So a more general question, but is there any risk in sharing the stack file, except showing the actual ressources etc? if you have sensitive outputs, sure, but other than that - does it contain sensitive data? More a general question

I don’t believe so, but you can double-check that yourself! Just use

pulumi stack export > file.json

and then review the contents. 🙂

Yes yes i know how to see the state file 😅 that is why I asked. Is it problematic to share it. Can people abuse it. Let's say i just shared it publicly. Would that be bad

I wouldn’t share it publicly. It has all the provider-specific identifiers and such for your resources in it.

That is what I am trying to gain insight in. What potential risks are associated if i were to do so?

I’m not a security professional, so I can’t really advise you on the risks associated with publicly exposing resource identifiers and other information about your cloud resources. As far as I am aware, I don’t believe it’s recommended, and I (personally) wouldn’t want to expose any information that potential attackers might use to find a weak point in my company’s infrastructure.

That's fair :) i am not intending to, but i am considering the level of encryption or security i should see the stack of. I.e. will an attack on the pulumi be an attack on me. If i had any integration with the buckets the stack is stored in, what is my risk etc. But I'll try to find answers somewhere else. I.e source code is also often not open source, but the risk isn't direct. I am mainly trying to figure out if it's comparable. I am looking into developing integrations that need to skim the stack, and i want to know what risk i am putting potential users at.