Only prompt for secret passphrase if I'm using secrets
If I opt into using the passphrase backend, I'm prompted to enter my passphrase anytime I run `pulumi up`, etc., even when I don't have any secrets. This was surprising to me. It seems we should only prompt if I'm actually storing secrets that'll need to be decrypted.
Answer from ellismg:
I don't think we are going to make any changes here. Because secrets can be created "from scratch" during an update (even if you have not encrypted any of your configuration values) by using `pulumi.secret`, we need to have a context during an update which allows you to encrypt values, because we may end up needing to write encrypted data into the checkpoint.

This means that at the start of an update, we'll need a passphrase provided. If you are using the passphrase-based secrets provider, you'll have to type your password, or set `PULUMI_CONFIG_PASSPHRASE` (which now has an overly specific name) in your environment. The other option is either to continue to use the Pulumi service for managing your stack's encryption, or, if you'd prefer to not use the Pulumi service, use one of the providers added in #2994 which allow you to use an external key managed by AWS, GCP, Azure or Vault. Since all of these providers can be created without end user input, you'll get back the experience you had with the Pulumi service.
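As an added illustration of the "encrypted data in the checkpoint" the answer refers to (example code written for this page, not part of the issue or of Pulumi's own code): a short Python script that walks the JSON from `pulumi stack export` and lists every value the secrets provider had to encrypt, so you can see whether a stack really holds secrets even when its config has none. It assumes the secret signature key/value pair that Pulumi writes into state files (taken from the Pulumi SDK, not from this page) and uses a constructed sample export.

```python
"""List encrypted secret values in an exported Pulumi stack state."""
import json

# Pulumi tags special values in state with a signature key; this pair marks a
# secret. Assumption: taken from the Pulumi SDK sources, not from the issue text.
SECRET_SIG_KEY = "4dabf18193072939515e22adb298388d"
SECRET_SIG_VALUE = "1b47061264138c4ac30d75fd1eb23b1a"


def is_secret(value):
    """True if `value` is a Pulumi secret wrapper object."""
    return isinstance(value, dict) and value.get(SECRET_SIG_KEY) == SECRET_SIG_VALUE


def find_secrets(node, path="$"):
    """Recursively collect JSON paths of secret values stored as ciphertext."""
    if is_secret(node):
        # Only ciphertext entries required the secrets provider at update time.
        return [path] if "ciphertext" in node else []
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            found.extend(find_secrets(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found.extend(find_secrets(value, f"{path}[{index}]"))
    return found


def secret_paths_from_export(export_json):
    """Take `pulumi stack export` output (a JSON string) and return secret paths."""
    state = json.loads(export_json)
    return find_secrets(state.get("deployment", {}))


# Constructed sample resembling an export: the config holds no secrets, but a
# runtime pulumi.secret(...) output was encrypted into the checkpoint anyway.
SAMPLE_EXPORT = json.dumps({
    "version": 3,
    "deployment": {
        "secrets_providers": {"type": "passphrase", "state": {"salt": "v1:CONSTRUCTED"}},
        "resources": [
            {"urn": "urn:pulumi:dev::demo::pulumi:pulumi:Stack::demo-dev",
             "type": "pulumi:pulumi:Stack",
             "outputs": {"dbPassword": {SECRET_SIG_KEY: SECRET_SIG_VALUE,
                                        "ciphertext": "v1:CONSTRUCTED=="}}},
            {"urn": "urn:pulumi:dev::demo::random:index/randomId:RandomId::suffix",
             "type": "random:index/randomId:RandomId",
             "outputs": {"hex": "0a1b2c3d"}},
        ],
    },
})

if __name__ == "__main__":
    for secret_path in secret_paths_from_export(SAMPLE_EXPORT):
        print("encrypted secret at", secret_path)
```

Run it against a real export with `pulumi stack export | python3 list_secrets.py` after replacing `SAMPLE_EXPORT` with `sys.stdin.read()`; an empty result means nothing in the checkpoint needed the passphrase, while any hit explains the prompt.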