I've been working on an upgrade of the aws-native python module. A result of that is that I have some resources I'm state deleting and re-importing. For the aws-native stuff that's fine. However, we provision an RDS instance and then use the pulumi-postgresql module to then configure users and permissions inside of it. Since those are parented into the RDS instance, that means I've had to state delete them as well. Importing them has proven to be challenging. To set up the hostname and password, we use a custom Provider, which works fine in code but doesn't seem to be possible to use with

pulumi import

. This means I'm attempting to use the

import_

resource option instead. I have gotten to a point where almost everything is working, but the import says there are diffs between my defined users and the real ones I'm trying to import. The diff is just

password: [secret] => [secret]

. I'm certain those actually are the same, but I can't verify because they're masked. And since I can't use

pulumi import

, I don't have autogenerated code to fall back on. The only last thing I can think of is to drop the users, but they're not only used for production workloads (I'm testing this first in a lower environment) but associated with production data schemas, and I don't really want to get into deleting and recreating our tables and restoring the data from backups. I would be happy to force an import with mismatched data and have it change the fields to what I have defined in code, but I don't see a way to do this.

The secrets not showing is a limitation, upvote this issue: https://github.com/pulumi/pulumi/issues/9830