Determine secretness by checking raw string for the secret sentinel (#8179)

2021-10-08 14:43:10 -07:00 · 2021-10-08 14:43:10 -07:00 · a9a62bd761
parent d694276ed7
commit a9a62bd761
3 changed files with 21 additions and 2 deletions
--- a/CHANGELOG_PENDING.md
+++ b/CHANGELOG_PENDING.md
@ -22,3 +22,6 @@

 - [codegen/go] - Use `importBasePath` before `name` if specified
  [#8159](https://github.com/pulumi/pulumi/pull/8159)
+
+- [auto/go] - Mark entire exported map as secret if key in map is secret.
+  [#8179](https://github.com/pulumi/pulumi/pull/8179)
--- a/sdk/go/auto/local_workspace.go
+++ b/sdk/go/auto/local_workspace.go
@ -490,7 +490,12 @@ func (l *LocalWorkspace) StackOutputs(ctx context.Context, stackName string) (Ou

 	res := make(OutputMap)
 	for k, v := range secrets {
-		isSecret := outputs[k] == secretSentinel
+		raw, err := json.Marshal(outputs[k])
+		if err != nil {
+			return nil, errors.Wrapf(err, "error determining secretness: %s", secretStderr)
+		}
+		rawString := string(raw)
+		isSecret := strings.Contains(rawString, secretSentinel)
 		res[k] = OutputValue{
 			Value:  v,
 			Secret: isSecret,
--- a/sdk/go/auto/local_workspace_test.go
+++ b/sdk/go/auto/local_workspace_test.go
@ -1405,9 +1405,15 @@ func TestSupportsStackOutputs(t *testing.T) {
 	// initialize
 	s, err := NewStackInlineSource(ctx, stackName, pName, func(ctx *pulumi.Context) error {
 		c := config.New(ctx, "")
+
+		nestedObj := pulumi.Map{
+			"not_a_secret": pulumi.String("foo"),
+			"is_a_secret":  pulumi.ToSecret("iamsecret"),
+		}
 		ctx.Export("exp_static", pulumi.String("foo"))
 		ctx.Export("exp_cfg", pulumi.String(c.Get("bar")))
 		ctx.Export("exp_secret", c.GetSecret("buzz"))
+		ctx.Export("nested_obj", nestedObj)
 		return nil
 	})
 	if err != nil {
@ -1428,13 +1434,18 @@ func TestSupportsStackOutputs(t *testing.T) {
 	}

 	assertOutputs := func(t *testing.T, outputs OutputMap) {
-		assert.Equal(t, 3, len(outputs), "expected three outputs")
+		assert.Equal(t, 4, len(outputs), "expected four outputs")
 		assert.Equal(t, "foo", outputs["exp_static"].Value)
 		assert.False(t, outputs["exp_static"].Secret)
 		assert.Equal(t, "abc", outputs["exp_cfg"].Value)
 		assert.False(t, outputs["exp_cfg"].Secret)
 		assert.Equal(t, "secret", outputs["exp_secret"].Value)
 		assert.True(t, outputs["exp_secret"].Secret)
+		assert.Equal(t, map[string]interface{}{
+			"is_a_secret":  "iamsecret",
+			"not_a_secret": "foo",
+		}, outputs["nested_obj"].Value)
+		assert.True(t, outputs["nested_obj"].Secret)
 	}

 	initialOutputs, err := s.Outputs(ctx)