Ensure Old Secrets Provider Details Removed when Changing to Passphrase (#6210)

Co-authored-by: Justin Van Patten <jvp@justinvp.com>
2021-01-27 20:07:25 +00:00 · 2021-01-27 20:07:25 +00:00 · d72b788011
parent 30a4fc789b
commit d72b788011
2 changed files with 10 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -9,6 +9,9 @@ CHANGELOG
 - [sdk/go] Take a breaking change to remove unidiomatic numerical types and drastically improve build performance (binary size and compilation time).
  [#6143](https://github.com/pulumi/pulumi/pull/6143)

+- [cli] Ensure `pulumi stack change-secrets-provider` allows rotating the key from hashivault to passphrase provider
+  [#6210](https://github.com/pulumi/pulumi/pull/6210)
+
 ## 2.18.2 (2021-01-22)

 - [CLI] Fix malformed resource value bug.
--- a/pkg/cmd/pulumi/crypto_local.go
+++ b/pkg/cmd/pulumi/crypto_local.go
@ -78,6 +78,13 @@ func newPassphraseSecretsManager(stackName tokens.QName, configFile string,
 		info.EncryptionSalt = ""
 	}

+	// If there are any other secrets providers set in the config, remove them, as the passphrase
+	// provider deals only with EncryptionSalt, not EncryptedKey or SecretsProvider.
+	if info.EncryptedKey != "" || info.SecretsProvider != "" {
+		info.EncryptedKey = ""
+		info.SecretsProvider = ""
+	}
+
 	// If we have a salt, we can just use it.
 	if info.EncryptionSalt != "" {
 		for {