From f01dd75a0ce3d94f33e24e71bfe70c46346fb694 Mon Sep 17 00:00:00 2001
From: Iaroslav Titov <iaro@pulumi.com>
Date: Thu, 14 Nov 2024 16:03:38 -0700
Subject: [PATCH] Fixed secrets shown in diff (#443)

### Summary
- Made sure Check method uses secrets and correctly keeps them in place.
Yaml field is forced into a secret at all times.

### Testing
- Manual test
---
 CHANGELOG_PENDING.md                 |  1 +
 provider/pkg/provider/environment.go | 10 +++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG_PENDING.md b/CHANGELOG_PENDING.md
index 58e5489b..6a1508b2 100644
--- a/CHANGELOG_PENDING.md
+++ b/CHANGELOG_PENDING.md
@@ -3,5 +3,6 @@
 ### Bug Fixes
 
 - Fixed eternal drift in Webhook resource when `secret` field is supplied [#369](https://github.com/pulumi/pulumi-pulumiservice/issues/369)
+- Fixed Environment resource secrets regression [#442](https://github.com/pulumi/pulumi-pulumiservice/issues/442)
 
 ### Miscellaneous
diff --git a/provider/pkg/provider/environment.go b/provider/pkg/provider/environment.go
index 8e1f070f..50910cf2 100644
--- a/provider/pkg/provider/environment.go
+++ b/provider/pkg/provider/environment.go
@@ -218,7 +218,7 @@ func (st *PulumiServiceEnvironmentResource) Create(req *pulumirpc.CreateRequest)
 }
 
 func (st *PulumiServiceEnvironmentResource) Check(req *pulumirpc.CheckRequest) (*pulumirpc.CheckResponse, error) {
-	inputMap, err := plugin.UnmarshalProperties(req.GetNews(), plugin.MarshalOptions{KeepUnknowns: true, SkipNulls: true})
+	inputMap, err := plugin.UnmarshalProperties(req.GetNews(), plugin.MarshalOptions{KeepUnknowns: true, SkipNulls: true, KeepSecrets: true})
 	if err != nil {
 		return nil, err
 	}
@@ -232,7 +232,7 @@ func (st *PulumiServiceEnvironmentResource) Check(req *pulumirpc.CheckRequest) (
 				Reason:   fmt.Sprintf("missing required property '%s'", p),
 				Property: string(p),
 			})
-		} else if p != "yaml" && !input.IsComputed() && strings.Contains(input.StringValue(), "/") {
+		} else if p != "yaml" && !input.IsComputed() && strings.Contains(getSecretOrStringValue(input), "/") {
 			failures = append(failures, &pulumirpc.CheckFailure{
 				Reason:   fmt.Sprintf("'%s' property contains `/` illegal character", p),
 				Property: string(p),
@@ -243,6 +243,10 @@ func (st *PulumiServiceEnvironmentResource) Check(req *pulumirpc.CheckRequest) (
 	var stringYaml string
 	inputYaml := inputMap["yaml"]
 	if !inputYaml.IsComputed() {
+		if inputYaml.IsSecret() {
+			inputYaml = inputYaml.SecretValue().Element
+		}
+
 		if inputYaml.IsAsset() {
 			yamlBytes, err := getBytesFromAsset(inputYaml.AssetValue())
 			if err != nil {
@@ -257,7 +261,7 @@ func (st *PulumiServiceEnvironmentResource) Check(req *pulumirpc.CheckRequest) (
 	trimmedYaml := strings.TrimSpace(stringYaml)
 	inputMap["yaml"] = resource.MakeSecret(resource.NewStringProperty(trimmedYaml))
 
-	inputs, err := plugin.MarshalProperties(inputMap, plugin.MarshalOptions{KeepUnknowns: true, SkipNulls: true})
+	inputs, err := plugin.MarshalProperties(inputMap, plugin.MarshalOptions{KeepUnknowns: true, SkipNulls: true, KeepSecrets: true})
 	if err != nil {
 		return nil, err
 	}