# general
m
is it safe (or even advisable) to commit the pulumi config file for a stack that has secrets?
b
as long as they are encrypted, you should be good. i would recommend you give this a read. https://www.pulumi.com/docs/concepts/secrets/
➕ 1
m
Thanks @brainy-church-78120 I skimmed that doc, and may have missed mentions of committing secrets
b
yah me too, i didn't see that specific thing called out, either. i think that would be a good addition if ur up for contributing. https://github.com/pulumi/pulumi-hugo/edit/master/themes/default/content/docs/concepts/secrets.md
m
👍🏼 I'll do what I can
s
you can also use AWS or GCP Secrets Manager to store them, then have a variable fetch them on runtime
m
That's a good suggestion. I was thinking about using vault. Does that also fetch at runtime?
s
yes, I tried vault also...found it to just be one more thing to maintain so went with cloud-native
👍 1
m
Awesome, thanks
👍 1
p
You can also look at SOPS for the generic 'secrets in shared code' solution that isn't Pulumi specific.
s
ansible vault does the same, but not sure I'd trust it still, lol
😂 1
m
That looks interesting. I think our cirrusci files have that file format
s
Configuration values marked as secret are safe to commit (they're encrypted), but using a secrets provider as suggested in this thread is an equally valid approach.
p
SOPS is nice for providing options, and consistent tooling (and some IDE assistance). Can go all the way from PGP to just about any provider you can think of.
m
awesome, thanks for the replies all