https://pulumi.com logo
#getting-started
Title
# getting-started
d

delightful-table-58879

03/04/2024, 1:15 PM
Hi, I am just getting started with Pulumi. Works really, really great so far. Nonetheless I have a question 😅: What guarantees for applying updates does Pulumi have? As an example: I am using the (excellent) MongoDB Atlas package (https://www.pulumi.com/registry/packages/mongodbatlas/) for e.g. creating a database user. As the docs state, the password of the user will be saved in raw pulumi state:
IMPORTANT: All arguments including the password will be stored in the raw state as plain-text. Read more about sensitive data in state.
So my plan is to create a new user via Pulumi, go to the Mongo Web UI and update the password of this user. This works. Also after a redeployment the password doesn’t get updated (as long as the password in Pulumi code doesn’t change). But my question is: Is there a guarantee somewhere, that it doesn’t get updated if e.g. another property of the user gets changed? Can the current behaviour change? Is the current behaviour package dependent or general Pulumi behaviour, e.g. as long as it is not in the diff it doesn’t change?
l

limited-rainbow-51650

03/06/2024, 3:42 PM
@delightful-table-58879 I don't think that statement applies anymore for
DatabaseUser
. If I look at the Pulumi schema for that resource type, I can see the
password
property configured like this:
Copy code
"password": {
                    "type": "string",
                    "secret": true
                },
This means that the password is not stored as clear text in the Pulumi state. Let's try this: create a
DatabaseUser
for test purposes and set the password using Pulumi. Apply the changes. Now go to your stack on our cloud portal, click on the
Resources
tab and click further on your
DatabaseUser
resource. The
password
property should show with some dots, similar to my screenshot. The dots mean this is a secret. Now run
pulumi stack export --file state.json
. Search in that file for
password
. I expect it to have an encrypted value.