f705dde7fb
In our system, we model secrets as outputs with an additional bit of metadata that says they are secret. For Read and Register resource calls, our RPC interface says if the client side of the interface can handle secrets being returned (i.e. the language SDK knows how to sniff for the special signiture and resolve the output with the special bit set). For Invoke, we have no such model. Instead, we return a `Promise<T>` where T's shape has just regular property fields. There's no place for us to tack the secretness onto, since there are no Outputs. So, for now, don't even return secret values back across the invoke channel. We can still take them as arguments (which is good) but we can't even return secrets as part of invoke calls. This is not ideal, but given the way we model these sources, there's no way around this. Fortunately, the result of these invoke calls are not stored in the checkpoint and since the type is not Output<T> it will be clear that the underlying value is just present in plaintext. A user that wants to pass the result of an invoke into a resource can turn an existing property into a secret via `pulumi.secret`. |
||
---|---|---|
.. | ||
pulumi | ||
test | ||
MANIFEST.in | ||
setup.py |