https://pulumi.com logo
#general
Title
# general
b

bitter-island-28909

07/15/2019, 3:08 PM
Many thanks for the support of propagating secrets and encrypting them in the state. I have a follow-on question: how do I do this with a generated secret value? The recommendation seems to be to use the
random
module. However, using the following code, the
result
value of the
RandomString
resource is still present in plaintext in the state (even though it’s correctly hidden as an attribute of the SSM Parameter.)
Copy code
let password = pulumi.secret(new random.RandomString("my-password", {
        length: 32
    }).result);

    let param = new aws.ssm.Parameter("my-password", {
        name: "/my/password",
        type: "SecureString",
        value: password
    });
w

white-balloon-205

07/15/2019, 7:35 PM
The
random
package in particular unfortunately puts the secret value in both the
value
field and the
id
field. Blocking out the secret in the latter requires addressing https://github.com/pulumi/pulumi/issues/2717. Blocking out any other property can be done with the
additionalSecretOutputs: ["value"]
resource option. This tells Pulumi that that output from the resource should be marked as secret.
b

bitter-island-28909

07/15/2019, 8:17 PM
oh, cool, looks like
additionalSecretOutputs
is just what I need. The
random.SecureString
resource isn’t setting an
id
(or at least, not one I can see in the state) so I think this is sufficient.
thank you!