Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
i
icy-jordan-58549
04/11/2022, 11:39 AMany ideas, why my preview always shows this changes? even if I use
pulumi.unsecretb
bored-oyster-3147
04/11/2022, 3:00 PMAre you use “—show-secrets” with your preview command?
i
icy-jordan-58549
04/12/2022, 12:25 PM@bored-oyster-3147 no
just regular
pulumi upb
bored-oyster-3147
04/12/2022, 12:28 PMDo the preview yourself. Tell it to show secrets if you want secrets in your logs. Then skip the preview with your up invocation.
It doesn't show secrets by default. Imagine running pulumi in continuous deployment and having your secrets preserved in those logs for as long as your artifact retention.
i
icy-jordan-58549
04/12/2022, 12:29 PMthe problem here is, I don’t want any secrets to be in the preview logs
this is just a regular URL, which is not secret and I want to
unsecretgithub action that detects “changes” every single time shows this change, which doesn’t make any sense to keep it running continuously 😞
so the flow is like this: 1) pulumi up (i get this change from secret to output<string>) 2) okay, let’s apply it 3) try again - it shows the same transformation from secret to output
¯\_(ツ)_/¯
b
bored-oyster-3147
04/12/2022, 12:34 PMI'm having a hard time understanding your flow example and getting the problem from it. What do you mean by “get this change from secret to output”? A secret and non-secrets use the same type in pulumi, they are both outputs.
There is no “secret” type. The log is not saying that the secret is transforming into an output, it is telling you that the secret is a string. The arrow may be misleading in that case
I'm incorrect. I'm sorry. I clearly need coffee. It looks like it is in fact telling you that if you apply the change it will unsecret it. You're saying that doesn't work?
Or at the very least it's saying it will change it to an output string, but that could still be a secret. So you may need to share your unsecret usage
i
icy-jordan-58549
04/12/2022, 2:33 PM@bored-oyster-3147 I am saying it doesn’t work, it says to
unsecretm
miniature-musician-31262
04/13/2022, 11:45 PM@icy-jordan-58549 Is that screenshot from the Pulumi Service Console? (Guessing not, but just ruling that out)
I wonder if what you’re seeing here is the CLI masking any value that matches a configured secret. Even if you
.unsecret()url"[secret]"Hard to tell if that’s what’s going on here, but seems like it could be.
i
icy-jordan-58549
04/14/2022, 7:13 AMuh oh, thanks @miniature-musician-31262 . Yea, I am seeing this inside CLI