Wordsmith CHNAGELOG.md
This commit is contained in:
parent 8a865acf11
commit 5a5d320b7d
24
CHANGELOG.md
|
@ -5,39 +5,23 @@
|
||||||
#### Secrets and Pluggable Encryption
|
#### Secrets and Pluggable Encryption
|
||||||
|
|
||||||
- The Pulumi engine and Python and NodeJS SDKs now have support for tracking values as "secret" to ensure they are
|
- The Pulumi engine and Python and NodeJS SDKs now have support for tracking values as "secret" to ensure they are
|
||||||
encrypted when being persisted in a state file.
|
encrypted when being persisted in a state file. `[pulumi/pulumi#397](https://github.com/pulumi/pulumi/issues/397)`
|
||||||
|
|
||||||
Any existing value may be turned into a secret by calling `pulumi.secret(<value>)` (NodeJS) or
|
Any existing value may be turned into a secret by calling `pulumi.secret(<value>)` (NodeJS) or
|
||||||
`Output.secret(<value>`) (Python). In both cases, the returned value is an Output which may be passed around
|
`Output.secret(<value>`) (Python). In both cases, the returned value is an output which may be passed around
|
||||||
like any other. If this value flows into a resource, the plaintext will not be stored in the state file, but instead
|
like any other. If this value flows into a resource, the plaintext will not be stored in the state file, but instead
|
||||||
It will be encrypted, just like values added to config with `pulumi config set --secret`.
|
It will be encrypted, just like values added to config with `pulumi config set --secret`.
|
||||||
|
|
||||||
If an output which has been marked as secret is combiend with other outputs (either via `all` or `apply`) the
|
|
||||||
resulting output value will also be treated as a secret.
|
|
||||||
|
|
||||||
You can verify that values are being stored as you expect by running `pulumi stack export`, When values are encrypted
|
You can verify that values are being stored as you expect by running `pulumi stack export`, When values are encrypted
|
||||||
in the state file, they appear as an object with a special signiture key and a ciphertext property.
|
in the state file, they appear as an object with a special signiture key and a ciphertext property.
|
||||||
|
|
||||||
When ouputs of a stack are secrets, `pulumi stack output` will show `[secret]` as the value, by default. You can
|
When ouputs of a stack are secrets, `pulumi stack output` will show `[secret]` as the value, by default. You can
|
||||||
pass `--show-secrets` to `pulumi stack output` in order to see the actual raw value.
|
pass `--show-secrets` to `pulumi stack output` in order to see the actual raw value.
|
||||||
|
|
||||||
**Known Issues**
|
|
||||||
|
|
||||||
- If a function which captures a secret output is serialized, the raw value will be visible inside the
|
|
||||||
function source code, and if that function is used to create a resource like an AWS Lambda, the raw text will
|
|
||||||
end up present in the state file. We are working to improve this experience.
|
|
||||||
|
|
||||||
- When using `StackReference` to fetch outputs from a stack which has any secret values (even if they are not
|
|
||||||
exported as stack outputs) Pulumi will need to decrypt the existing state file. If you are using passphrase based
|
|
||||||
encryption (which is the case for all stacks managed by the local backend, and may be used on new stacks managed)
|
|
||||||
by the Pulumi Service, you must set PULUMI_CONFIG_PASSPHRASE to the passphrase for the stack you are taking a
|
|
||||||
reference to. This means that both the source stack and target stack must share the same passphrase.
|
|
||||||
We are working to improve this experience.
|
|
||||||
|
|
||||||
- When storing state with the Pulumi Service, you may now elect to use the passphrase based encryption for both secret
|
- When storing state with the Pulumi Service, you may now elect to use the passphrase based encryption for both secret
|
||||||
configuration values and values that are encrypted in a state file. To use this new feature, pass
|
configuration values and values that are encrypted in a state file. To use this new feature, pass
|
||||||
`--secrets-provider passphrase` to `pulumi new` or `pulumi stack init` when you initally create the stack. When you
|
`--secrets-provider passphrase` to `pulumi new` or `pulumi stack init` when you initally create the stack. When you
|
||||||
create the stack, you will be prompted for a passphrase (or if PULUMI_CONFIG_PASSPHRASE is set, it will be used).
|
create the stack, you will be prompted for a passphrase (or if `PULUMI_CONFIG_PASSPHRASE` is set, it will be used).
|
||||||
This passphrase is used to generate a unique key for your stack, and config values and encrypted state values are
|
This passphrase is used to generate a unique key for your stack, and config values and encrypted state values are
|
||||||
encrypted using AES-256-GCM. The key is derived from your passphrase, and while information to re-create it when
|
encrypted using AES-256-GCM. The key is derived from your passphrase, and while information to re-create it when
|
||||||
provided with your passphrase is stored in both the `Pulumi.<stack-name>.yaml` file and the state file for your stack,
|
provided with your passphrase is stored in both the `Pulumi.<stack-name>.yaml` file and the state file for your stack,
|
||||||
|
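Review bot: Deleting the entire **Known Issues** block goes well beyond wordsmithing: the removed bullets warn that a captured secret output ends up in plaintext inside serialized function source (and therefore in the state file for resources like an AWS Lambda), and that `StackReference` against a passphrase-encrypted stack requires `PULUMI_CONFIG_PASSPHRASE` to match the source stack. Both are caveats a user of the new secrets feature needs, and the sentence stating that outputs combined via `all` or `apply` remain secret is dropped too; if this material now lives elsewhere, the commit message should say where, otherwise it should stay. On the new side of `encrypted when being persisted in a state file. `[pulumi/pulumi#397](https://github.com/pulumi/pulumi/issues/397)`` the Markdown link is wrapped in backticks, so it will render as literal text rather than a link; remove the surrounding backticks. The pass also leaves several errors untouched on the new side: `signiture` (signature), `ouputs` (outputs), `initally` (initially), the mid-sentence capital in `It will be encrypted`, the comma in `` `pulumi stack export`, When values are encrypted `` that should be a period, and the misplaced closing backtick in `` `Output.secret(<value>`) `` which should read `` `Output.secret(<value>)` ``.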
@ -52,6 +36,8 @@
|
||||||
Stacks with encrypted secrets in their state files can only be managed by 0.17.11 or later of the CLI. Attempting
|
Stacks with encrypted secrets in their state files can only be managed by 0.17.11 or later of the CLI. Attempting
|
||||||
to use a previous version of the CLI with these stacks will result in an error.
|
to use a previous version of the CLI with these stacks will result in an error.
|
||||||
|
|
||||||
|
Fixes #397
|
||||||
|
|
||||||
### Improvements
|
### Improvements
|
||||||
|
|
||||||
- Add support for Azure Pipelines in CI environment detection.
|
- Add support for Azure Pipelines in CI environment detection.
|
||||||
|
|
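Review bot: The added `Fixes #397` line is an issue-closing keyword for a commit message or PR description, not changelog content; in the rendered CHANGELOG it appears as a bare, unbulleted line between the secrets entry and `### Improvements`, and the issue is already linked from the first bullet of the secrets entry in the hunk above. Move it to the commit message. Minor style point on the unchanged context: `0.17.11 or later of the CLI` reads more naturally as `version 0.17.11 or later of the CLI`.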