https://pulumi.com logo
#general
Title
# general
c

clever-nest-47198

08/26/2019, 2:18 PM
How do sensitive values from TF providers work in Pulumi? https://github.com/terraform-providers/terraform-provider-fastly/blob/master/fastly/resource_fastly_service_v1.go#L596 The TF provider marks the resource input as sensitive here, and we've created our own provider using pulumi-terraform-bridge here https://github.com/terraform-providers/terraform-provider-fastly/blob/master/fastly/resource_fastly_service_v1.go#L596 However, we don't see Pulumi treating it as a secret? Our S3 access keys show up in plaintext in the console output.
g

gentle-diamond-70147

08/26/2019, 4:26 PM
Pulumi does not yet mark them as secret automatically. We will do this in the future as part of https://github.com/pulumi/pulumi-terraform/issues/449. In the meantime, you can use
additional_secret_outputs
per https://www.pulumi.com/docs/intro/concepts/programming-model/#additionalsecretoutputs to mark specific resource properties as secrets.
c

colossal-plastic-46140

08/26/2019, 10:41 PM
So it looks like the masking works if you mask on the whole entire object. For example, we have s3loggings.s3SecretKey. Is it possible only mask the s3secretKey vs masking all the values in the s3loggings block?
g

gentle-diamond-70147

08/26/2019, 11:38 PM
Currently it can only be applied to top-level properties or objects. I've opened https://github.com/pulumi/pulumi/issues/3144 to track supporting nested properties.
c

colossal-plastic-46140

08/26/2019, 11:42 PM
👍