Fix secretsProvider not being applied to new stacks #1032
Codecov Report ❌ Patch coverage is

Coverage Diff (master vs #1032):

            master   #1032    +/-
Coverage    53.03%   53.28%   +0.24%
Files       34       34
Lines       4646     5011     +365
Hits        2464     2670     +206
Misses      1987     2134     +147
Partials    195      207      +12
The secretsProvider field from Stack CRs was being ignored when the agent created new stacks via SelectStack, causing Pulumi to default to passphrase encryption and fail when users specified alternative providers like HashiVault or AWS KMS.

Changes:
- Apply secrets provider in SelectStack when creating new stacks
- Apply secrets provider in NewServer only for new stacks (not existing)
- Add --secrets-provider flag to serve command for standalone usage
- Clarify that secrets provider only applies to new stack creation

Fixes #935

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>

This commit improves the implementation and adds unit test coverage for the secretsProvider field that was added in the fix for issue #935.

Changes:
- Refactor SelectStack to use `pulumi stack init --secrets-provider` instead of auto.NewStack + ChangeSecretsProvider. This properly initializes the secrets provider from the beginning and avoids requiring the PULUMI_CONFIG_PASSPHRASE_NEW environment variable.
- Add test case "non-existent stack with create and passphrase secrets provider" to TestSelectStack that validates the secretsProvider field is properly applied when creating new stacks.
- Remove t.Parallel() from TestSelectStack to allow t.Setenv() usage for setting test-specific environment variables.

The test validates that when a SelectStackRequest includes both create=true and a secretsProvider value, the stack is created with the specified secrets provider configuration.

Related to #935

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>

…in NewServer

Updated NewServer to use the same stack creation technique as SelectStack by calling `pulumi stack init --secrets-provider` instead of the two-step approach of auto.NewStack followed by ChangeSecretsProvider. This ensures the secrets provider is properly initialized from the beginning and provides consistency across both code paths.

Also added test coverage in TestNewServer for the secrets provider functionality, following the same pattern used in TestSelectStack (removed t.Parallel and added setPassenv field).

Related to #935

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>

- Renamed newStackWithOptions to initStack for better clarity
- Added structured debug logging throughout the function to trace:
  - Stack initialization start with parameters
  - Pulumi command execution
  - Stack creation success/failure
  - Stack selection after creation
- Moved function definition after SelectStack for better code organization

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>

- Capture stderr from pulumi stack init command and include it in error messages
- Replace passphrase secrets provider tests with invalid provider tests
- Invalid provider tests verify that CLI error messages are properly surfaced
- Add t.Parallel() to TestNewServer and TestSelectStack for faster test execution
- Remove passphrase-specific validation logic from tests

This change makes the tests more effective by:
1. Testing actual error conditions that users might encounter
2. Being backend-agnostic (works regardless of default secrets provider)
3. Validating that stderr is properly captured and surfaced in errors

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
Pull Request Overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
Summary

Fixes #935

The `secretsProvider` field from Stack CRs was being ignored when the agent created new stacks, causing Pulumi to default to passphrase encryption and fail when users specified alternative providers like HashiVault or AWS KMS.

Not in Scope:

Changes

This PR addresses the issue identified by @brycekahle where the `secretsProvider` was being sent in the `SelectStackRequest` from the workspace controller but was not being used by the agent when creating new stacks.

Key Changes:
- Created `initStack` helper function - Uses `pulumi stack init --secrets-provider` to properly initialize stacks with the specified secrets provider from the beginning, instead of the two-step approach of creating the stack first and then changing the secrets provider.
- Fixed `SelectStack` handler - Now properly applies the `secrets_provider` field from the `SelectStackRequest` when creating new stacks by calling `initStack`.
- Fixed `NewServer` - Changed from `auto.UpsertStack` + `ChangeSecretsProvider` to `auto.SelectStack` with fallback to `initStack` for consistent behavior across both code paths.
- Added `--secrets-provider` flag to the `serve` command for standalone usage.

Testing

The integration tests verify that the `--secrets-provider` argument is applied correctly to `pulumi stack init`.
- `TestNewServer` for creating new stacks with invalid secrets provider
- `TestSelectStack` for creating new stacks with invalid secrets provider

Files Changed
- `agent/cmd/serve.go` - Added `--secrets-provider` flag and passed it to `NewServer`
- `agent/pkg/server/server.go` - Implemented `initStack` helper, refactored stack creation to properly handle the `secrets_provider` field in both `SelectStack` and `NewServer`, added debug logging
- `agent/pkg/server/server_test.go` - Added test coverage for invalid secrets provider scenarios

🤖 Generated with Claude Code
Co-Authored-By: Claude [email protected]
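Added example, not the PR's or the operator's own code: a minimal Go sketch of the mechanism the PR describes, creating a stack with `pulumi stack init --secrets-provider` in a single step and surfacing the CLI's stderr in the returned error so a rejected provider is visible. The function names `stackInitArgs` and `runPulumi`, the `sh` stand-in used to exercise the error path, and the sample KMS URL are assumptions.

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"os/exec"
	"strings"
)

// stackInitArgs builds the argument list for `pulumi stack init`. A non-empty
// secretsProvider becomes --secrets-provider so the new stack is created with
// the intended encryption (e.g. KMS or Vault) from the start; this is what
// avoids the create-then-ChangeSecretsProvider two-step and its
// PULUMI_CONFIG_PASSPHRASE_NEW requirement. Existing stacks are not touched.
func stackInitArgs(stackName, secretsProvider string) []string {
	args := []string{"stack", "init", stackName, "--non-interactive"}
	if secretsProvider != "" {
		args = append(args, "--secrets-provider", secretsProvider)
	}
	return args
}

// runPulumi runs the CLI in workDir and, on failure, returns an error that
// carries the captured stderr, so a CLI diagnostic such as an invalid
// secrets-provider URL reaches the caller instead of being lost.
func runPulumi(ctx context.Context, pulumiBin, workDir string, args ...string) error {
	cmd := exec.CommandContext(ctx, pulumiBin, args...)
	cmd.Dir = workDir
	var stderr bytes.Buffer
	cmd.Stderr = &stderr
	if err := cmd.Run(); err != nil {
		return fmt.Errorf("pulumi %s: %w: %s",
			strings.Join(args, " "), err, strings.TrimSpace(stderr.String()))
	}
	return nil
}

func main() {
	// Constructed sample values; "pulumi" must be on PATH for this to succeed.
	args := stackInitArgs("dev", "awskms://alias/example-key?region=us-east-1")
	fmt.Println("running: pulumi", strings.Join(args, " "))
	if err := runPulumi(context.Background(), "pulumi", ".", args...); err != nil {
		fmt.Println("stack init failed:", err)
	}
}
```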