ade366544e
We now encrypt secrets at rest based on a key derived from a user suplied passphrase. The system is designed in a way such that we should be able to have a different decrypter (either using a local key or some remote service in the Pulumi.com case in the future). Care is taken to ensure that we do not leak decrypted secrets into the "info" section of the checkpoint file (since we currently store the config there). In addtion, secrets are "pay for play", a passphrase is only needed when dealing with a value that's encrypted. If secure config values are not used, `pulumi` will never prompt you for a passphrase. Otherwise, we only prompt if we know we are going to need to decrypt the value. For example, `pulumi config <key>` only prompts if `<key>` is encrypted and `pulumi deploy` and friends only prompt if you are targeting a stack that has secure configuration assoicated with it. Secure values show up as unecrypted config values inside the language hosts and providers.
112 lines
3.6 KiB
Go
112 lines
3.6 KiB
Go
// Copyright 2016-2017, Pulumi Corporation. All rights reserved.
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"github.com/spf13/cobra"
|
|
|
|
"github.com/pulumi/pulumi/pkg/engine"
|
|
"github.com/pulumi/pulumi/pkg/resource/config"
|
|
"github.com/pulumi/pulumi/pkg/util/cmdutil"
|
|
)
|
|
|
|
func newUpdateCmd() *cobra.Command {
|
|
var analyzers []string
|
|
var debug bool
|
|
var dryRun bool
|
|
var stack string
|
|
var parallel int
|
|
var showConfig bool
|
|
var showReplacementSteps bool
|
|
var showSames bool
|
|
var summary bool
|
|
var cmd = &cobra.Command{
|
|
Use: "update",
|
|
Aliases: []string{"up"},
|
|
SuggestFor: []string{"deploy", "push"},
|
|
Short: "Update the resources in an stack",
|
|
Long: "Update the resources in an stack\n" +
|
|
"\n" +
|
|
"This command updates an existing stack whose state is represented by the\n" +
|
|
"existing snapshot file. The new desired state is computed by compiling and evaluating an\n" +
|
|
"executable package, and extracting all resource allocations from its resulting object graph.\n" +
|
|
"These allocations are then compared against the existing state to determine what operations\n" +
|
|
"must take place to achieve the desired state. This command results in a full snapshot of the\n" +
|
|
"stack's new resource state, so that it may be updated incrementally again later.\n" +
|
|
"\n" +
|
|
"The package to execute is loaded from the current directory. Use the `-C` or `--cwd` flag to\n" +
|
|
"use a different directory.",
|
|
Run: cmdutil.RunFunc(func(cmd *cobra.Command, args []string) error {
|
|
stackName, err := explicitOrCurrent(stack)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
cfg, err := getConfiguration(stackName)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
var decrypter config.ValueDecrypter = panicCrypter{}
|
|
|
|
if hasSecureValue(cfg) {
|
|
decrypter, err = getSymmetricCrypter()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
localProvider := localStackProvider{decrypter: decrypter}
|
|
pulumiEngine := engine.Engine{Targets: localProvider, Snapshots: localProvider}
|
|
|
|
events := make(chan engine.Event)
|
|
done := make(chan bool)
|
|
|
|
go displayEvents(events, done, debug)
|
|
|
|
if err = pulumiEngine.Deploy(stackName, events, engine.DeployOptions{
|
|
DryRun: dryRun,
|
|
Analyzers: analyzers,
|
|
Parallel: parallel,
|
|
ShowConfig: showConfig,
|
|
ShowReplacementSteps: showReplacementSteps,
|
|
ShowSames: showSames,
|
|
Summary: summary,
|
|
}); err != nil {
|
|
return err
|
|
}
|
|
|
|
<-done
|
|
close(events)
|
|
close(done)
|
|
return nil
|
|
}),
|
|
}
|
|
|
|
cmd.PersistentFlags().StringSliceVar(
|
|
&analyzers, "analyzer", []string{},
|
|
"Run one or more analyzers as part of this update")
|
|
cmd.PersistentFlags().BoolVarP(
|
|
&debug, "debug", "d", false,
|
|
"Print detailed debugging output during resource operations")
|
|
cmd.PersistentFlags().StringVarP(
|
|
&stack, "stack", "s", "",
|
|
"Choose an stack other than the currently selected one")
|
|
cmd.PersistentFlags().IntVarP(
|
|
¶llel, "parallel", "p", 0,
|
|
"Allow P resource operations to run in parallel at once (<=1 for no parallelism)")
|
|
cmd.PersistentFlags().BoolVar(
|
|
&showConfig, "show-config", false,
|
|
"Show configuration keys and variables")
|
|
cmd.PersistentFlags().BoolVar(
|
|
&showReplacementSteps, "show-replacement-steps", true,
|
|
"Show detailed resource replacement creates and deletes instead of a single step")
|
|
cmd.PersistentFlags().BoolVar(
|
|
&showSames, "show-sames", false,
|
|
"Show resources that needn't be updated because they haven't changed, alongside those that do")
|
|
cmd.PersistentFlags().BoolVar(
|
|
&summary, "summary", false,
|
|
"Only display summarization of resources and operations")
|
|
|
|
return cmd
|
|
}
|