Commit Graph

20 Commits

Author SHA1 Message Date
Fraser Waters 7bb2a3c2ac
Auto-fix encrypted keys in the wrong format due to gocloud.dev upgrade regression ()
When attempting another gocloud.dev upgrade, some users ran into a
regression related to the format change of encrypted keys between
gocloud versions, which part of the system was not accounting for. This
PR addresses the issue and includes a fix that automatically fixes
forward state that has an encrypted key in the wrong format, and
includes a regression test and test for the auto-fix behavior.

Fixes 

Co-authored-by: Thomas Gummerer <t.gummerer@gmail.com>
2024-02-01 09:39:41 +00:00
Justin Van Patten d1904beb14
Revert gocloud.dev upgrade ()
Still regressions happening associated with upgrading gocloud.dev. This
reverts https://github.com/pulumi/pulumi/pull/15202.

Fixes 
2024-01-31 23:19:32 +00:00
Thomas Gummerer 927b7efef5
upgrade gocloud.dev take 2 ()
Another attempt at upgrading gocloud.dev to the latest version. We've
identified and added tests for the issues that came up in the last
attempt to do the upgrade in https://github.com/pulumi/pulumi/pull/15161
and https://github.com/pulumi/pulumi/pull/15187.

The problem with the SAS key appears to have been fixed in gocloud.dev
0.36.0 (The previous upgrade tried 0.28.0), and I've added additional
fixes for the azure key vault problem during pulumi refresh in this PR.

This needs https://github.com/pulumi/pulumi/pull/15161 to be merged
first, but I wanted to open a PR in the meantime.

Fixes 
Fixes https://github.com/pulumi/pulumi/issues/14647
Fixes https://github.com/pulumi/pulumi/issues/13161
Fixes https://github.com/pulumi/pulumi/issues/14431
Fixes https://github.com/pulumi/pulumi/issues/14541

## Checklist

- [x] I have run `make tidy` to update any new dependencies
- [ ] I have run `make lint` to verify my code passes the lint check
  - [ ] I have formatted my code using `gofumpt`

- [x] I have added tests that prove my fix is effective or that my
feature works
- [x] I have run `make changelog` and committed the
`changelog/pending/<file>` documenting my change
- [ ] Yes, there are changes in this PR that warrants bumping the Pulumi
Cloud API version
2024-01-26 13:14:17 +00:00
Thomas Gummerer c48ed3ba49
Revert "upgrade gocloud.dev to latest version" ()
Reverts 

/xref https://github.com/pulumi/pulumi/issues/15126
/xref https://github.com/pulumi/pulumi/issues/15127
2024-01-10 15:16:36 +00:00
Thomas Gummerer d7b1a1d9b1
upgrade gocloud.dev to latest version ()
Upgrade gocloud.dev to the latest version.

This requires a bit of a workaround, since `gocloud.dev` changed its
expectations of how the encryption key is stored for Azure. In v0.27.0 and
earlier, gocloud.dev accepted an encryption key that was wrapped in
base64.RawURLEncoding (and produced one that was wrapped as such).
However, in v0.28.0 that changed and the encryption key was no longer
wrapped in gocloud.dev, and as such it also didn't expect a wrapped key
anymore.

To keep compatibility we'll keep wrapping the azure key for gocloud.dev
in an inner encoding, which seems to be the path of least resistance.
Alternatively we could introduce a `v2` encoding by prefixing the
string, but that ends up being messier than just keeping the strings
compatible.

## Checklist

- [x] I have run `make tidy` to update any new dependencies
- [x] I have run `make lint` to verify my code passes the lint check
  - [x] I have formatted my code using `gofumpt`

Tests were introduced in https://github.com/pulumi/pulumi/pull/14649,
I've updated them slightly to cover the new code as well.
- [ ] I have added tests that prove my fix is effective or that my
feature works
- [x] I have run `make changelog` and committed the
`changelog/pending/<file>` documenting my change
- [ ] Yes, there are changes in this PR that warrants bumping the Pulumi
Cloud API version
2024-01-04 09:03:42 +00:00
Fraser Waters 1087423566
Restore secrets provider in config refresh ()

# Description


Fixes https://github.com/pulumi/pulumi/issues/7282

This is fairly simple, just grab the last deployment from the stack (we
should have one otherwise we wouldn't have any config to fetch either)
and pull the SecretsProviders data out the deployment data and translate
and insert it into the stack config.

## Checklist

- [x] I have run `make tidy` to update any new dependencies
- [x] I have run `make lint` to verify my code passes the lint check
  - [ ] I have formatted my code using `gofumpt`

- [ ] I have added tests that prove my fix is effective or that my
feature works - I've manually checked this with a passphrase deployment.
Need to do the command split for "config refresh" to write up some unit
tests to cover this.
- [ ] I have run `make changelog` and committed the
`changelog/pending/<file>` documenting my change
- [ ] Yes, there are changes in this PR that warrants bumping the Pulumi
Cloud API version
2023-11-13 12:27:46 +00:00
Fraser Waters 39aaf0604f Change secret.Manager State to json.RawMessage
The state from a secret manager _always_ has to be something json
serialisable because we store it into the json state files. Rather than
allowing any `interface{}` to be returned here and then error'ing if it
happens to not be something that can be marshalled to JSON this changes
the interface to return a `json.RawMessage` moving the
marshalling/unmarshalling concerns into the individual implementations
that can pretty much guarantee valid structures.
2023-05-22 11:21:15 +01:00
Abhinav Gupta 7aa5b77a0c
all: Reformat with gofumpt
Per team discussion, switching to gofumpt.

[gofumpt][1] is a stricter alternative to gofmt.
It addresses other stylistic concerns that gofmt doesn't yet cover.

  [1]: https://github.com/mvdan/gofumpt

See the full list of [Added rules][2], but it includes:

- Dropping empty lines around function bodies
- Dropping unnecessary variable grouping when there's only one variable
- Ensuring an empty line between multi-line functions
- simplification (`-s` in gofmt) is always enabled
- Ensuring multi-line function signatures end with
  `) {` on a separate line.

  [2]: https://github.com/mvdan/gofumpt#Added-rules

gofumpt is stricter, but there's no lock-in.
All gofumpt output is valid gofmt output,
so if we decide we don't like it, it's easy to switch back
without any code changes.

gofumpt support is built into the tooling we use for development
so this won't change development workflows.

- golangci-lint includes a gofumpt check (enabled in this PR)
- gopls, the LSP for Go, includes a gofumpt option
  (see [installation instructions][3])

  [3]: https://github.com/mvdan/gofumpt#installation

This change was generated by running:

```bash
gofumpt -w $(rg --files -g '*.go' | rg -v testdata | rg -v compilation_error)
```

The following files were manually tweaked afterwards:

- pkg/cmd/pulumi/stack_change_secrets_provider.go:
  one of the lines overflowed and had comments in an inconvenient place
- pkg/cmd/pulumi/destroy.go:
  `var x T = y` where `T` wasn't necessary
- pkg/cmd/pulumi/policy_new.go:
  long line because of error message
- pkg/backend/snapshot_test.go:
  long line trying to assign three variables in the same assignment

I have included mention of gofumpt in the CONTRIBUTING.md.
2023-03-03 09:00:24 -08:00
Fraser Waters a3f7a342b2 Move the project file handling for secret config to one place
This means the secret providers just work in terms of
workspace.ProjectStack, mutate as they wish and let the higher level
work out if it should save the file or not. Rather than having each
secret manager maintain "should I save the file" code.
2023-02-01 17:03:38 +00:00
Fraser Waters f9a49b3407 Move cloud methods to pkg/secrets 2023-01-13 10:39:16 +00:00
Justin Van Patten 8227d933fc Remove dependency on errors.Wrap from pkg module
We'd previously removed the direct dependency on `github.com/pkg/errors` in the pkg module, but a community PR brought it back. This change removes it once again, as it's not needed for wrapping the errors in these cases.
2022-09-26 14:49:15 -07:00
Vladimir Pouzanov 6ee97e2b2b
Add support for authentication via GOOGLE_CREDENTIALS ()
* Add support for GCP auth via a PULUMI_GOOGLE_CREDENTIALS_HELPER

* Properly propagate the error for the google credentials auth

* Update the changelog with a note and usage example

* Propagate pulumi auth mechanisms to the secretsprovider

* Clean up the linter warnings

* Revert CHANGELOG.md

* Revert PULUMI_GOOGLE_CREDENTIALS_HELPER for now

* Cleanup

* Use same context

* Pass context

* Preserve scopes currently used

Co-authored-by: Fraser Waters <fraser@pulumi.com>
2022-06-07 16:02:08 +01:00
Paul Stack e3720b3a93
Using a decryptAll functionality when deserializing a deployment () 2022-01-24 22:33:40 +02:00
Ian Wahbe 272c4643b2
Update error handling ()
This is the result of a change applied via `go-rewrap-errors`.
2021-11-12 18:37:17 -08:00
pulumi-bot 73a66f48ea [breaking] Changing the version of go.mod in sdk / pkg to be v3 2021-04-14 19:32:18 +01:00
Levi Blackstone 709fcbad51
Document Go packages ()
Co-authored-by: Pat Gavlin <pat@pulumi.com>
2021-01-11 11:07:59 -07:00
CyrusNajmabadi 66bd3f4aa8
Breaking changes due to Feature 2.0 work
* Make `async:true` the default for `invoke` calls ()

* Switch away from native grpc impl. ()

* Remove usage of the 'deasync' library from @pulumi/pulumi. ()

* Only retry as long as we get unavailable back.  Anything else continues. ()

* Handle all errors for now. ()


* Do not assume --yes was present when using pulumi in non-interactive mode ()

* Upgrade all paths for sdk and pkg to v2

* Backport C# invoke classes and other recent gen changes ()

Adjust C# generation

* Replace IDeployment with a sealed class ()

Replace IDeployment with a sealed class

* .NET: default to args subtype rather than Args.Empty ()

* Adding system namespace for Dotnet code gen

This is required for using Obsolete attributes for deprecations

```
Iam/InstanceProfile.cs(142,10): error CS0246: The type or namespace name 'ObsoleteAttribute' could not be found (are you missing a using directive or an assembly reference?) [/Users/stack72/code/go/src/github.com/pulumi/pulumi-aws/sdk/dotnet/Pulumi.Aws.csproj]
Iam/InstanceProfile.cs(142,10): error CS0246: The type or namespace name 'Obsolete' could not be found (are you missing a using directive or an assembly reference?) [/Users/stack72/code/go/src/github.com/pulumi/pulumi-aws/sdk/dotnet/Pulumi.Aws.csproj]
```

* Fix the nullability of config type properties in C# codegen ()
2020-04-14 09:30:25 +01:00
evanboyle d3f5bbce48 go fmt 2020-03-18 17:27:02 -07:00
evanboyle f754b486b8 move pkg/resource/config -> sdk/go/common/resource/config 2020-03-18 15:03:37 -07:00
Luke Hoban 6ed4bac5af
Support additional cloud secrets providers ()
Adds support for additional cloud secrets providers (AWS KMS, Azure KeyVault, Google Cloud KMS, and HashiCorp Vault) as the encryption backend for Pulumi secrets. This augments the previous choice between using the app.pulumi.com-managed secrets encryption or a fully-client-side local passphrase encryption.

This is implemented using the Go Cloud Development Kit support for pluggable secrets providers.

Like our cloud storage backend support which also uses Go Cloud Development Kit, this PR also bleeds through to users the URI schemes that the Go CDK defines for specifying each of the secrets providers - like `awskms://alias/LukeTesting?region=us-west-2` or `azurekeyvault://mykeyvaultname.vault.azure.net/keys/mykeyname`.

Also like our cloud storage backend support, this PR doesn't solve for how to configure the cloud provider client used to resolve the URIs above - the standard ambient credentials are used in both cases. Eventually, we will likely need to provide ways for both of these features to be configured independently of each other and of the providers used for resource provisioning.
2019-08-02 16:12:16 -07:00