Hi, I am just getting started with Pulumi. Works r...
# getting-started
Hi, I am just getting started with Pulumi. Works really, really great so far. Nonetheless I have a question 😅: What guarantees for applying updates does Pulumi have? As an example: I am using the (excellent) MongoDB Atlas package (https://www.pulumi.com/registry/packages/mongodbatlas/) for e.g. creating a database user. As the docs state, the password of the user will be saved in raw pulumi state:
IMPORTANT: All arguments including the password will be stored in the raw state as plain-text. Read more about sensitive data in state.
So my plan is to create a new user via Pulumi, go to the Mongo Web UI and update the password of this user. This works. Also after a redeployment the password doesn’t get updated (as long as the password in Pulumi code doesn’t change). But my question is: Is there a guarantee somewhere, that it doesn’t get updated if e.g. another property of the user gets changed? Can the current behaviour change? Is the current behaviour package dependent or general Pulumi behaviour, e.g. as long as it is not in the diff it doesn’t change?
@delightful-table-58879 I don't think that statement applies anymore for
. If I look at the Pulumi schema for that resource type, I can see the
property configured like this:
Copy code
"password": {
                    "type": "string",
                    "secret": true
This means that the password is not stored as clear text in the Pulumi state. Let's try this: create a
for test purposes and set the password using Pulumi. Apply the changes. Now go to your stack on our cloud portal, click on the
tab and click further on your
resource. The
property should show with some dots, similar to my screenshot. The dots mean this is a secret. Now run
pulumi stack export --file state.json
. Search in that file for
. I expect it to have an encrypted value.