Channels
#general
Title
l
lemon-monkey-228
06/14/2023, 9:26 AMDoes the encryptionsalt (In the
Pulumi.<stack>.yamlc
cuddly-computer-18851
06/14/2023, 9:34 AMThe salt will change if you regenerate the stack file - but its just YAML so you can store your salts in whatever manner is acceptable.
Generally if you're storing actual secrets in the pulumi config, then you would want the salts to change.
l
lemon-monkey-228
06/14/2023, 9:35 AMI'm not regenerating the stack file, I'm just clearing the state (Stored on the local filesystem)
I could just inject an empty salt into the config when spinning up I guess
c
cuddly-computer-18851
06/14/2023, 9:36 AMIs the stack file checked in to git?
l
lemon-monkey-228
06/14/2023, 9:36 AMYeah
The secrets aren't actually 'secret' as this is just for a lab where all passwords are generated etc.
But I'm also trying to make it emulate production processes as much as possible still
c
cuddly-computer-18851
06/14/2023, 9:39 AMPersonally I don't like relying on Pulumi for secrets, I use AWS Parameter Store, or Secrets Manager.
If you're committing your stack files to Git though, I wouldn't expect there to be huge or problematic changesets.
l
lemon-monkey-228
06/14/2023, 9:40 AMWell in production pulumi projects we use the GCP Secrets Manager secrets provider and Pulumi secrets, then we parse all of the config with Zod
But in this scenario, I have a monorepo of different Pulumi projects for Kubernetes, to provision a fully-functional gitops cluster. Every time I bootstrap it via. my CLI, the encryptionsalt changes on all the repos
I'll just add a step into the CLI to set the the encryptionsalt to something static 🤷
e
echoing-dinner-19531
06/14/2023, 6:04 PMDoes the encryptionsalt (In theIt shouldn't this sounds like it might be a bug. Are you removing the state by just deleting the state files, or running destroy and/or stack rm?) change every time you (re)create the project state, and is there a way to keep this static?Pulumi.<stack>.yaml