This message was deleted.

Yes, as the providers do not identify which properties are sensitive/secret it is up to you to mark these to be encrypted in state. This can be done using the 3rd parameter when creating a resource https://www.pulumi.com/docs/intro/concepts/programming-model/#resourceoptions Using the

additionalSecretOutputs

property. Additionally you can mark other user created config, inputs and outputs as secret as well https://www.pulumi.com/docs/intro/concepts/config/

Woo. That's nice. Thanks @gray-ambulance-59402. Also is there a quick way for encrypting all the outputs in a single statement? Something like Additionalsecretoutputs = {"*"}?

np. As for encryption of all properties I'm not aware of a way currently as

Additionalsecretsoutputs

expects a list of strings of the property names. However it may be possible with reflection to list the output property names and pass this in? May be worth raising an issue if you think that this functionality could be useful? I'm not sure what the use case would be for encrypting all properties of a resource would be though

The use case here is like, if the state file is compromised, entire infra secrets is available in raw text in the state file and the attacker gain access to all components in the infra. So if the state secrets are encrypted using a secret which is only accessible to a service principal that is using for deploy, We can make sure, the infra components are safe even if the state file is compromised.