https://pulumi.com logo
#general
Title
# general
r

rhythmic-finland-36256

05/26/2020, 6:25 PM
Marking fields (outputs) of custom components as secret when creating own `ComponentResource`s…
I’m using `ComponentResource`s to modularize my pulumi programs. Inside those I often also create (in the Azure case) `ServicePrincipal`s with random passwords. In most cases, those passwords are only consumed internally from another component. Sometimes, e.g. when creating an
ACR
(container registry) I also want to export the push credential of that component so that I can use it from the CI system.
What is the correct way to mark one of the exported fields as secret?
There is
additionalResourceOutputs
but this only works with `CustomResource`s and not with `ComponentResource`s and I would like to handle that inside my component and don’t want to make the consumer of the component responsible to do so… https://www.pulumi.com/docs/intro/concepts/programming-model/#additionalsecretoutputs
That flag is there for
CustomResourceOptions
but not for
ComponentResourceOptions
class…
But anyways, I would prefer to do this when registering the fields inside the resource, not when using the resource itself.
I’m using typescript and I got the feeling that I might have misused that concept of ComponentResource fields because I never really did it with
registerOutputs
but just assigned the fields…
I found out others have similar feelings about this function. Especially in Typescript it felt strange to create a
readonly
property that must be initialized
undefined
to later set the value. I remember having some issues with not populated fields when I used constructor-local variables and called
registerOutputs
on those fields https://github.com/pulumi/pulumi/issues/2653
So in my components I’m only calling
registerOutputs
to conform to the desired behaviour of telling pulumi that I’m done setting the fields…
Sorry for drifting into the
registerOutputs
part. I just wanted to make sure that I might be using it wrong because I don’t pass the values there. But it seems that calling this method differently would not help either.
So to summarize, the question is: If I build a
ComponentResource
and inside create a
RandomPassword
and want to expose that as an output (aka
readonly
property of my
ComponentResource
) how can I mark this property to be treated as a secret value so that if someone does a top-level
export const pass = myComponentResource.password;
won’t print in clear text? It would also be fine to pass in something when creating the resource. But as said,
additionalSecretOutputs
is not there for
ComponentResourceOptions
.
w

white-balloon-205

05/26/2020, 7:10 PM
You will generally want to mark as secret at the point the data comes from outside of Pulumi, so that it is treated as a secret throughout the process (and not inadvertently serialized as it comes into Pulumi). As a result, for "most" cases, you will only need to think about this for CustomResoruces - as those are the resources that directly interface with the outside world.
If I build a 
ComponentResource
 and inside create a 
RandomPassword
 and want to expose that as an output (aka 
readonly
 property of my 
ComponentResource
) how can I mark this property to be treated as a secret value so that if someone does a top-level 
export const pass = myComponentResource.password;
 won’t print in clear text?
In this case, the key thing to do is to make sure the output of the
RandomPassword
is secret. If you don't do that, the output of that resource will end up in plaintext in the statefile regardless of what your component decides to do with its outputs. So you will want to use
additionalSecretOutputs
on the
RandomPassword
. Then, that output will be marked as secret, and everywhere else it flows it will remain a secret - including as an output of your component. Note that once https://github.com/pulumi/pulumi-terraform-bridge/issues/10 is addressed, this whole thing should be automatic - the output of
RandomPassword
will automatically be a secret without you needing to say anything, and thay will flow through the rest of the Pulumi code naturally. Does that help?
r

rhythmic-finland-36256

05/27/2020, 3:25 PM
Thanks for that detailed explanation. That completely explains why there is no
additionalSecretOutputs
on `ComponentResource`s. Marking the
result
on the
RandomPassword
accordingly did the trick. I had expected this to be the default for this resource that’s why I was wondering if I need to specify it again on my `ComponentResource`s. Might be great to have this in the samples/docs as for now basically everyone should do it like this when creating a
RandomPassword
. Thanks for your help! 👍