No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

is it safe (or even advisable) to commit the pulumi config file for a stack that has secrets?

as long as they are encrypted, you should be good. i would recommend you give this a read.

<https://www.pulumi.com/docs/concepts/secrets/>

Thanks <@U01AWJN4N1K> I skimmed that doc, and may have missed mentions of committing secrets

yah me too, i didn't see that specific thing called out, either. i think that would be a good addition if ur up for contributing.

<https://github.com/pulumi/pulumi-hugo/edit/master/themes/default/content/docs/concepts/secrets.md>

you can also use AWS or GCP Secrets Manager to store them, then have a variable fetch them on runtime

That's a good suggestion. I was thinking about using vault. Does that also fetch at runtime?

yes, I tried vault also...found it to just be one more thing to maintain so went with cloud-native

<https://www.pulumi.com/registry/packages/vault/api-docs/generic/getsecret/>

You can also look at <https://github.com/mozilla/sops|SOPS >for the generic 'secrets in shared code' solution that isn't Pulumi specific.

ansible vault does the same, but not sure I'd trust it still, lol

That looks interesting. I think our cirrusci files have that file format

Configuration values marked as secret are safe to commit (they’re encrypted), but using a secrets provider as suggested in this thread is an equally valid approach.

SOPS is nice for providing options, and consistent tooling (and some IDE assistance). Can go all the way from PGP to just about any provider you can think of.