Ensure secret provider variables are cleaned up when changing secret providers (#5545)

Fixes: #5509

When changing from a passphrase provider to a cloud secrets provider,
the encryptionsalt is not required, so we should ensure this is removed.
Paul Stack 2020-10-10 19:04:07 +01:00 committed by GitHub
parent e687cbcffc
commit 36db22d488
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 0 deletions

@ -34,6 +34,9 @@ CHANGELOG
- Support self-contained executables as binary option for .NET programs.
[#5519](https://github.com/pulumi/pulumi/pull/5519)
- [cli] Ensure old secret provider variables are cleaned up when changing between secret providers
[#5545](https://github.com/pulumi/pulumi/pull/5545)
## 2.11.2 (2020-10-01)
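
Review bot: The new entry says variables are cleaned up "when changing between secret providers", which is broader than what this commit changes: the only code touched is newCloudSecretsManager, and it clears just the encryption salt on the passphrase-to-cloud path. Suggest wording the entry to match, for example "Ensure the passphrase encryption salt is removed when changing to a cloud secrets provider", so readers do not assume the reverse direction (leftover cloud provider fields when moving back to a passphrase) is also handled.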

@ -40,6 +40,13 @@ func newCloudSecretsManager(stackName tokens.QName, configFile, secretsProvider
return nil, err
}
// Only a passphrase provider has an encryption salt. So changing a secrets provider
// from passphrase to a cloud secrets provider should ensure that we remove the enryptionsalt
// as it's a legacy artifact and needs to be removed
if info.EncryptionSalt != "" {
info.EncryptionSalt = ""
}
var secretsManager *cloud.Manager
if info.EncryptedKey == "" {
dataKey, err := cloud.GenerateNewDataKey(secretsProvider)
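
Review bot: The added block in newCloudSecretsManager only resets info.EncryptionSalt in memory, and nothing visible in this hunk writes info back to the stack config, so please confirm that the save happens on both branches that follow, including the one where info.EncryptedKey is already set. If it is only saved when a new data key is generated, a stale salt could stay in the file. Two smaller points: the `if info.EncryptionSalt != ""` guard is redundant, since assigning `""` unconditionally gives the same result, and the comment misspells "encryptionsalt" as "enryptionsalt". The commit touches only the CHANGELOG and this file, so a test that switches a passphrase stack to a cloud provider and asserts the salt is gone from the saved config would be worth adding.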