lemon-monkey-228

06/14/2023, 9:26 AM
Does the encryptionsalt (in the Pulumi.<stack>.yaml) change every time you (re)create the project state, and is there a way to keep this static? I'm using the password secrets provider and I recreate the state to spin up a local lab, but this is causing a load of needless changes in git

cuddly-computer-18851

06/14/2023, 9:34 AM
The salt will change if you regenerate the stack file - but it's just YAML so you can store your salts in whatever manner is acceptable. Generally if you're storing actual secrets in the Pulumi config, then you would want the salts to change.

lemon-monkey-228

06/14/2023, 9:35 AM
I'm not regenerating the stack file, I'm just clearing the state (stored on the local filesystem)
I could just inject an empty salt into the config when spinning up I guess

cuddly-computer-18851

06/14/2023, 9:36 AM
Is the stack file checked in to git?

lemon-monkey-228

06/14/2023, 9:36 AM
Yeah
The secrets aren't actually 'secret' as this is just for a lab where all passwords are generated etc. But I'm also trying to make it emulate production processes as much as possible still

cuddly-computer-18851

06/14/2023, 9:39 AM
Personally I don't like relying on Pulumi for secrets, I use AWS Parameter Store, or Secrets Manager. If you're committing your stack files to Git though, I wouldn't expect there to be huge or problematic changesets.

lemon-monkey-228

06/14/2023, 9:40 AM
Well, in production Pulumi projects we use the GCP Secrets Manager secrets provider and Pulumi secrets, then we parse all of the config with Zod
But in this scenario, I have a monorepo of different Pulumi projects for Kubernetes, to provision a fully-functional gitops cluster. Every time I bootstrap it via my CLI, the encryptionsalt changes on all the repos
I'll just add a step into the CLI to set the encryptionsalt to something static 🤷

echoing-dinner-19531

06/14/2023, 6:04 PM
"Does the encryptionsalt (in the Pulumi.<stack>.yaml) change every time you (re)create the project state, and is there a way to keep this static?"
It shouldn't; this sounds like it might be a bug. Are you removing the state by just deleting the state files, or running destroy and/or stack rm?