https://pulumi.com logo
#general
Title
# general
c

cool-egg-852

11/07/2019, 8:45 PM
Anyone know why the passwords for
gcp.sql.User
are not automatically encrypted?
g

gentle-diamond-70147

11/07/2019, 8:50 PM
Don't know offhand why that is. You can use
additionalSecretOutputs
to ensure they are though - https://www.pulumi.com/docs/intro/concepts/programming-model/#additionalsecretoutputs.
c

cool-egg-852

11/07/2019, 8:51 PM
Yeah, I only discovered this today by accident. Shouldn’t have to do that though.
g

gentle-diamond-70147

11/07/2019, 8:56 PM
Agreed.
w

white-balloon-205

11/07/2019, 10:30 PM
c

cool-egg-852

11/07/2019, 10:32 PM
Ah so it is related to that issue after all.
Is there any idea on when it will be fixed? It’s actually a bit of a security issue unless you know it’s broken to apply the change @gentle-diamond-70147 mentioned.
w

white-balloon-205

11/07/2019, 10:55 PM
It's not "broken" per se - it's just the case that you have to explicitly indicate any place you want things to be secret. We definitely want to make this automatic in some cases, but it's a little dangerous to only rely on that - the things that are sensitive for you may not necessarily be marked as
Sensitive
in the upstream TF schema. The biggest issues with that change is that it will break some existing code - we want to be really careful about that to avoid disruption (perhaps even requiring explicit opt-in).
c

cool-egg-852

11/07/2019, 11:08 PM
IMO I would break the existing code and require opt-out. It’s actually a security issue in that anyone would expect this to be automatically done by default. We’ve been using pulumi for months now and only just realized this as an example. If we had other people who don’t have access to these secrets via another mechanism, then we would have more serious issues. Anything that pulumi knows is sensitive should automatically be handled. Given that pulumi already does this elsewhere, I consider this broken because it goes against expected behavior.