Many thanks for the support of propagating secrets and encrypting them in the state. I have a follow-on question: how do I do this with a generated secret value? The recommendation seems to be to use the

random

module. However, using the following code, the

result

value of the

RandomString

resource is still present in plaintext in the state (even though it’s correctly hidden as an attribute of the SSM Parameter.)

let password = pulumi.secret(new random.RandomString("my-password", {
        length: 32
    }).result);

    let param = new aws.ssm.Parameter("my-password", {
        name: "/my/password",
        type: "SecureString",
        value: password
    });

The

random

package in particular unfortunately puts the secret value in both the

value

field and the

id

field. Blocking out the secret in the latter requires addressing https://github.com/pulumi/pulumi/issues/2717. Blocking out any other property can be done with the

additionalSecretOutputs: ["value"]

resource option. This tells Pulumi that that output from the resource should be marked as secret.

oh, cool, looks like

additionalSecretOutputs

is just what I need. The

random.SecureString

resource isn’t setting an

id

(or at least, not one I can see in the state) so I think this is sufficient.