Ensure pulumi history marks secrets that can't be un-encrypted as such (#5701)

CHANGELOG.md

@@ -3,6 +3,9 @@ CHANGELOG
 
 ## HEAD (Unreleased)
 
+- [cli] Ensure `pulumi history` annotes when secrets are unable to be decrypted
+  [#5701](https://github.com/pulumi/pulumi/pull/5701)
+
 - Fix a bug in the Python SDK that caused incompatibilities with versions of the CLI prior to 
   2.13.0.
   [#5702](https://github.com/pulumi/pulumi/pull/5702)

pkg/cmd/pulumi/stack_history.go

@@ -18,6 +18,8 @@ import (
 	"github.com/pulumi/pulumi/sdk/v2/go/common/util/cmdutil"
 )
 
+const errorDecryptingValue = "ERROR_UNABLE_TO_DECRYPT"
+
 func newStackHistoryCmd() *cobra.Command {
 	var stack string
 	var jsonOut bool
@@ -109,9 +111,12 @@ func displayUpdatesJSON(updates []backend.UpdateInfo, decrypter config.Decrypter
 			if !v.Secure() || (v.Secure() && decrypter != nil) {
 				value, err := v.Value(decrypter)
 				if err != nil {
-					return err
+					// We don't actually want to error here
+					// we are just going to mark as "UNKNOWN" and then let the command continue
+					configValue.Value = makeStringRef(errorDecryptingValue)
+				} else {
+					configValue.Value = makeStringRef(value)
 				}
-				configValue.Value = makeStringRef(value)
 
 				if v.Object() {
 					var obj interface{}
@@ -121,7 +126,6 @@ func displayUpdatesJSON(updates []backend.UpdateInfo, decrypter config.Decrypter
 					configValue.ObjectValue = obj
 				}
 			}
-
 			info.Config[k.String()] = configValue
 		}
 		info.Result = string(update.Result)