Fixed secrets shown in diff (#443)

### Summary - Made sure Check method uses secrets and correctly keeps them in place. Yaml field is forced into a secret at all times. ### Testing - Manual test
pulumi · Nov 14, 2024 · f01dd75 · f01dd75
1 parent b62ee3d
commit f01dd75
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/CHANGELOG_PENDING.md b/CHANGELOG_PENDING.md
@@ -3,5 +3,6 @@
 ### Bug Fixes
 
 - Fixed eternal drift in Webhook resource when `secret` field is supplied [#369](https://github.com/pulumi/pulumi-pulumiservice/issues/369)
+- Fixed Environment resource secrets regression [#442](https://github.com/pulumi/pulumi-pulumiservice/issues/442)
 
 ### Miscellaneous
diff --git a/provider/pkg/provider/environment.go b/provider/pkg/provider/environment.go
@@ -218,7 +218,7 @@ func (st *PulumiServiceEnvironmentResource) Create(req *pulumirpc.CreateRequest)
 }
 
 func (st *PulumiServiceEnvironmentResource) Check(req *pulumirpc.CheckRequest) (*pulumirpc.CheckResponse, error) {
-	inputMap, err := plugin.UnmarshalProperties(req.GetNews(), plugin.MarshalOptions{KeepUnknowns: true, SkipNulls: true})
+	inputMap, err := plugin.UnmarshalProperties(req.GetNews(), plugin.MarshalOptions{KeepUnknowns: true, SkipNulls: true, KeepSecrets: true})
 	if err != nil {
 		return nil, err
 	}
@@ -232,7 +232,7 @@ func (st *PulumiServiceEnvironmentResource) Check(req *pulumirpc.CheckRequest) (
 				Reason:   fmt.Sprintf("missing required property '%s'", p),
 				Property: string(p),
 			})
-		} else if p != "yaml" && !input.IsComputed() && strings.Contains(input.StringValue(), "/") {
+		} else if p != "yaml" && !input.IsComputed() && strings.Contains(getSecretOrStringValue(input), "/") {
 			failures = append(failures, &pulumirpc.CheckFailure{
 				Reason:   fmt.Sprintf("'%s' property contains `/` illegal character", p),
 				Property: string(p),
@@ -243,6 +243,10 @@ func (st *PulumiServiceEnvironmentResource) Check(req *pulumirpc.CheckRequest) (
 	var stringYaml string
 	inputYaml := inputMap["yaml"]
 	if !inputYaml.IsComputed() {
+		if inputYaml.IsSecret() {
+			inputYaml = inputYaml.SecretValue().Element
+		}
+
 		if inputYaml.IsAsset() {
 			yamlBytes, err := getBytesFromAsset(inputYaml.AssetValue())
 			if err != nil {
@@ -257,7 +261,7 @@ func (st *PulumiServiceEnvironmentResource) Check(req *pulumirpc.CheckRequest) (
 	trimmedYaml := strings.TrimSpace(stringYaml)
 	inputMap["yaml"] = resource.MakeSecret(resource.NewStringProperty(trimmedYaml))
 
-	inputs, err := plugin.MarshalProperties(inputMap, plugin.MarshalOptions{KeepUnknowns: true, SkipNulls: true})
+	inputs, err := plugin.MarshalProperties(inputMap, plugin.MarshalOptions{KeepUnknowns: true, SkipNulls: true, KeepSecrets: true})
 	if err != nil {
 		return nil, err
 	}