Anyone know why the passwords for `gcp.sql.User` a...
# general
c
Anyone know why the passwords for `gcp.sql.User` are not automatically encrypted?
g
Don't know offhand why that is. You can use `additionalSecretOutputs` to ensure they are though - https://www.pulumi.com/docs/intro/concepts/programming-model/#additionalsecretoutputs.
c
Yeah, I only discovered this today by accident. Shouldn’t have to do that though.
g
Agreed.
w
c
Ah so it is related to that issue after all.
Is there any idea on when it will be fixed? It’s actually a bit of a security issue unless you know it’s broken to apply the change @gentle-diamond-70147 mentioned.
w
It's not "broken" per se - it's just the case that you have to explicitly indicate any place you want things to be secret. We definitely want to make this automatic in some cases, but it's a little dangerous to only rely on that - the things that are sensitive for you may not necessarily be marked as `Sensitive` in the upstream TF schema. The biggest issue with that change is that it will break some existing code - we want to be really careful about that to avoid disruption (perhaps even requiring explicit opt-in).
c
IMO I would break the existing code and require opt-out. It’s actually a security issue in that anyone would expect this to be automatically done by default. We’ve been using pulumi for months now and only just realized this as an example. If we had other people who don’t have access to these secrets via another mechanism, then we would have more serious issues. Anything that pulumi knows is sensitive should automatically be handled. Given that pulumi already does this elsewhere, I consider this broken because it goes against expected behavior.