I’m not understanding something about how Pulumi i...
# general
g
I’m not understanding something about how Pulumi is maintaining state… when I create the `Pulumi.Main.yaml` file and populate it properly with the salt and provider, it gets wiped out when we run `pulumi preview` and instead we’re asked to set up a new encryption secret. Why?
% cat Pulumi.Main.yaml
secretsProvider: <awskms://alias/pulumi-test?region=us-east-1>
encryptedKey: AQICA...

# At this point, I feel like I should be able to run these commands without touching the Pulumi stack file
% AWS_PROFILE=test pulumi stack select Main
% AWS_PROFILE=test pulumi preview
Enter your passphrase to protect config/secrets:
Re-enter your passphrase to confirm:
Previewing update (Main):
     Type                 Name              Plan       Info
 +   pulumi:pulumi:Stack  test-Main  create     1 error

Diagnostics:
  pulumi:pulumi:Stack (test-Main):
  ...


% git diff Pulumi.Main.yaml
diff --git a/Pulumi.Main.yaml b/Pulumi.Main.yaml
index 0d430bd..98d817a 100644
--- a/Pulumi.Main.yaml
+++ b/Pulumi.Main.yaml
@@ -1,4 +1 @@
-# ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen".
-
-secretsProvider: <awskms://alias/pulumi-test?region=us-east-1>
-encryptedKey: AQICA...
+encryptionsalt: v1:nuttCXvqPEk=:v1:4F50TOCEoSSsTDPr:X0CVw0CTdnbHmO0QBzBlP/O0HYqKJA==
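Review bot: the single `+encryptionsalt:` line drops both the `secretsProvider` (awskms) and `encryptedKey` entries, so committing this hunk would move the stack from the KMS key to the passphrase entered at the `pulumi preview` prompt above; discard the change rather than committing it. The removed header also says the file is generated by projen, so any correction to these keys belongs in `.projenrc.ts` followed by a regenerate, not in a hand edit of `Pulumi.Main.yaml`.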
r
The configuration keys for setting up a secret provider are `secretsprovider` and `encryptedkey` (no capitalization) - your settings as written in your config file are not registering and the service is attempting to create a key for you.
You can also initialize the stack with the `--secrets-provider` flag and it will set the correct properties: https://www.pulumi.com/docs/concepts/secrets/#aws-key-management-service-kms
g
ok wait .. lemme double check that, hopefully it's a simple error..
🤦‍♂️
so the automation API interface uses the camelcase… i wonder why
r
automation api uses the convention of the language. in ts that might be `secretsProvider`, in python it'll be `secrets_provider`, in go it'll be `SecretsProvider`, etc.