Non-empty refresh diff on siteCredentials for azure:appservice/functionApp:FunctionApp

[t0yv0]

What happened?

Unexpected non-empty diff coming from pulumi refresh after pulumi up:

            ~ azure:appservice/functionApp:FunctionApp: (update)
                [id=/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1/resourceGroups/test80404a1b/providers/Microsoft.Web/sites/teste1160a7f]
                [urn=urn:pulumi:azure-topic::azure-topic::azure:eventhub/topic:Topic$azure:servicehub:TopicEventSubscription$azure:appservice/functionApp:FunctionApp::test]
                [provider=urn:pulumi:azure-topic::azure-topic::pulumi:providers:azure::default_4_42_0::e175a9bb-f08b-4ce5-b15b-e4a8a7a92d78]
                --outputs:--
              - siteCredentials            : [
              -     [0]: {
                      - password: [secret]
                      - username: "$teste1160a7f"
                    }
                ]
              + siteCredentials            : [secret]

Looks like refresh is "unmasking" username where the entire siteCredentials blob was secret before. It is possibly indicative of a bridge bug with schema-induced secret masking.

Example

This shows up in lots of examples but a simple one is ./examples/topic/index.ts. It appears that topic.onEvent is provisioning a FunctionApp under the hood for the callback.

Output of pulumi about

CLI
Version 3.97.0
Go Version go1.21.4
Go Compiler gc

Plugins
NAME VERSION
azure 4.42.0
nodejs unknown

Host
OS darwin
Version 14.1.1
Arch x86_64

This project is written in nodejs: executable='/Users/t0yv0/bin/node' version='v18.18.2'

Current Stack: t0yv0/azure-topic/azure-topic

TYPE URN
pulumi:pulumi:Stack urn:pulumi:azure-topic::azure-topic::pulumi:pulumi:Stack::azure-topic-azure-topic
pulumi:providers:azure urn:pulumi:azure-topic::azure-topic::pulumi:providers:azure::default_4_42_0
azure:core/resourceGroup:ResourceGroup urn:pulumi:azure-topic::azure-topic::azure:core/resourceGroup:ResourceGroup::test
azure:eventhub/namespace:Namespace urn:pulumi:azure-topic::azure-topic::azure:eventhub/namespace:Namespace::test
azure:eventhub/topic:Topic urn:pulumi:azure-topic::azure-topic::azure:eventhub/topic:Topic::test
azure:servicehub:TopicEventSubscription urn:pulumi:azure-topic::azure-topic::azure:eventhub/topic:Topic$azure:servicehub:TopicEventSubscription::test
azure:servicebus/subscription:Subscription urn:pulumi:azure-topic::azure-topic::azure:eventhub/topic:Topic$azure:servicebus/subscription:Subscription::test
azure:appservice/plan:Plan urn:pulumi:azure-topic::azure-topic::azure:eventhub/topic:Topic$azure:servicehub:TopicEventSubscription$azure:appservice/plan:Plan::test
azure:storage/account:Account urn:pulumi:azure-topic::azure-topic::azure:eventhub/topic:Topic$azure:servicehub:TopicEventSubscription$azure:storage/account:Account::test
azure:storage/container:Container urn:pulumi:azure-topic::azure-topic::azure:eventhub/topic:Topic$azure:servicehub:TopicEventSubscription$azure:storage/container:Container::test
azure:storage/blob:Blob urn:pulumi:azure-topic::azure-topic::azure:eventhub/topic:Topic$azure:servicehub:TopicEventSubscription$azure:storage/blob:Blob::test
azure:appservice/functionApp:FunctionApp urn:pulumi:azure-topic::azure-topic::azure:eventhub/topic:Topic$azure:servicehub:TopicEventSubscription$azure:appservice/functionApp:FunctionApp::test

Found no pending operations associated with azure-topic

Backend
Name pulumi.com
URL https://app.pulumi.com/t0yv0
User t0yv0
Organizations t0yv0, pulumi
Token type personal

Dependencies:
NAME VERSION
@pulumi/azure 4.42.0
@pulumi/pulumi 3.99.0
@types/node 10.17.60
mime-types 2.1.35

Pulumi locates its logs in /var/folders/gk/cchgxh512m72f_dmkcc3d09h0000gp/T/com.apple.shortcuts.mac-helper// by default

Additional context

This issue was found when trying to move toward stricter test defaults in the repository.

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).