The pulumi-command provider I am building breaks if something is a secret. This line returns the error “Could not convert input: cannot convert *structpb.Struct to string”. This makes sense because pulumi secrets in state are objects instead of strings. Is there a way to have pulumi pass the secret in the clear and have it handle the string->object conversion? https://github.com/brandonkal/pulumi-command/blob/master/pkg/structpbconv/structpbconv.go#L119

I'd suggest using

plugin.UnmarshalProperties

(and

plugin.MarshalProperties

if you need to pass data back) to interpret the data on the RPC interface if you are implementing in Go. That includes much of the core interpretation of the wire format of the Pulumi Object Model - including some of the serialization/deserialization of things like secrets, assets, unknowns, etc. All existing providers use this as the first step in interpreting the values of properties structs from the RPC layer. https://github.com/pulumi/pulumi/blob/HEAD/pkg/resource/plugin/rpc.go#L203:6 An example of where this gets used for tf-bridged providers: https://github.com/pulumi/pulumi-terraform-bridge/blob/master/pkg/tfbridge/schema.go#L748

Thanks again. I found that if I set AcceptSecrets: false in the ConfigureResponse, pulumi passes me the raw value instead. I initially used

plugin.UnmarshalProperties

but found it rather difficult especially with nested structures because it returns an untyped map instead.

Yes - that's true. FWIW - In most other providers we have, we do a schema-driven serizaliztion/deserialzation of that untyped map into some structure that the target cloud understand (Terraform resource schema for tfbridge or JSON-Schema for Kubernetes). We expect in the future to have a "simpler" wrapper API for implementing providers in Go driven by a schematization (and possibly struct tags).