hallowed-intern-40532

09/12/2023, 12:58 PM
Hi all, I have infrastructure in AWS that includes RDS Postgres. Now I am working on the same infrastructure in Google Cloud. I created Cloud SQL Postgres and see that the "password" input is stored as plaintext in the state file, while the "password" input is stored encrypted in the case of Amazon RDS. Is this a bug? As this is sensitive data, I believe it always should be stored as encrypted. Thanks!

dry-keyboard-94795

09/12/2023, 1:02 PM
The password is encrypted in my state. How are you passing it in?

hallowed-intern-40532

09/12/2023, 1:09 PM
Input field is encrypted? I tried many ways:
1. Create the password in code using Pulumi.Random.RandomPassword (I use this approach with RDS)
2. Create a config secret value and pass it as config.RequireSecret("db_password")
In both variants the Input field is plaintext while the Output is encrypted

dry-keyboard-94795

09/12/2023, 1:11 PM
We're using config.requireSecret here. Do you have a secrets provider set up to provide the encryption?

hallowed-intern-40532

09/12/2023, 1:11 PM
Of course, I use an AWS S3 bucket with KMS key encryption as the backend
I use the google-native provider, not classic

dry-keyboard-94795

09/12/2023, 1:17 PM
if you export a value marked as secret, is that stored in plaintext or encrypted?
something like export const foo = pulumi.secret("bar") should do if using typescript

hallowed-intern-40532

09/12/2023, 1:38 PM
yes, it is stored encrypted
TestSecure = Output.CreateSecret("test_secret_value");

}
[Output] public Output<string> TestSecure { get; set; }
The problem is not in the encryption of Output but in the encryption of Input
If you export your state and check the Input password value, is it encrypted or not?

dry-keyboard-94795

09/12/2023, 1:42 PM
yes, it's encrypted in mine. Though I'm using gcp classic for the database

hallowed-intern-40532

09/12/2023, 1:43 PM
Thanks, I always try to use aws native or google native where it is possible )
Looks like it is a bug in the google-native provider, as the SQL User password Input field is also not encrypted

dry-keyboard-94795

09/12/2023, 1:44 PM
It's fine to use both at the same time, so you could set up the database with Classic, then have the rest with native

hallowed-intern-40532

09/12/2023, 1:45 PM
But they cover Cloud SQL with google-native that's why I used it

dry-keyboard-94795

09/12/2023, 2:05 PM
The APIs are very similar, so it should all make sense to you. In the meantime, an issue should be raised about inputs not being encrypted: https://github.com/pulumi/pulumi-google-native/issues