Hi. Why doesn't ESC provide a way to update a secret programmatically from within Typescript code? Am I missing something?

In the ESC SDK?

Sorry, I'm new to ESC but I've used IaC for a while. My understanding is that we interact with ESC using the Config class. Is that correct? If so, I noticed only methods for reading values, not writing them.

You can create environments using the Pulumi Cloud provider, or you can hand-write them in the Pulumi Cloud console. ESC can read from managed secrets providers (e.g. AWS Secrets Manager) or you can store the values directly in Pulumi Cloud and we'll encrypt them. You can manage the secret value using Pulumi IaC: Pulumi Cloud provider if you're storing secrets directly in Pulumi Cloud, or the AWS provider if you're reading from Secrets Manager, etc.

Sorry, digging into this further... I initially tried my hand at Kubernetes, then decided to try using Docker Swarm instead. I now see that both of them have a concept of a Secret resource. So... silly question: why would I want to store secrets in ESC or the other cloud providers when I can just store them directly in k8s or Swarm?

Because K8s does not encrypt secrets. (Not sure about Docker Swarm.)

Where's the secret stored: directly in Pulumi Cloud, or an external secret, e.g. AWS Secrets Manager?

I am using DigitalOcean, which doesn't contain its own secrets API. I assume I can use ESC on top of Docker Swarm secrets?

The value of ESC is that it allows you to access secrets that might be spread all over the place with a single authentication (your Pulumi Cloud token) and control that access centrally (with Pulumi Cloud RBAC). You can then take those values and use them in a Pulumi IaC program, or any CLI program. You can output values as Pulumi IaC config, env vars, or files (useful for Kubeconfig).

Okay, so for new projects such as mine... where I can afford to store all the secrets in one place... are you saying that I don't need ESC and I can/should just interact directly with Docker secrets?

Update the value wherever you're storing it.

I'm going to take some time to digest this 🙂 Thank you for your help...

Sorry for the late reply, I have been out. There is also the Pulumi service provider https://www.pulumi.com/registry/packages/pulumiservice/

Hey @enough-architect-32336 @stocky-restaurant-98004 - I have a similar question and just saw this thread but still unsure of the answer. We heavily use

environmentVariables

in ESC, so we can use

pulumi env

to run commands in different environments or generate

dotenv

files: pulumi env run staging -- command In our Pulumi IaC, we generate non-secret configuration values, like service URIs or IP addresses, that we also want to store in ESC. Is it possible to write these output values to existing environment in ESC(i.e

staging

,

production

,etc) from our IaC code? The psuedo code would be something like:

// create service
srv, err := cloudrunv2.NewService(...)
// save service URI as an env var in ESC
auto.SetEnv("SOME_SERVICE_URI", srv.Uri)

If not, is there a good way to achieve what we are looking for?

@salmon-carpet-1576 I think that the way I'd approach this is to use a stack output and then import than reference that in the ESC environment:

// service stack
srv, err := cloudrunv2.NewService(...)
ctx.Export("service_uri", srv.Uri)

// esc environment
values:
  stackRefs:
    fn::open::pulumi-stacks:
      stacks:
        serviceInfra:
          stack: some-service/dev
  environmentVariables:
    SOME_SERVICE_URI: ${stackRefs.serviceInfra.service_uri}

Thank you @hallowed-baker-22997! I didn't know we could reference stack outputs. I'll play around with this and see if it does the trick

here is the schema for the pulumi-stacks integration: https://www.pulumi.com/docs/esc/integrations/infrastructure/pulumi-iac/pulumi-stacks/