Fixes secret tag leaks (#2791)

Fixes #2778 Secrets no longer leak through tagsAll because tagsAll is removed before persisting to Pulumi state files.
pulumi · Sep 20, 2023 · 9c56d40 · 9c56d40
1 parent 8a12083
commit 9c56d40
Show file tree

Hide file tree

Showing 3,705 changed files with 42,355 additions and 2,140 deletions.
diff --git a/examples/bucket-default-tags-yaml/Pulumi.yaml b/examples/bucket-default-tags-yaml/Pulumi.yaml
@@ -10,4 +10,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/bucket-default-tags-yaml/step1/Pulumi.yaml b/examples/bucket-default-tags-yaml/step1/Pulumi.yaml
@@ -14,4 +14,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/bucket-default-tags-yaml/step2/Pulumi.yaml b/examples/bucket-default-tags-yaml/step2/Pulumi.yaml
@@ -14,4 +14,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/bucket-default-tags-yaml/step3/Pulumi.yaml b/examples/bucket-default-tags-yaml/step3/Pulumi.yaml
@@ -17,4 +17,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/bucket-default-tags-yaml/step4/Pulumi.yaml b/examples/bucket-default-tags-yaml/step4/Pulumi.yaml
@@ -18,4 +18,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/bucket-default-tags-yaml/step5/Pulumi.yaml b/examples/bucket-default-tags-yaml/step5/Pulumi.yaml
@@ -14,4 +14,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/bucket-default-tags-yaml/step6/Pulumi.yaml b/examples/bucket-default-tags-yaml/step6/Pulumi.yaml
@@ -15,4 +15,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/bucket-default-tags-yaml/step7/Pulumi.yaml b/examples/bucket-default-tags-yaml/step7/Pulumi.yaml
@@ -14,4 +14,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/bucket-default-tags-yaml/step8/Pulumi.yaml b/examples/bucket-default-tags-yaml/step8/Pulumi.yaml
@@ -10,4 +10,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/bucket-secret-tags-yaml/Pulumi.yaml b/examples/bucket-secret-tags-yaml/Pulumi.yaml
@@ -0,0 +1,10 @@
+name: test-aws-2778-bucket-with-secret-tugs
+runtime: yaml
+resources:
+
+  res:
+    type: aws:s3:BucketV2
+    properties:
+      tags:
+        that:
+          fn::secret: mysecret
diff --git a/examples/examples_yaml_test.go b/examples/examples_yaml_test.go
@@ -29,6 +29,7 @@ import (
 	"strings"
 	"testing"
 
+	"encoding/json"
 	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -286,7 +287,7 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}`
+  actual: ${res.tags}`
 
 	var expandMap func(level int, v interface{}) string
 	expandMap = func(level int, v interface{}) string {
@@ -371,3 +372,15 @@ outputs:
 		}
 	}
 }
+
+func TestRegressSecretTags(t *testing.T) {
+	integration.ProgramTest(t, &integration.ProgramTestOptions{
+		Dir:   "bucket-secret-tags-yaml",
+		Quick: true,
+		ExtraRuntimeValidation: func(t *testing.T, stack integration.RuntimeValidationStackInfo) {
+			bytes, err := json.Marshal(stack.Deployment)
+			require.NoError(t, err)
+			require.NotContainsf(t, string(bytes), "mysecret", "mysecret leaked to state in plain text")
+		},
+	})
+}
diff --git a/examples/go.mod b/examples/go.mod
@@ -5,7 +5,7 @@ go 1.21
 require (
 	github.com/aws/aws-sdk-go v1.45.6
 	github.com/pulumi/pulumi-aws/provider/v6 v6.0.0-00010101000000-000000000000
-	github.com/pulumi/pulumi-terraform-bridge/pf v0.16.1
+	github.com/pulumi/pulumi-terraform-bridge/pf v0.16.2-0.20230920005537-64af66358186
 	github.com/pulumi/pulumi-terraform-bridge/testing v0.0.1
 	github.com/pulumi/pulumi/pkg/v3 v3.81.0
 	github.com/pulumi/pulumi/sdk/v3 v3.81.0

diff --git a/examples/go.sum b/examples/go.sum
@@ -2337,8 +2337,8 @@ github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1
 github.com/prometheus/prometheus v0.35.0/go.mod h1:7HaLx5kEPKJ0GDgbODG0fZgXbQ8K/XjZNJXQmbmgQlY=
 github.com/prometheus/prometheus v0.37.0/go.mod h1:egARUgz+K93zwqsVIAneFlLZefyGOON44WyAp4Xqbbk=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
-github.com/pulumi/pulumi-terraform-bridge/pf v0.16.1 h1:fdedACdg9+11sy/0UZoN5sKbhlGsgUOfRyKpfWhaPig=
-github.com/pulumi/pulumi-terraform-bridge/pf v0.16.1/go.mod h1:d/Gr5Q+guqusxOnvqruuxqKqUEI0dCv7g+c6zYHNlE4=
+github.com/pulumi/pulumi-terraform-bridge/pf v0.16.2-0.20230920005537-64af66358186 h1:5asorGOvKtS+Z9fKyYAmNnWM9i1LbfTjQ+xnwIXLCnM=
+github.com/pulumi/pulumi-terraform-bridge/pf v0.16.2-0.20230920005537-64af66358186/go.mod h1:NptD1F0yCzgtLptN9OoDQGcejAHSI9LcX1NW2GrxIS0=
 github.com/pulumi/pulumi-terraform-bridge/testing v0.0.1 h1:SCg1gjfY9N4yn8U8peIUYATifjoDABkyR7H9lmefsfc=
 github.com/pulumi/pulumi-terraform-bridge/testing v0.0.1/go.mod h1:7OeUPH8rpt5ipyj9EFcnXpuzQ8SHL0dyqdfa8nOacdk=
 github.com/pulumi/pulumi-terraform-bridge/v3 v3.60.0 h1:MPhSwNLJJlqLFHGfrXIRXZHzFIu05YLQldAJRYpOHRs=

diff --git a/examples/legacy-default-tags-yaml/Pulumi.yaml b/examples/legacy-default-tags-yaml/Pulumi.yaml
@@ -10,4 +10,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/legacy-default-tags-yaml/step1/Pulumi.yaml b/examples/legacy-default-tags-yaml/step1/Pulumi.yaml
@@ -14,4 +14,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/legacy-default-tags-yaml/step2/Pulumi.yaml b/examples/legacy-default-tags-yaml/step2/Pulumi.yaml
@@ -14,4 +14,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/legacy-default-tags-yaml/step3/Pulumi.yaml b/examples/legacy-default-tags-yaml/step3/Pulumi.yaml
@@ -17,4 +17,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/legacy-default-tags-yaml/step4/Pulumi.yaml b/examples/legacy-default-tags-yaml/step4/Pulumi.yaml
@@ -18,4 +18,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/legacy-default-tags-yaml/step5/Pulumi.yaml b/examples/legacy-default-tags-yaml/step5/Pulumi.yaml
@@ -14,4 +14,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/legacy-default-tags-yaml/step6/Pulumi.yaml b/examples/legacy-default-tags-yaml/step6/Pulumi.yaml
@@ -15,4 +15,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/legacy-default-tags-yaml/step7/Pulumi.yaml b/examples/legacy-default-tags-yaml/step7/Pulumi.yaml
@@ -14,4 +14,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/legacy-default-tags-yaml/step8/Pulumi.yaml b/examples/legacy-default-tags-yaml/step8/Pulumi.yaml
@@ -10,4 +10,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/pf-default-tags-yaml/Pulumi.yaml b/examples/pf-default-tags-yaml/Pulumi.yaml
@@ -17,4 +17,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/pf-default-tags-yaml/step1/Pulumi.yaml b/examples/pf-default-tags-yaml/step1/Pulumi.yaml
@@ -21,4 +21,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/pf-default-tags-yaml/step2/Pulumi.yaml b/examples/pf-default-tags-yaml/step2/Pulumi.yaml
@@ -21,4 +21,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/pf-default-tags-yaml/step3/Pulumi.yaml b/examples/pf-default-tags-yaml/step3/Pulumi.yaml
@@ -23,4 +23,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/pf-default-tags-yaml/step4/Pulumi.yaml b/examples/pf-default-tags-yaml/step4/Pulumi.yaml
@@ -24,4 +24,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/pf-default-tags-yaml/step5/Pulumi.yaml b/examples/pf-default-tags-yaml/step5/Pulumi.yaml
@@ -21,4 +21,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/pf-default-tags-yaml/step6/Pulumi.yaml b/examples/pf-default-tags-yaml/step6/Pulumi.yaml
@@ -22,4 +22,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/pf-default-tags-yaml/step7/Pulumi.yaml b/examples/pf-default-tags-yaml/step7/Pulumi.yaml
@@ -21,4 +21,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/pf-default-tags-yaml/step8/Pulumi.yaml b/examples/pf-default-tags-yaml/step8/Pulumi.yaml
@@ -17,4 +17,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/sdkv2-default-tags-yaml/Pulumi.yaml b/examples/sdkv2-default-tags-yaml/Pulumi.yaml
@@ -13,4 +13,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/sdkv2-default-tags-yaml/step1/Pulumi.yaml b/examples/sdkv2-default-tags-yaml/step1/Pulumi.yaml
@@ -17,4 +17,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/sdkv2-default-tags-yaml/step2/Pulumi.yaml b/examples/sdkv2-default-tags-yaml/step2/Pulumi.yaml
@@ -17,4 +17,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/sdkv2-default-tags-yaml/step3/Pulumi.yaml b/examples/sdkv2-default-tags-yaml/step3/Pulumi.yaml
@@ -19,4 +19,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/sdkv2-default-tags-yaml/step4/Pulumi.yaml b/examples/sdkv2-default-tags-yaml/step4/Pulumi.yaml
@@ -20,4 +20,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/sdkv2-default-tags-yaml/step5/Pulumi.yaml b/examples/sdkv2-default-tags-yaml/step5/Pulumi.yaml
@@ -17,4 +17,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/sdkv2-default-tags-yaml/step6/Pulumi.yaml b/examples/sdkv2-default-tags-yaml/step6/Pulumi.yaml
@@ -18,4 +18,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/sdkv2-default-tags-yaml/step7/Pulumi.yaml b/examples/sdkv2-default-tags-yaml/step7/Pulumi.yaml
@@ -17,4 +17,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}
diff --git a/examples/sdkv2-default-tags-yaml/step8/Pulumi.yaml b/examples/sdkv2-default-tags-yaml/step8/Pulumi.yaml
@@ -13,4 +13,4 @@ resources:
     options:
       provider: ${aws-provider}
 outputs:
-  actual: ${res.tagsAll}
+  actual: ${res.tags}