maxmustermann/pulumi
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
pulumi/cmd/update.go
Matt Ellis ade366544e Encrypt secrets in Pulumi.yaml 
We now encrypt secrets at rest based on a key derived from a user
suplied passphrase.

The system is designed in a way such that we should be able to have a
different decrypter (either using a local key or some remote service
in the Pulumi.com case in the future).

Care is taken to ensure that we do not leak decrypted secrets into the
"info" section of the checkpoint file (since we currently store the
config there).

In addtion, secrets are "pay for play", a passphrase is only needed
when dealing with a value that's encrypted. If secure config values
are not used, `pulumi` will never prompt you for a
passphrase. Otherwise, we only prompt if we know we are going to need
to decrypt the value. For example, `pulumi config <key>` only prompts
if `<key>` is encrypted and `pulumi deploy` and friends only prompt if
you are targeting a stack that has secure configuration assoicated
with it.

Secure values show up as unecrypted config values inside the language
hosts and providers.
2017-10-24 16:48:12 -07:00

112 lines
3.6 KiB
Go
Raw Blame History

// Copyright 2016-2017, Pulumi Corporation. All rights reserved.
package cmd
import (
"github.com/spf13/cobra"
"github.com/pulumi/pulumi/pkg/engine"
"github.com/pulumi/pulumi/pkg/resource/config"
"github.com/pulumi/pulumi/pkg/util/cmdutil"
)
func newUpdateCmd() *cobra.Command {
var analyzers []string
var debug bool
var dryRun bool
var stack string
var parallel int
var showConfig bool
var showReplacementSteps bool
var showSames bool
var summary bool
var cmd = &cobra.Command{
Use: "update",
Aliases: []string{"up"},
SuggestFor: []string{"deploy", "push"},
Short: "Update the resources in an stack",
Long: "Update the resources in an stack\n" +
"\n" +
"This command updates an existing stack whose state is represented by the\n" +
"existing snapshot file. The new desired state is computed by compiling and evaluating an\n" +
"executable package, and extracting all resource allocations from its resulting object graph.\n" +
"These allocations are then compared against the existing state to determine what operations\n" +
"must take place to achieve the desired state. This command results in a full snapshot of the\n" +
"stack's new resource state, so that it may be updated incrementally again later.\n" +
"\n" +
"The package to execute is loaded from the current directory. Use the `-C` or `--cwd` flag to\n" +
"use a different directory.",
Run: cmdutil.RunFunc(func(cmd *cobra.Command, args []string) error {
stackName, err := explicitOrCurrent(stack)
if err != nil {
return err
}
cfg, err := getConfiguration(stackName)
if err != nil {
return err
}
var decrypter config.ValueDecrypter = panicCrypter{}
if hasSecureValue(cfg) {
decrypter, err = getSymmetricCrypter()
if err != nil {
return err
}
}
localProvider := localStackProvider{decrypter: decrypter}
pulumiEngine := engine.Engine{Targets: localProvider, Snapshots: localProvider}
events := make(chan engine.Event)
done := make(chan bool)
go displayEvents(events, done, debug)
if err = pulumiEngine.Deploy(stackName, events, engine.DeployOptions{
DryRun: dryRun,
Analyzers: analyzers,
Parallel: parallel,
ShowConfig: showConfig,
ShowReplacementSteps: showReplacementSteps,
ShowSames: showSames,
Summary: summary,
}); err != nil {
return err
}
<-done
close(events)
close(done)
return nil
}),
}
cmd.PersistentFlags().StringSliceVar(
&analyzers, "analyzer", []string{},
"Run one or more analyzers as part of this update")
cmd.PersistentFlags().BoolVarP(
&debug, "debug", "d", false,
"Print detailed debugging output during resource operations")
cmd.PersistentFlags().StringVarP(
&stack, "stack", "s", "",
"Choose an stack other than the currently selected one")
cmd.PersistentFlags().IntVarP(
&parallel, "parallel", "p", 0,
"Allow P resource operations to run in parallel at once (<=1 for no parallelism)")
cmd.PersistentFlags().BoolVar(
&showConfig, "show-config", false,
"Show configuration keys and variables")
cmd.PersistentFlags().BoolVar(
&showReplacementSteps, "show-replacement-steps", true,
"Show detailed resource replacement creates and deletes instead of a single step")
cmd.PersistentFlags().BoolVar(
&showSames, "show-sames", false,
"Show resources that needn't be updated because they haven't changed, alongside those that do")
cmd.PersistentFlags().BoolVar(
&summary, "summary", false,
"Only display summarization of resources and operations")
return cmd
}
Reference in a new issue View git blame Copy permalink