many-knife-65312

06/13/2023, 5:19 PM
hi, quick question that I didn't find any docs for: what is the recommended practice for committing pulumi projects to a public repo, when those projects have secrets?
is it safe (or even advisable) to commit the pulumi config file for a stack that has secrets?
brainy-church-78120

06/13/2023, 5:34 PM
As long as they are encrypted, you should be good. I would recommend you give this a read: https://www.pulumi.com/docs/concepts/secrets/
many-knife-65312

06/13/2023, 5:35 PM
Thanks @brainy-church-78120. I skimmed that doc, and may have missed mentions of committing secrets.
brainy-church-78120

06/13/2023, 5:36 PM
Yeah, me too, I didn't see that specific thing called out either. I think that would be a good addition if you're up for contributing: https://github.com/pulumi/pulumi-hugo/edit/master/themes/default/content/docs/concepts/secrets.md
many-knife-65312

06/13/2023, 5:37 PM
👍🏼 I'll do what I can
straight-arm-50771

06/13/2023, 5:44 PM
You can also use AWS or GCP Secrets Manager to store them, then have a variable fetch them at runtime.
many-knife-65312

06/13/2023, 5:48 PM
That's a good suggestion. I was thinking about using Vault. Does that also fetch at runtime?
straight-arm-50771

06/13/2023, 5:49 PM
Yes, I tried Vault also. Found it to just be one more thing to maintain, so went with cloud-native.
many-knife-65312

06/13/2023, 5:51 PM
Awesome, thanks
purple-lawyer-93544

06/13/2023, 5:56 PM
You can also look at SOPS for the generic 'secrets in shared code' solution that isn't Pulumi specific.
straight-arm-50771

06/13/2023, 5:57 PM
Ansible Vault does the same, but not sure I'd trust it still, lol.
many-knife-65312

06/13/2023, 5:58 PM
That looks interesting. I think our Cirrus CI files have that file format.
salmon-account-74572

06/14/2023, 3:41 PM
Configuration values marked as secret are safe to commit (they’re encrypted), but using a secrets provider as suggested in this thread is an equally valid approach.
purple-lawyer-93544

06/14/2023, 3:52 PM
SOPS is nice for providing options and consistent tooling (and some IDE assistance). It can go all the way from PGP to just about any provider you can think of.
many-knife-65312

06/14/2023, 4:46 PM
Awesome, thanks for the replies, all.