fn::fromJSON intrinsic is not evaluated in Pulumi YAML (v3.181.0), passed through as raw object #830
Description
What happened?
When using the fn::fromJSON intrinsic in Pulumi YAML (even in the latest version, v3.181.0), the function is not evaluated. Instead, it is passed through as a raw object in both outputs and resource properties. This results in resources receiving an object like {fn::fromJSON: {value: ...}} instead of the expected parsed map.
Example
Steps to reproduce
- Create a minimal Pulumi.yaml (no Jinja2, no includes):
name: test
runtime: yaml
variables:
test_secret:
fn::fromJSON:
value: '{"foo": "bar"}'
outputs:
test_metadata: ${test_secret}
- Run
pulumi preview(tested with v3.181.0).
Expected behavior
The output should be:
Outputs:
test_metadata:
foo: bar
Actual behavior
The output is:
Outputs:
test_metadata:
fn::fromJSON:
value: (json) {
foo: "bar"
}
Additionally, a warning is shown:
Warning: 'fn::' is a reserved prefix
on Pulumi.yaml line X:
X: fn::fromJSON:
If you need to use the raw key 'fn::fromJSON', please open an issue at https://github.com/pulumi/pulumi-yaml/issues
Notes
- This happens even in pure Pulumi YAML (no Jinja2, no includes).
- The same issue occurs for other fn:: intrinsics.
- This breaks workflows that rely on parsing JSON secrets or config at runtime.
Environment
- Pulumi version: v3.181.0
- OS: macOS (Homebrew install)
- Project type: Pulumi YAML
- Minimal repro
Minimal repro
name: test
runtime: yaml
variables:
test_secret:
fn::fromJSON:
value: '{"foo": "bar"}'
outputs:
test_metadata: ${test_secret}
Output of pulumi about
CLI
Version 3.181.0
Go Version go1.24.4
Go Compiler gc
Plugins
KIND NAME VERSION
resource gcp unknown
language yaml 1.21.1
Host
OS darwin
Version 15.5
Arch arm64
This project is written in yaml
Current Stack: ****/***/*****
TYPE URN
pulumi:pulumi:Stack urn:pulumi:*****::***::pulumi:pulumi:Stack::***-*****
pulumi:providers:pulumi urn:pulumi:*****::***::pulumi:providers:pulumi::default
pulumi:providers:gcp urn:pulumi:*****::***::pulumi:providers:gcp::default
gcp:dns/managedZone:ManagedZone urn:pulumi:*****::***::gcp:dns/managedZone:ManagedZone::pulumi-zone
gcp:compute/managedSslCertificate:ManagedSslCertificate urn:pulumi:*****::***::gcp:compute/managedSslCertificate:ManagedSslCertificate::ssl-cert-***
gcp:compute/globalAddress:GlobalAddress urn:pulumi:*****::***::gcp:compute/globalAddress:GlobalAddress::static-ip-lb01
gcp:compute/network:Network urn:pulumi:*****::***::gcp:compute/network:Network::network-vpc-***
gcp:serviceaccount/account:Account urn:pulumi:*****::***::gcp:serviceaccount/account:Account::***-compute-engine
gcp:compute/address:Address urn:pulumi:*****::***::gcp:compute/address:Address::***-static-ip
gcp:storage/bucket:Bucket urn:pulumi:*****::***::gcp:storage/bucket:Bucket::pgdumps
gcp:dns/recordSet:RecordSet urn:pulumi:*****::***::gcp:dns/recordSet:RecordSet::dns-cname-***-backoffice-internal
gcp:dns/recordSet:RecordSet urn:pulumi:*****::***::gcp:dns/recordSet:RecordSet::global-dns-record-ns
gcp:dns/recordSet:RecordSet urn:pulumi:*****::***::gcp:dns/recordSet:RecordSet::dns-cname-***-storefront-internal
gcp:dns/recordSet:RecordSet urn:pulumi:*****::***::gcp:dns/recordSet:RecordSet::dns-cname-***-api-internal
gcp:compute/regionInstanceTemplate:RegionInstanceTemplate urn:pulumi:*****::***::gcp:compute/regionInstanceTemplate:RegionInstanceTemplate::***-instance-template
gcp:dns/recordSet:RecordSet urn:pulumi:*****::***::gcp:dns/recordSet:RecordSet::dns-record-a-lb01
gcp:compute/globalAddress:GlobalAddress urn:pulumi:*****::***::gcp:compute/globalAddress:GlobalAddress::network-vpc-***-peering-address
gcp:dns/recordSet:RecordSet urn:pulumi:*****::***::gcp:dns/recordSet:RecordSet::dns-cname-***-external
gcp:compute/firewall:Firewall urn:pulumi:*****::***::gcp:compute/firewall:Firewall::firewall-disallow-ses
gcp:compute/firewall:Firewall urn:pulumi:*****::***::gcp:compute/firewall:Firewall::firewall-allow-http
gcp:compute/firewall:Firewall urn:pulumi:*****::***::gcp:compute/firewall:Firewall::firewall-allow-https
gcp:servicenetworking/connection:Connection urn:pulumi:*****::***::gcp:servicenetworking/connection:Connection::network-vpc-***-peering
gcp:compute/firewall:Firewall urn:pulumi:*****::***::gcp:compute/firewall:Firewall::firewall-allow-health-check
gcp:compute/firewall:Firewall urn:pulumi:*****::***::gcp:compute/firewall:Firewall::firewall-allow-internal
gcp:compute/firewall:Firewall urn:pulumi:*****::***::gcp:compute/firewall:Firewall::firewall-allow-icmp
gcp:compute/firewall:Firewall urn:pulumi:*****::***::gcp:compute/firewall:Firewall::firewall-allow-ssh
gcp:compute/resourcePolicy:ResourcePolicy urn:pulumi:*****::***::gcp:compute/resourcePolicy:ResourcePolicy::***-snapshot-schedule
gcp:compute/healthCheck:HealthCheck urn:pulumi:*****::***::gcp:compute/healthCheck:HealthCheck::***-health-check
gcp:compute/uRLMap:URLMap urn:pulumi:*****::***::gcp:compute/uRLMap:URLMap::http-lb01
gcp:alloydb/cluster:Cluster urn:pulumi:*****::***::gcp:alloydb/cluster:Cluster::alloydb-***-cluster
gcp:redis/instance:Instance urn:pulumi:*****::***::gcp:redis/instance:Instance::redis-***-cache
gcp:projects/iAMMember:IAMMember urn:pulumi:*****::***::gcp:projects/iAMMember:IAMMember::***-compute-engine-role-user
gcp:projects/iAMMember:IAMMember urn:pulumi:*****::***::gcp:projects/iAMMember:IAMMember::***-compute-engine-role-secretmanager
gcp:compute/targetHttpProxy:TargetHttpProxy urn:pulumi:*****::***::gcp:compute/targetHttpProxy:TargetHttpProxy::http-proxy-lb01
gcp:dns/recordSet:RecordSet urn:pulumi:*****::***::gcp:dns/recordSet:RecordSet::dns-record-a-cache-internal
gcp:compute/globalForwardingRule:GlobalForwardingRule urn:pulumi:*****::***::gcp:compute/globalForwardingRule:GlobalForwardingRule::http-forwarding-rule-lb01
gcp:compute/regionNetworkEndpointGroup:RegionNetworkEndpointGroup urn:pulumi:*****::***::gcp:compute/regionNetworkEndpointGroup:RegionNetworkEndpointGroup::***-private-service-connect-queueit-neg
gcp:compute/projectMetadata:ProjectMetadata urn:pulumi:*****::***::gcp:compute/projectMetadata:ProjectMetadata::default-ssh-keys
gcp:compute/backendService:BackendService urn:pulumi:*****::***::gcp:compute/backendService:BackendService::***-backend-service-queueit
pulumi:pulumi:StackReference urn:pulumi:*****::***::pulumi:pulumi:StackReference::base-stack
gcp:alloydb/instance:Instance urn:pulumi:*****::***::gcp:alloydb/instance:Instance::alloydb-***-primary-instance
gcp:alloydb/user:User urn:pulumi:*****::***::gcp:alloydb/user:User::alloydb-***-user-***
gcp:dns/recordSet:RecordSet urn:pulumi:*****::***::gcp:dns/recordSet:RecordSet::dns-record-a-alloy-internal
gcp:alloydb/user:User urn:pulumi:*****::***::gcp:alloydb/user:User::alloydb-***-user-***
gcp:alloydb/user:User urn:pulumi:*****::***::gcp:alloydb/user:User::alloydb-***-cluster-shop-user
gcp:alloydb/user:User urn:pulumi:*****::***::gcp:alloydb/user:User::alloydb-***-user-***
gcp:alloydb/user:User urn:pulumi:*****::***::gcp:alloydb/user:User::alloydb-***-user-***
gcp:compute/instanceFromTemplate:InstanceFromTemplate urn:pulumi:*****::***::gcp:compute/instanceFromTemplate:InstanceFromTemplate::***-instance
gcp:compute/diskResourcePolicyAttachment:DiskResourcePolicyAttachment urn:pulumi:*****::***::gcp:compute/diskResourcePolicyAttachment:DiskResourcePolicyAttachment::***-snapshot-disk
gcp:dns/recordSet:RecordSet urn:pulumi:*****::***::gcp:dns/recordSet:RecordSet::dns-record-a-***-external
gcp:compute/instanceGroup:InstanceGroup urn:pulumi:*****::***::gcp:compute/instanceGroup:InstanceGroup::***-instance-group
gcp:dns/recordSet:RecordSet urn:pulumi:*****::***::gcp:dns/recordSet:RecordSet::dns-record-a-***-internal
gcp:compute/backendService:BackendService urn:pulumi:*****::***::gcp:compute/backendService:BackendService::***-api-backend-service
gcp:compute/backendService:BackendService urn:pulumi:*****::***::gcp:compute/backendService:BackendService::***-backoffice-backend-service
gcp:compute/backendService:BackendService urn:pulumi:*****::***::gcp:compute/backendService:BackendService::***-storefront-backend-service
gcp:compute/uRLMap:URLMap urn:pulumi:*****::***::gcp:compute/uRLMap:URLMap::https-lb01
gcp:compute/targetHttpsProxy:TargetHttpsProxy urn:pulumi:*****::***::gcp:compute/targetHttpsProxy:TargetHttpsProxy::https-proxy-lb01
gcp:compute/globalForwardingRule:GlobalForwardingRule urn:pulumi:*****::***::gcp:compute/globalForwardingRule:GlobalForwardingRule::https-forwarding-rule-lb01
gcp:networkservices/lbTrafficExtension:LbTrafficExtension urn:pulumi:*****::***::gcp:networkservices/lbTrafficExtension:LbTrafficExtension::traffic-extension-queueit
Found no pending operations associated with ****
Backend
Name pulumi.com
URL https://app.pulumi.com/****
User ****
Organizations ****, ****
Token type personal
Dependencies:
NAME VERSION
gcp
Pulumi locates its logs in /var/folders/y4/7l3006l56wd0br5m77ntnh280000gn/T/ by default
Additional context
This issue blocks dynamic secret/config parsing in Pulumi YAML.
Workarounds (manual or scripted YAML maps) are not ideal for secrets that change frequently.
Thank you for looking into this!
Let me know if you want to add or change anything, or if you want a shorter/longer version!
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).