
Secrets stored in plain text in the state when setting an environment variable in a stack deployment settings. #377

Closed
aureq opened this issue Aug 14, 2024 · 1 comment
Labels
impact/regression Something that used to work, but is now broken impact/security kind/bug Some behavior is incorrect or out of spec p1 A bug severe enough to be the next item assigned to an engineer

@aureq (Member) commented Aug 14, 2024

What happened?

When using the code shown below, the stack state stores SECRET_ENV_VAR in plain text despite the value being marked as a secret: once in the resource inputs and again in the resource outputs.

Example

import pulumi
import pulumi_pulumiservice as pulumiservice

# Deployment settings for the current org/project/stack, using the
# pulumiservice provider (version 0.23.1 at the time of the report).
deployment_settings = pulumiservice.DeploymentSettings(
    resource_name = "deployment-settings",
    organization = pulumi.get_organization(),
    project = pulumi.get_project(),
    stack = pulumi.get_stack(),
    source_context = pulumiservice.DeploymentSettingsSourceContextArgs(
        git = pulumiservice.DeploymentSettingsGitSourceArgs(
            branch = "main",
            repo_url = "aureq/aws-py-eks-helm",
            git_auth = pulumiservice.DeploymentSettingsGitSourceGitAuthArgs(
                basic_auth = pulumiservice.DeploymentSettingsGitAuthBasicAuthArgs(
                    username = "aureq",
                    password = "<redacted>"
                )
            )
        )
    ),
    operation_context = pulumiservice.DeploymentSettingsOperationContextArgs(
        environment_variables = {
            # Wrapped with Output.secret(), so it should be encrypted in state.
            "SECRET_ENV_VAR": pulumi.Output.secret('This should NOT be visible')
        }
    )
)

State

            {
                "urn": "urn:pulumi:9999::zendesk::pulumiservice:index:DeploymentSettings::deployment-settings",
                "custom": true,
                "id": "menfin/zendesk/9999",
                "type": "pulumiservice:index:DeploymentSettings",
                "inputs": {
                    "operationContext": {
                        "environmentVariables": {
                            "SECRET_ENV_VAR": "This should NOT be visible"
                        }
                    },
                    "organization": "menfin",
                    "project": "zendesk",
                    "sourceContext": {
                        "git": {
                            "branch": "main",
                            "gitAuth": {
                                "basicAuth": {
                                    "password": "\u003credacted\u003e",
                                    "username": "aureq"
                                }
                            },
                            "repoUrl": "aureq/aws-py-eks-helm"
                        }
                    },
                    "stack": "9999"
                },
                "outputs": {
                    "operationContext": {
                        "environmentVariables": {
                            "SECRET_ENV_VAR": "This should NOT be visible"
                        }
                    },
                    "organization": "menfin",
                    "project": "zendesk",
                    "sourceContext": {
                        "git": {
                            "branch": "main",
                            "gitAuth": {
                                "basicAuth": {
                                    "password": "AAABANYD+tl1+/Fy7TERObgT3QCyYnlhAkoKzuuF/K7E5Bl5buDncM6W",
                                    "username": "aureq"
                                }
                            },
                            "repoUrl": "aureq/aws-py-eks-helm"
                        }
                    },
                    "stack": "9999"
                },
                "parent": "urn:pulumi:9999::zendesk::pulumi:pulumi:Stack::zendesk-9999",
                "provider": "urn:pulumi:9999::zendesk::pulumi:providers:pulumiservice::default_0_23_1::943b7e37-8759-40f6-b222-1dff25cd249a",
                "propertyDependencies": {
                    "operationContext": [],
                    "organization": [],
                    "project": [],
                    "sourceContext": [],
                    "stack": []
                },
                "created": "2024-08-14T02:13:59.88608919Z",
                "modified": "2024-08-14T02:15:52.410864954Z",
                "sourcePosition": "project:///venv/lib/python3.11/site-packages/pulumi_pulumiservice/deployment_settings.py#211"
            }

Output of pulumi about

CLI          
Version      3.129.0
Go Version   go1.22.6
Go Compiler  gc

Plugins
KIND      NAME           VERSION
resource  pulumiservice  0.23.1
language  python         unknown

Host     
OS       debian
Version  12.6
Arch     x86_64

This project is written in python: executable='/home/aureq/work/customers/zendesk/5662/venv/bin/python' version='3.11.9'

Current Stack: menfin/zendesk/9999

TYPE                                    URN
pulumi:pulumi:Stack                     urn:pulumi:9999::zendesk::pulumi:pulumi:Stack::zendesk-9999
pulumi:providers:pulumiservice          urn:pulumi:9999::zendesk::pulumi:providers:pulumiservice::default_0_23_1
pulumiservice:index:DeploymentSettings  urn:pulumi:9999::zendesk::pulumiservice:index:DeploymentSettings::deployment-settings


Found no pending operations associated with 9999

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/aureq
User           aureq
Organizations  aureq, team-ce, menfin, menfin-team, demo
Token type     personal

Dependencies:
NAME                  VERSION
pip                   24.2
pulumi-pulumiservice  0.23.1
setuptools            72.2.0
wheel                 0.44.0

Pulumi locates its logs in /tmp by default

Additional context

Related to #376

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@aureq aureq added impact/security kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team p1 A bug severe enough to be the next item assigned to an engineer labels Aug 14, 2024
@cleverguy25 cleverguy25 added this to the 0.109 milestone Aug 14, 2024
@komalali komalali added impact/regression Something that used to work, but is now broken and removed needs-triage Needs attention from the triage team labels Aug 14, 2024
@IaroslavTitov (Contributor) commented:

Thank you for finding and bringing this up!
Fixed and released a new version, please update to 0.23.2 and secrets will work in Deployment Settings again.
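Whether or not the provider has been upgraded, the state itself is the thing to check. The scanner below is an added example (not code from this issue or from the pulumi-pulumiservice project) that walks the JSON produced by `pulumi stack export` and reports every resource input or output that should have been a secret but is stored as a bare string. It relies on the sentinel object Pulumi uses to mark secrets in state (`{"4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb7dba0", "ciphertext": ...}`); anything under that sentinel is skipped as properly protected. The set of sensitive property names and the sample state are this example's own assumptions, shaped after the export shown in the report.

```python
"""Scan a `pulumi stack export` JSON file for secrets stored as plain strings.

Added example, not code from the issue or from pulumi-pulumiservice. It detects
the failure mode reported above: a value passed through pulumi.Output.secret()
that lands in a resource's inputs/outputs as a bare string instead of a
secret-wrapped object.
"""
import json
from typing import Any, Iterator

# Sentinel Pulumi writes into state to mark a secret value. A secret is stored
# as {SIG_KEY: SECRET_SIG, "ciphertext": "..."} (or "plaintext" when the stack
# has no encryption configured).
SIG_KEY = "4dabf18193072939515e22adb298388d"
SECRET_SIG = "1b47061264138c4ac30d75fd1eb7dba0"

# Property names under which a bare string is treated as a leak. This list is
# an assumption for the example; extend it for the providers you use.
SENSITIVE_KEYS = {"password", "token", "secret", "privateKey", "environmentVariables"}


def is_secret_wrapped(value: Any) -> bool:
    """True when `value` is a secret object as Pulumi stores it in state."""
    return isinstance(value, dict) and value.get(SIG_KEY) == SECRET_SIG


def _string_leaves(node: Any, path: str, sensitive: bool) -> Iterator[tuple[str, str, bool]]:
    """Yield (path, string, under_sensitive_key) for every bare string in `node`.

    Secret-wrapped objects are not descended into: their ciphertext is fine.
    """
    if is_secret_wrapped(node):
        return
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _string_leaves(child, f"{path}.{key}", sensitive or key in SENSITIVE_KEYS)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _string_leaves(child, f"{path}[{i}]", sensitive)
    elif isinstance(node, str):
        yield path, node, sensitive


def find_plaintext_secrets(state: dict, known_values: frozenset = frozenset()) -> list[str]:
    """Return paths of strings in `state` that should have been secrets.

    A string is flagged when it sits under a sensitive key, or when it equals a
    value you already know is secret, wherever it appears. Both `inputs` and
    `outputs` of every resource are checked, since the report shows the leak in
    both sections.
    """
    findings: list[str] = []
    for res in state.get("deployment", {}).get("resources", []):
        urn = res.get("urn", "<no-urn>")
        for section in ("inputs", "outputs"):
            for path, text, sensitive in _string_leaves(res.get(section, {}), f"{urn}:{section}", False):
                if sensitive or text in known_values:
                    findings.append(path)
    return findings


def load_state(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def sample_state() -> dict:
    """Constructed sample (not the issue's real export): one leaking resource
    shaped like the reported one, and one whose secrets are wrapped properly."""
    def wrapped(ciphertext: str) -> dict:
        return {SIG_KEY: SECRET_SIG, "ciphertext": ciphertext}

    leaky = {
        "operationContext": {"environmentVariables": {"SECRET_ENV_VAR": "This should NOT be visible"}},
        "sourceContext": {"git": {"gitAuth": {"basicAuth": {"username": "aureq", "password": "<redacted>"}}}},
        "organization": "menfin",
    }
    fixed = {
        "operationContext": {"environmentVariables": {"SECRET_ENV_VAR": wrapped("v1:example==")}},
        "sourceContext": {"git": {"gitAuth": {"basicAuth": {"username": "aureq", "password": wrapped("v1:other==")}}}},
        "organization": "menfin",
    }
    return {
        "version": 3,
        "deployment": {
            "resources": [
                {"urn": "urn:pulumi:dev::proj::pulumiservice:index:DeploymentSettings::leaky",
                 "inputs": leaky, "outputs": leaky},
                {"urn": "urn:pulumi:dev::proj::pulumiservice:index:DeploymentSettings::fixed",
                 "inputs": fixed, "outputs": fixed},
            ]
        },
    }


if __name__ == "__main__":
    import sys
    # Usage: python scan_state.py <(pulumi stack export)   or no argument for the sample
    state = load_state(sys.argv[1]) if len(sys.argv) > 1 else sample_state()
    for finding in find_plaintext_secrets(state, frozenset({"This should NOT be visible"})):
        print("PLAINTEXT SECRET:", finding)
```

Run it against `pulumi stack export` before and after upgrading to 0.23.2; a clean run after the upgrade is not enough on its own, since a previous export or checkpoint that already contains the plain-text value remains readable and the exposed secret should be rotated. Note that a provider-encrypted string that is not secret-wrapped (like the `password` value in the report's outputs) is still flagged, because from the state's point of view it is an ordinary string.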

@komalali komalali modified the milestones: 0.109, 0.108 Aug 19, 2024