https://pulumi.com logo
Title
i

icy-jordan-58549

04/11/2022, 11:39 AM
any ideas, why my preview always shows this changes? even if I use
pulumi.unsecret
?
b

bored-oyster-3147

04/11/2022, 3:00 PM
Are you use “—show-secrets” with your preview command?
i

icy-jordan-58549

04/12/2022, 12:25 PM
@bored-oyster-3147 no
just regular
pulumi up
b

bored-oyster-3147

04/12/2022, 12:28 PM
Do the preview yourself. Tell it to show secrets if you want secrets in your logs. Then skip the preview with your up invocation. It doesn't show secrets by default. Imagine running pulumi in continuous deployment and having your secrets preserved in those logs for as long as your artifact retention.
i

icy-jordan-58549

04/12/2022, 12:29 PM
the problem here is, I don’t want any secrets to be in the preview logs
this is just a regular URL, which is not secret and I want to
unsecret
it
github action that detects “changes” every single time shows this change, which doesn’t make any sense to keep it running continuously 😞
so the flow is like this: 1) pulumi up (i get this change from secret to output<string>) 2) okay, let’s apply it 3) try again - it shows the same transformation from secret to output
¯\_(ツ)_/¯
b

bored-oyster-3147

04/12/2022, 12:34 PM
I'm having a hard time understanding your flow example and getting the problem from it. What do you mean by “get this change from secret to output”? A secret and non-secrets use the same type in pulumi, they are both outputs.
There is no “secret” type. The log is not saying that the secret is transforming into an output, it is telling you that the secret is a string. The arrow may be misleading in that case
I'm incorrect. I'm sorry. I clearly need coffee. It looks like it is in fact telling you that if you apply the change it will unsecret it. You're saying that doesn't work? Or at the very least it's saying it will change it to an output string, but that could still be a secret. So you may need to share your unsecret usage
i

icy-jordan-58549

04/12/2022, 2:33 PM
@bored-oyster-3147 I am saying it doesn’t work, it says to
unsecret
every single time when I want to apply changes
m

miniature-musician-31262

04/13/2022, 11:45 PM
@icy-jordan-58549 Is that screenshot from the Pulumi Service Console? (Guessing not, but just ruling that out)
I wonder if what you’re seeing here is the CLI masking any value that matches a configured secret. Even if you
.unsecret()
the secret within the scope of the program, Pulumi will still prevent that value from being exposed by the CLI. So if your program happens to be tracking a secret whose value matches what you’ve got there for the
url
property, the CLI will always mask it as
"[secret]"
.
Hard to tell if that’s what’s going on here, but seems like it could be.
i

icy-jordan-58549

04/14/2022, 7:13 AM
uh oh, thanks @miniature-musician-31262 . Yea, I am seeing this inside CLI