Hi all, I have infrastructure in AWS that includes...
# google-cloud
h
Hi all, I have infrastructure in AWS that includes RDS Postgres. Now I am working on the same infrastructure in Google Cloud. I created Cloud SQL Postgres and see that the "password" input is stored as plaintext in the state file, while the "password" input is stored encrypted in the case of Amazon RDS. Is this a bug? As this is sensitive data, I believe it should always be stored encrypted. Thanks!
d
The password is encrypted in my state. How are you passing it in?
h
Input field is encrypted? I tried many ways:
1. Create the password in code using Pulumi.Random.RandomPassword (I use this approach with RDS)
2. Create a config secret value and pass it as config.RequireSecret("db_password")
In both variants the Input field is plaintext while the Output is encrypted
d
We're using config.requireSecret here. Do you have a secrets provider set up to provide the encryption?
h
Of course, I use an AWS S3 bucket with KMS key encryption as the backend
I use the google-native provider, not classic
d
If you export a value marked as secret, is that stored in plaintext or encrypted?
Something like export const foo = pulumi.secret("bar") should do if using TypeScript
h
Yes, it is stored encrypted
```csharp
    // Stack output marked as a secret
    TestSecure = Output.CreateSecret("test_secret_value");
}

[Output] public Output<string> TestSecure { get; set; }
```
The problem is not in encryption of the Output but in encryption of the Input
If you export your state and check the Input password value, is it encrypted or not?
d
Yes, it's encrypted in mine. Though I'm using GCP classic for the database
h
Thanks, I always try to use AWS native or Google native where possible )
Looks like it is a bug in the google-native provider, as the SQL User password Input field is also not encrypted
d
It's fine to use both at the same time, so you could set up the database with Classic, then have the rest with native
h
But they cover Cloud SQL with google-native, that's why I used it
d
The APIs are very similar, so it should all make sense to you. In the meantime, an issue should be raised about inputs not being encrypted: https://github.com/pulumi/pulumi-google-native/issues