No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hi, What is the expected behavior of an `pulumi.config.require_object("config")` if the `config`  object has data that was deemed a secret. I am trying to understand if `require_object` automatically translates the portion of the object into a secret that was set by using pulumi config set --secret. FWIW it seems to mask the secret in pulumi preview, but when writing the state file it seems to be showing keys in plain text.

Yes - you must use `require_secret` to ensure the value is treated as a secret as part of the deployment (not serialized into any statefile). 

We will in the future make it an error to use other config functions on a secret config value (this is supported today for compatibility with how things worked prior to having deployment support for secrets). 

Thanks for the clarification. Is there currently a github issue for the above. I would love to follow along

<https://github.com/pulumi/pulumi/issues/3139|https://github.com/pulumi/pulumi/issues/3139>