Provide a way to opt-out of secretness for Python dynamic providers #15539

Open
justinvp opened this issue Feb 28, 2024 · 0 comments · May be fixed by #15864

Labels
area/dynamic-providers area/sdks Pulumi language SDKs kind/enhancement Improvements or new features language/python

justinvp commented Feb 28, 2024

The serialized Python dynamic provider code is marked as a secret by default with #13315. This was done to ensure any credentials used by a dynamic provider would not be stored in plaintext in the state. However, this can lead to performance issues due to #15538.

We should consider providing a way to opt out of secretness, or even consider changing the default back and making it opt-in. Perhaps we could come up with a way to detect secretness similar to what the Node.js SDK does for its dynamic provider implementation.

In the meantime, if you know your Python dynamic provider implementation does not capture any secrets, and you'd like to opt out of secretness, you could use a transformation to do so as a workaround. For example, calling `register_stack_transformation` before creating any of the dynamic resources:

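```python
import pulumi

def unsecret_dynamic_providers(args: pulumi.ResourceTransformationArgs):
    # Only touch Python dynamic resources; leave every other resource unchanged.
    if args.type_ == "pulumi-python:dynamic:Resource":
        # "__provider" holds the serialized provider code; unsecret it so it is
        # stored in plaintext in the state.
        args.props["__provider"] = pulumi.Output.unsecret(args.props["__provider"])
        return pulumi.ResourceTransformationResult(args.props, args.opts)
    return None

# Register before creating any of the dynamic resources.
pulumi.runtime.register_stack_transformation(unsecret_dynamic_providers)
```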
@justinvp justinvp added area/sdks Pulumi language SDKs kind/enhancement Improvements or new features language/python area/dynamic-providers labels Feb 28, 2024
@justinvp justinvp linked a pull request Apr 4, 2024 that will close this issue
@justinvp justinvp self-assigned this Apr 4, 2024
@justinvp justinvp added this to the 0.103 milestone Apr 4, 2024
@justinvp justinvp modified the milestones: 0.103, 0.104 May 6, 2024
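
An added example, not part of the issue or of Pulumi's code: a check over an exported stack state that reports which Python dynamic resources have `__provider` stored as a secret and which have it in plaintext, so the opt-out above can be reviewed after it is applied. It assumes the export has a `deployment.resources` list with `inputs` and `outputs` per resource, and that a secret is wrapped in an object carrying the signature pair shown; the URNs and state content are constructed.

```python
DYNAMIC_TYPE = "pulumi-python:dynamic:Resource"  # type token used in the workaround
PROVIDER_KEY = "__provider"                      # property the workaround unsecrets
# Assumption: exported state wraps a secret in an object with this signature pair.
SIG_KEY = "4dabf18193072939515e22adb298388d"
SECRET_SIG = "1b47061264138c4ac30d75fd1eb44270"


def is_secret(value):
    """True when a state value is wrapped in the secret envelope."""
    return isinstance(value, dict) and value.get(SIG_KEY) == SECRET_SIG


def audit_dynamic_providers(state):
    """Map each Python dynamic resource URN to 'secret', 'plaintext' or 'missing'."""
    findings = {}
    for res in state.get("deployment", {}).get("resources", []):
        if res.get("type") != DYNAMIC_TYPE:
            continue
        copies = [bag[PROVIDER_KEY]
                  for bag in (res.get("inputs"), res.get("outputs"))
                  if isinstance(bag, dict) and PROVIDER_KEY in bag]
        if not copies:
            status = "missing"
        elif all(is_secret(v) for v in copies):
            status = "secret"
        else:
            status = "plaintext"  # at least one copy is readable in state
        findings[res.get("urn", "<no urn>")] = status
    return findings


def urn_for(name, type_=DYNAMIC_TYPE):
    """Build a constructed URN for the sample below."""
    return f"urn:pulumi:dev::demo::{type_}::{name}"


ENC = {SIG_KEY: SECRET_SIG, "ciphertext": "constructed-ciphertext"}
# Constructed sample state (not real `pulumi stack export` output).
SAMPLE_STATE = {"deployment": {"resources": [
    {"urn": urn_for("wrapped"), "type": DYNAMIC_TYPE,
     "inputs": {PROVIDER_KEY: ENC}, "outputs": {PROVIDER_KEY: ENC}},
    {"urn": urn_for("opted-out"), "type": DYNAMIC_TYPE,
     "inputs": {PROVIDER_KEY: "serialized-provider"},
     "outputs": {PROVIDER_KEY: "serialized-provider"}},
    {"urn": urn_for("mixed"), "type": DYNAMIC_TYPE,
     "inputs": {PROVIDER_KEY: ENC}, "outputs": {PROVIDER_KEY: "serialized-provider"}},
    {"urn": urn_for("bucket", "aws:s3/bucket:Bucket"), "type": "aws:s3/bucket:Bucket",
     "inputs": {"acl": "private"}, "outputs": {}},
]}}

if __name__ == "__main__":
    for urn, status in audit_dynamic_providers(SAMPLE_STATE).items():
        print(f"{status:9} {urn}")
```

To run it against a real stack, load the JSON produced by `pulumi stack export` and pass the parsed object to `audit_dynamic_providers`.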