Many thanks for the support of propagating secrets...
# general
b
Many thanks for the support of propagating secrets and encrypting them in the state. I have a follow-on question: how do I do this with a generated secret value? The recommendation seems to be to use the `random` module. However, using the following code, the `result` value of the `RandomString` resource is still present in plaintext in the state (even though it’s correctly hidden as an attribute of the SSM Parameter.)
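```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as random from "@pulumi/random";

// Wrapping the output marks it secret only for downstream consumers.
let password = pulumi.secret(new random.RandomString("my-password", {
    length: 32
}).result);

let param = new aws.ssm.Parameter("my-password", {
    name: "/my/password",
    type: "SecureString",
    value: password
});
```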
w
The `random` package in particular unfortunately puts the secret value in both the `value` field and the `id` field. Blocking out the secret in the latter requires addressing https://github.com/pulumi/pulumi/issues/2717. Blocking out any other property can be done with the `additionalSecretOutputs: ["value"]` resource option. This tells Pulumi that that output from the resource should be marked as secret.
b
oh, cool, looks like `additionalSecretOutputs` is just what I need. The `random.SecureString` resource isn’t setting an `id` (or at least, not one I can see in the state) so I think this is sufficient.
thank you!