Sanitize exported stack state by scrubbing secrets

README.md

@@ -89,7 +89,7 @@ snapshots need to be recorded anew on the new version.
 
 ### Fixing failing tests
 - If the tests fail by flagging unwanted resource updates or replacements that are actually
-  acceptable, configure or custom
+  acceptable, configure a custom
   [DiffValidation](https://github.com/pulumi/providertest/blob/5f23c3ec7cee882392ea356a54c0f74f56b0f7d5/upgrade.go#L241)
   setting with more relaxed asserts.
 

pulumitest/run.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"github.com/pulumi/providertest/pulumitest/optrun"
+	"github.com/pulumi/providertest/pulumitest/sanitize"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/apitype"
 )
 
@@ -42,8 +43,14 @@ func (pulumiTest *PulumiTest) Run(t PT, execute func(test *PulumiTest), opts ...
 		execute(isolatedTest)
 		exportedStack := isolatedTest.ExportStack(t)
 		if options.EnableCache {
+			ptLogF(t, "sanitizing secrets from stack state")
+			sanitizedStack, err := sanitize.SanitizeSecretsInStackState(&exportedStack)
+			if err != nil {
+				ptError(t, "failed to sanitize secrets from stack state: %v", err)
+			}
+
 			ptLogF(t, "writing stack state to %s", options.CachePath)
-			err = writeStackExport(options.CachePath, &exportedStack, false /* overwrite */)
+			err = writeStackExport(options.CachePath, sanitizedStack, false /* overwrite */)
 			if err != nil {
 				ptFatalF(t, "failed to write snapshot to %s: %v", options.CachePath, err)
 			}

pulumitest/sanitize/sanitize.go

@@ -0,0 +1,77 @@
+// Copyright 2016-2024, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package sanitize
+
+import (
+	"encoding/json"
+
+	"github.com/pulumi/pulumi/sdk/v3/go/common/apitype"
+)
+
+const plaintextSub = "REDACTED BY PROVIDERTEST"
+const secretSignature = "4dabf18193072939515e22adb298388d"
+
+// SanitizeSecretsInStackState sanitizes secrets in the stack state by replacing them with a placeholder.
+// secrets are identified by their magic signature, copied from pulumi/pulumi.
+func SanitizeSecretsInStackState(stack *apitype.UntypedDeployment) (*apitype.UntypedDeployment, error) {
+	var d apitype.DeploymentV3
+	err := json.Unmarshal(stack.Deployment, &d)
+	if err != nil {
+		return nil, err
+	}
+
+	sanitizeSecretsInResources(d.Resources)
+
+	marshaledDeployment, err := json.Marshal(d)
+	if err != nil {
+		return nil, err
+	}
+
+	return &apitype.UntypedDeployment{
+		Version:    stack.Version,
+		Deployment: json.RawMessage(marshaledDeployment),
+	}, nil
+}
+
+func sanitizeSecretsInResources(resources []apitype.ResourceV3) {
+	for i, r := range resources {
+		r.Inputs = sanitizeSecretsInObject(r.Inputs)
+		r.Outputs = sanitizeSecretsInObject(r.Outputs)
+		resources[i] = r
+	}
+}
+
+var secretReplacement = map[string]any{
+	secretSignature: "1b47061264138c4ac30d75fd1eb44270",
+	"plaintext":     `"` + plaintextSub + `"`, // must be valid JSON, hence quoted
+}
+
+func sanitizeSecretsInObject(obj map[string]any) map[string]any {
+	copy := map[string]any{}
+	for k, v := range obj {
+		innerObj, ok := v.(map[string]any)
+		if ok {
+			_, hasSecret := innerObj[secretSignature]
+			if hasSecret {
+				copy[k] = secretReplacement
+			} else {
+				copy[k] = sanitizeSecretsInObject(innerObj)
+			}
+		} else {
+			copy[k] = v
+		}
+	}
+	return copy
+}