8000 fix: decrypt postgres password for use in connection string by qdzlug · Pull Request #41 · nginxinc/kic-reference-architectures · GitHub
[go: up one dir, main page]
Skip to content
This repository was archived by the owner on Oct 8, 2025. It is now read-only.

fix: decrypt postgres password for use in connection string #41

Merged
merged 5 commits into from
Jul 27, 2021
Merged

fix: decrypt postgres password for use in connection string #41

merged 5 commits into from
Jul 27, 2021

Conversation

qdzlug
Copy link
Contributor
@qdzlug qdzlug commented Jul 26, 2021

Proposed changes

This addresses a bug introduced with #30 - the password is part of the connection string, but pulumi does not decrypt it for use in the string concatenation needed to build it. This has been fixed by using the Output.unsecret method.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have written my commit messages in the Conventional Commits format.
  • I have read the CONTRIBUTING doc
  • I have added tests (when possible) that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto master
  • I will ensure my PR is targeting the master branch and pulling from my branch from my own fork

@qdzlug qdzlug requested a review from dekobon July 26, 2021 23:14
dekobon
dekobon suggested changes Jul 27, 2021
View reviewed changes
pulumi/aws/anthos/__main__.py Outdated
# The database password is a secret, and in order to use it in a string concat
# we need to decrypt the password with Output.unsecret() before we use it.
# This function provides the logic to accomplish this.
accounts_db_uri = pulumi.Output.unsecret(accounts_pwd).apply(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider modifying this such that Pulumi continues to use secrets:

def create_pg_uri(password_object):
    user = str(accounts_admin)
    password = str(password_object)
    database = str(accounts_db)
    uri = f'postgresql://{user}:{password}@accounts-db:5432/{database}'
    return pulumi.Output.secret(uri)


accounts_db_uri = pulumi.Output.unsecret(accounts_pwd).apply(create_pg_uri)

< E880 /span> Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed; that's a great example construct for this use case.

pulumi/aws/anthos/__main__.py Outdated
# ./config/Pulumi.STACKNAME.yaml
config = pulumi.Config('anthos')
demo_pwd = config.require_secret('demo_pwd')

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's delete the demo_login and demo_pwd bits.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done and updated in all other locations and configs.

aedb325 
fix: remove demo login/pwd from config and fix secret logic
@qdzlug
Copy link
Contributor Author
qdzlug commented Jul 27, 2021

Running full test overnight.

@dekobon dekobon merged commit a2d334b into nginxinc:master Jul 27, 2021
@qdzlug qdzlug mentioned this pull request Jul 27, 2021
Closed
@qdzlug qdzlug deleted the jayreview branch August 10, 2021 13:49
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
1 more reviewer

@dekobon dekobon dekobon approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@qdzlug @dekobon
0