Hello there, could someone help me check on import resource currently. I’m trying to import Cloudflare Tunnel with https://www.pulumi.com/registry/packages/cloudflare/api-docs/tunnel/#import but input

secret

is required and I didn’t find a way to add secret value during import,

Are you importing this with

pulumi import

or the import resource option?

@echoing-dinner-19531 I tried with

pulumi import cloudflare:index/tunnel:Tunnel example <account_id>/<tunnel_id>

and with

pulumi import -f resources.json

where content of resource is

{
	"resources": [{
			"type": "cloudflare:index/tunnel:Tunnel",
			"name": "cf-tunnel-01",
			"id": "<account_id>/<tunnel_id>",
            "secret": "<secret_base64_value>"
		}
}

also tried with python

example = cloudflare.Tunnel("example",
    account_id="<account_id>",
    name="cf-tunnel-01",
    secret="<secret_base64_value>=",
    opts=pulumi.ResourceOptions(import_=<tunnel_id>)

Ah thanks, ok this is probably a tricky one. Arguably this is just a bug in the Cloudflare provider because it's

Read

method isn't returning all the data for the object, but I expect this is one of the awkward cases where they don't give any read access to this property once set because it's sensitive. Can you raise an issue at https://github.com/pulumi/pulumi-cloudflare/issues about this, we might be able to come up with some shortterm instructions to manually edit the state to "fix" this, but sounds like longer term we'll either need to somehow get

Read

to find the property data or come up with some standard way to import things where we can't know all the property values for them.

Hi @echoing-dinner-19531, I just opened ticket https://github.com/pulumi/pulumi-cloudflare/issues/371. Please help take a look

I've ping in our internal chat about this. Teams will take a look next week 🙂

@echoing-dinner-19531 Could you help me guide how to modify

secret

and

tunnelToken

directly in state file

"outputs": {
                        "accountId": "<redacted>",
                        "cname": "<redacted>.<http://cfargotunnel.com|cfargotunnel.com>",
                        "id": "<redacted>",
                        "name": "test-tunnel",
                        "secret": {
                            "4dabf181XXX939515e22adb298388d": "1XXX061264138c4ac30d75fd1eb4XXX0",
                            "ciphertext": "v1:gMPrepTA/bQnmaFD:7XXXXBp0cnH9uPco6hH5SmpijRLnywxUMT9BoT1D0fu8gy+mpR65N1Eymrcn94XXXGEFr+DI="
                        },
                        "tunnelToken": {
                            "4dabf1819307XXX22adb298388d": "1b47061264XXX0d75fd1eb44270",
                            "ciphertext": "v1:XXXpa/ytRaEtdVt5:wDd+czD4u/ASEXXTX7TE1wNTT+3DidXU71u+/HWhoMDrDsgT8qvAIQQ385DnVPOejiPXurRcKWHBwa4rehoX7snAAD6XXU+V/1fWd/9h9SrBDG0MFGnuXmRJzHQuNGJjbgY5wm3aNIlOlpy0DlqIFb+UNKyjmUVkY2ZC/ubdUXQ9IaiA5qA7KznkGMFt03cl3teXXX10blxUNRSVBuzkG31wTrtw199cQDfNle9MrnQaaUhSPXDvWeRI4W"
                        }
                    },

Ah secret values are tricky to work with. The simplest way is generally to abuse "pulumi config set --secret" to use that to do the encryption let it write the ciphertext to your Pulumi.stack.yaml file and then just cut it from there and paste into the state file (it's the same encryption system in both files). Or even simpler if your not worried about these state files being seen is to just put the plain values in there for now. Also if you turn on

--show-secrets

for preview/up it'll give you the actual diff for the secret property rather than just

+ secret=[secret]