Previously, we would unconditionally warn anytime you added a non-secret
config:
$ pulumi config set aws:region us-west-2
warning: saved config key '%s' value '%s' as plaintext;
re-run with --secret to encrypt the value instead.
Use --plaintext to avoid this warning
This was particularly annoying, since it is very common to store
non-secret config. For instance, the AWS region. And it was easy to tune
out because it wasn't actually warning about anything interesting.
This change, which resolvespulumi/pulumi#570, uses an approach similar
to Go's gas linter, to detect high entropy values, and issue an error.
This ensures that we only make noise on things we suspect are actually
secrets being stored in plaintext, and forces the user to pass
--plaintext. For instance, the common case issues no errors:
$ pulumi config set aws:region us-west-2
And in the event that you store something that is secret-like:
$ pulumi config set aws:region nq8r4B4xslzrtj0a3
error: config value 'nq8r4B4xslzrtj0a3' looks like a secret;
rerun with --secret to encrypt it, or --plaintext if you meant
to store in plaintext
To suppress this, simply pass --secret (to encrypt) or --plaintext (to
override the warning).
b2c91f7c24