Hi, I am just getting started with Pulumi. Works really, really great so far. Nonetheless I have a question 😅: What guarantees for applying updates does Pulumi have? As an example: I am using the (excellent) MongoDB Atlas package (https://www.pulumi.com/registry/packages/mongodbatlas/) for e.g. creating a database user. As the docs state, the password of the user will be saved in raw pulumi state:

IMPORTANT: All arguments including the password will be stored in the raw state as plain-text. Read more about sensitive data in state.

So my plan is to create a new user via Pulumi, go to the Mongo Web UI and update the password of this user. This works. Also after a redeployment the password doesn’t get updated (as long as the password in Pulumi code doesn’t change). But my question is: Is there a guarantee somewhere, that it doesn’t get updated if e.g. another property of the user gets changed? Can the current behaviour change? Is the current behaviour package dependent or general Pulumi behaviour, e.g. as long as it is not in the diff it doesn’t change?

@delightful-table-58879 I don't think that statement applies anymore for

DatabaseUser

. If I look at the Pulumi schema for that resource type, I can see the

password

property configured like this:

"password": {
                    "type": "string",
                    "secret": true
                },

This means that the password is not stored as clear text in the Pulumi state. Let's try this: create a

DatabaseUser

for test purposes and set the password using Pulumi. Apply the changes. Now go to your stack on our cloud portal, click on the

Resources

tab and click further on your

DatabaseUser

resource. The

password

property should show with some dots, similar to my screenshot. The dots mean this is a secret. Now run

pulumi stack export --file state.json

. Search in that file for

password

. I expect it to have an encrypted value.