap{}
 	if t == nil {
 		return result, nil
 	}
@ -38,14 +39,17 @@ func (t *Target) GetPackageConfig(pkg tokens.Package) (map[config.Key]string, er
 		if tokens.Package(k.Namespace()) != pkg {
 			continue
 		}
+
 		v, err := c.Value(t.Decrypter)
 		if err != nil {
 			return nil, err
 		}
-		if result == nil {
-			result = make(map[config.Key]string)
+
+		propertyValue := resource.NewStringProperty(v)
+		if c.Secure() {
+			propertyValue = resource.MakeSecret(propertyValue)
 		}
-		result[k] = v
+		result[resource.PropertyKey(k.Name())] = propertyValue
 	}
 	return result, nil
 }
--- a/sdk/go/common/resource/plugin/config_source.go
+++ b/sdk/go/common/resource/plugin/config_source.go
@ -15,7 +15,7 @@
 package plugin

 import (
-	"github.com/pulumi/pulumi/sdk/v2/go/common/resource/config"
+	"github.com/pulumi/pulumi/sdk/v2/go/common/resource"
 	"github.com/pulumi/pulumi/sdk/v2/go/common/tokens"
 )

@ -23,5 +23,5 @@ import (
 // package.
 type ConfigSource interface {
 	// GetPackageConfig returns the set of configuration parameters for the indicated package, if any.
-	GetPackageConfig(pkg tokens.Package) (map[config.Key]string, error)
+	GetPackageConfig(pkg tokens.Package) (resource.PropertyMap, error)
 }
--- a/sdk/go/common/resource/plugin/context.go
+++ b/sdk/go/common/resource/plugin/context.go
@ -16,10 +16,12 @@ package plugin

 import (
 	"context"
+	"io/ioutil"

 	"github.com/opentracing/opentracing-go"

 	"github.com/pulumi/pulumi/sdk/v2/go/common/diag"
+	"github.com/pulumi/pulumi/sdk/v2/go/common/diag/colors"
 	"github.com/pulumi/pulumi/sdk/v2/go/common/util/rpcutil"
 )

@ -40,6 +42,13 @@ func NewContext(d, statusD diag.Sink, host Host, cfg ConfigSource,
 	pwd string, runtimeOptions map[string]interface{}, disableProviderPreview bool,
 	parentSpan opentracing.Span) (*Context, error) {

+	if d == nil {
+		d = diag.DefaultSink(ioutil.Discard, ioutil.Discard, diag.FormatOptions{Color: colors.Never})
+	}
+	if statusD == nil {
+		statusD = diag.DefaultSink(ioutil.Discard, ioutil.Discard, diag.FormatOptions{Color: colors.Never})
+	}
+
 	ctx := &Context{
 		Diag:        d,
 		StatusDiag:  statusD,
--- a/sdk/python/Pipfile
+++ b/sdk/python/Pipfile
@ -11,4 +11,4 @@ six = ">=1.12.0"

 [dev-packages]
 pylint = ">=2.1"
-mypy = ">=0.77"
+mypy = "0.78"
--- a/sdk/python/Pipfile.lock
+++ b/sdk/python/Pipfile.lock
@ -1,7 +1,7 @@
 {
    "_meta": {
        "hash": {
-            "sha256": "d90637326727e2e688542a55f80b31f08863b1a70d11226579319725e189fdc5"
+            "sha256": "8f39c345effaa48064d02b8c1b617359571fa9d1d3577fa86e82a2692d233481"
        },
        "pipfile-spec": 6,
        "requires": {},
@ -24,50 +24,52 @@
        },
        "grpcio": {
            "hashes": [
-                "sha256:02a4a637a774382d6ac8e65c0a7af4f7f4b9704c980a0a9f4f7bbc1e97c5b733",
-                "sha256:08b6a58c8a83e71af5650f8f879fe14b7b84dce0c4969f3817b42c72989dacf0",
-                "sha256:0aeed3558a0eec0b31700af6072f1c90e8fd5701427849e76bc469554a14b4f5",
-                "sha256:0cebba3907441d5c620f7b491a780ed155140fbd590da0886ecfb1df6ad947b9",
-                "sha256:143b4fe72c01000fc0667bf62ace402a6518939b3511b3c2bec04d44b1d7591c",
-                "sha256:21265511880056d19ce4f809ce3fbe2a3fa98ec1fc7167dbdf30a80d3276202e",
-                "sha256:289671cfe441069f617bf23c41b1fa07053a31ff64de918d1016ac73adda2f73",
-                "sha256:2d5124284f9d29e4f06f674a12ebeb23fc16ce0f96f78a80a6036930642ae5ab",
-                "sha256:2f2eabfd514af8945ee415083a0f849eea6cb3af444999453bb6666fadc10f54",
-                "sha256:3ac453387add933b6cfbc67cc8635f91ff9895299130fc612c3c4b904e91d82a",
-                "sha256:407b4d869ce5c6a20af5b96bb885e3ecaf383e3fb008375919eb26cf8f10d9cd",
-                "sha256:4bb771c4c2411196b778871b519c7e12e87f3fa72b0517b22f952c64ead07958",
-                "sha256:4cef3eb2df338abd9b6164427ede961d351c6bf39b4a01448a65f9e795f56575",
-                "sha256:514b4a6790d6597fc95608f49f2f13fe38329b2058538095f0502b734b98ffd2",
-                "sha256:52143467237bfa77331ed1979dc3e203a1c12511ee37b3ddd9ff41b05804fb10",
-                "sha256:56e2a985efdba8e2282e856470b684e83a3cadd920f04fcd360b4b826ced0dd3",
-                "sha256:592656b10528aa327058d2007f7ab175dc9eb3754b289e24cac36e09129a2f6b",
-                "sha256:5b21d3de520a699cb631cfd3a773a57debeb36b131be366bf832153405cc5404",
-                "sha256:62ce7e86f11e8c4ff772e63c282fb5a7904274258be0034adf37aa679cf96ba0",
-                "sha256:65b06fa2db2edd1b779f9b256e270f7a58d60e40121660d8b5fd6e8b88f122ed",
-                "sha256:6a1b5b7e47600edcaeaa42983b1c19e7a5892c6b98bcde32ae2aa509a99e0436",
-                "sha256:703da25278ee7318acb766be1c6d3b67d392920d002b2d0304e7f3431b74f6c1",
                "sha256:7744468ee48be3265db798f27e66e118c324d7831a34fd39d5775bcd5a70a2c4",
-                "sha256:7c1ea6ea6daa82031af6eb5b7d1ab56b1193840389ea7cf46d80e98636f8aff5",
-                "sha256:7d292dabf7ded9c062357f8207e20e94095a397d487ffd25aa213a2c3dff0ab4",
-                "sha256:7f727b8b6d9f92fcab19dbc62ec956d8352c6767b97b8ab18754b2dfa84d784f",
-                "sha256:7fda62846ef8d86caf06bd1ecfddcae2c7e59479a4ee28808120e170064d36cc",
-                "sha256:85e56ab125b35b1373205b3802f58119e70ffedfe0d7e2821999126058f7c44f",
-                "sha256:88f2a102cbc67e91f42b4323cec13348bf6255b25f80426088079872bd4f3c5c",
-                "sha256:8cf67b8493bff50fa12b4bc30ab40ce1f1f216eb54145962b525852959b0ab3d",
-                "sha256:a8c84db387907e8d800c383e4c92f39996343adedf635ae5206a684f94df8311",
-                "sha256:abaf30d18874310d4439a23a0afb6e4b5709c4266966401de7c4ae345cc810ee",
-                "sha256:affbb739fde390710190e3540acc9f3e65df25bd192cc0aa554f368288ee0ea2",
-                "sha256:b412f43c99ca72769306293ba83811b241d41b62ca8f358e47e0fdaf7b6fbbd7",
+                "sha256:0cebba3907441d5c620f7b491a780ed155140fbd590da0886ecfb1df6ad947b9",
                "sha256:b581ddb8df619402c377c81f186ad7f5e2726ad9f8d57047144b352f83f37522",
-                "sha256:bf7de9e847d2d14a0efcd48b290ee181fdbffb2ae54dfa2ec2a935a093730bac",
+                "sha256:8cf67b8493bff50fa12b4bc30ab40ce1f1f216eb54145962b525852959b0ab3d",
+                "sha256:4bb771c4c2411196b778871b519c7e12e87f3fa72b0517b22f952c64ead07958",
+                "sha256:6a1b5b7e47600edcaeaa42983b1c19e7a5892c6b98bcde32ae2aa509a99e0436",
+                "sha256:0aeed3558a0eec0b31700af6072f1c90e8fd5701427849e76bc469554a14b4f5",
+                "sha256:4cef3eb2df338abd9b6164427ede961d351c6bf39b4a01448a65f9e795f56575",
+                "sha256:592656b10528aa327058d2007f7ab175dc9eb3754b289e24cac36e09129a2f6b",
+                "sha256:289671cfe441069f617bf23c41b1fa07053a31ff64de918d1016ac73adda2f73",
                "sha256:c5030be8a60fb18de1fc8d93d130d57e4296c02f229200df814f6578da00429e",
-                "sha256:c89510381cbf8c8317e14e747a8b53988ad226f0ed240824064a9297b65f921d",
-                "sha256:d386630af995fd4de225d550b6806507ca09f5a650f227fddb29299335cda55e",
-                "sha256:d51ddfb3d481a6a3439db09d4b08447fb9f6b60d862ab301238f37bea8f60a6d",
-                "sha256:eff55d318a114742ed2a06972f5daacfe3d5ad0c0c0d9146bcaf10acb427e6be",
-                "sha256:f2673c51e8535401c68806d331faba614bcff3ee16373481158a2e74f510b7f6",
+                "sha256:7fda62846ef8d86caf06bd1ecfddcae2c7e59479a4ee28808120e170064d36cc",
+                "sha256:3ac453387add933b6cfbc67cc8635f91ff9895299130fc612c3c4b904e91d82a",
                "sha256:fa78bd55ec652d4a88ba254c8dae623c9992e2ce647bd17ba1a37ca2b7b42222",
-                "sha256:ffec0b854d2ed6ee98776c7168c778cdd18503642a68d36c00ba0f96d4ccff7c"
+                "sha256:56e2a985efdba8e2282e856470b684e83a3cadd920f04fcd360b4b826ced0dd3",
+                "sha256:7c1ea6ea6daa82031af6eb5b7d1ab56b1193840389ea7cf46d80e98636f8aff5",
+                "sha256:a8c84db387907e8d800c383e4c92f39996343adedf635ae5206a684f94df8311",
+                "sha256:62ce7e86f11e8c4ff772e63c282fb5a7904274258be0034adf37aa679cf96ba0",
+                "sha256:7f727b8b6d9f92fcab19dbc62ec956d8352c6767b97b8ab18754b2dfa84d784f",
+                "sha256:02a4a637a774382d6ac8e65c0a7af4f7f4b9704c980a0a9f4f7bbc1e97c5b733",
+                "sha256:abaf30d18874310d4439a23a0afb6e4b5709c4266966401de7c4ae345cc810ee",
+                "sha256:08b6a58c8a83e71af5650f8f879fe14b7b84dce0c4969f3817b42c72989dacf0",
+                "sha256:407b4d869ce5c6a20af5b96bb885e3ecaf383e3fb008375919eb26cf8f10d9cd",
+                "sha256:dd47fac2878f6102efa211461eb6fa0a6dd7b4899cd1ade6cdcb9fa9748363eb",
+                "sha256:d51ddfb3d481a6a3439db09d4b08447fb9f6b60d862ab301238f37bea8f60a6d",
+                "sha256:bf7de9e847d2d14a0efcd48b290ee181fdbffb2ae54dfa2ec2a935a093730bac",
+                "sha256:ffec0b854d2ed6ee98776c7168c778cdd18503642a68d36c00ba0f96d4ccff7c",
+                "sha256:7d292dabf7ded9c062357f8207e20e94095a397d487ffd25aa213a2c3dff0ab4",
+                "sha256:2d5124284f9d29e4f06f674a12ebeb23fc16ce0f96f78a80a6036930642ae5ab",
+                "sha256:143b4fe72c01000fc0667bf62ace402a6518939b3511b3c2bec04d44b1d7591c",
+                "sha256:f2673c51e8535401c68806d331faba614bcff3ee16373481158a2e74f510b7f6",
+                "sha256:affbb739fde390710190e3540acc9f3e65df25bd192cc0aa554f368288ee0ea2",
+                "sha256:5b21d3de520a699cb631cfd3a773a57debeb36b131be366bf832153405cc5404",
+                "sha256:514b4a6790d6597fc95608f49f2f13fe38329b2058538095f0502b734b98ffd2",
+                "sha256:65b06fa2db2edd1b779f9b256e270f7a58d60e40121660d8b5fd6e8b88f122ed",
+                "sha256:52143467237bfa77331ed1979dc3e203a1c12511ee37b3ddd9ff41b05804fb10",
+                "sha256:85e56ab125b35b1373205b3802f58119e70ffedfe0d7e2821999126058f7c44f",
+                "sha256:21265511880056d19ce4f809ce3fbe2a3fa98ec1fc7167dbdf30a80d3276202e",
+                "sha256:b412f43c99ca72769306293ba83811b241d41b62ca8f358e47e0fdaf7b6fbbd7",
+                "sha256:2f2eabfd514af8945ee415083a0f849eea6cb3af444999453bb6666fadc10f54",
+                "sha256:c89510381cbf8c8317e14e747a8b53988ad226f0ed240824064a9297b65f921d",
+                "sha256:eff55d318a114742ed2a06972f5daacfe3d5ad0c0c0d9146bcaf10acb427e6be",
+                "sha256:89add4f4cda9546f61cb8a6988bc5b22101dd8ca4af610dff6f28105d1f78695",
+                "sha256:88f2a102cbc67e91f42b4323cec13348bf6255b25f80426088079872bd4f3c5c",
+                "sha256:d386630af995fd4de225d550b6806507ca09f5a650f227fddb29299335cda55e",
+                "sha256:703da25278ee7318acb766be1c6d3b67d392920d002b2d0304e7f3431b74f6c1"
            ],
            "index": "pypi",
            "version": "==1.33.2"