https://pulumi.com logo
Title
m

modern-petabyte-38275

02/10/2023, 3:43 PM
Hi, due to some API limitations, we might need to expose something in plain text in the pulumi runtime. whats the best way, if any, to hide a resource? it will probably be
pulumi local.Command
specifically so it doesnt show in the pulumi logs
o

orange-policeman-59119

02/10/2023, 3:44 PM
Expose something in plain text, but you want to hide it? Are you trying to redact a piece of text?
You could either wrap the input text you need to keep secret using secrets: https://www.pulumi.com/docs/intro/concepts/secrets/#programmatically-creating-secrets Or you could force the return properties of Command to be secret by setting a resource option: https://www.pulumi.com/docs/intro/concepts/resources/options/additionalsecretoutputs/ Either of these should keep your data redacted when printed by the CLI, and still usable by any resources that you pass it into.
m

modern-petabyte-38275

02/10/2023, 7:05 PM
@orange-policeman-59119 looks like the second one makes more sense, additional secret outputs. i need to hide the Input which is dynamically getting populated, potentially will have credential info. i know it might sound strange. limitation with Terraform/pulumi and aws right now i have a support ticket running on aws side
o

orange-policeman-59119

02/10/2023, 7:51 PM
To redact sensitive inputs use this (TypeScript here, substitute for the 1st article's API in your language)
const someValue = pulumi.ToSecret(x)
And to ensure a resource's outputs are secret, set
additionalSecretOutputs
.
m

modern-petabyte-38275

02/10/2023, 8:13 PM
got it. X would be the entire input value?
o

orange-policeman-59119

02/10/2023, 8:14 PM
Typically it would be one property of the input arguments to a resource, but you can use ToSecret on objects, arrays.
m

modern-petabyte-38275

02/10/2023, 9:13 PM
in my use case its just a string