# esc
g
Hi! I have been trying to solve a problem with handling serialized secrets in Pulumi YAML files. My team consists of multiple developers and the serialized secrets are dependent on each other's dev systems. We are running local k8s. Whenever we pull from our repo, the standard playbook is to run `pulumi config set --secret SomePassword password` and update those secure values to the new serialized one. Is ESC the solution for handling this?
m
I may be off-topic, but why don't you use a specific stack per developer?
g
not sure if I understand the question?
m
It seems that each developer in your team has different values for some secret settings for your project. So I was wondering why each developer does not have their own Pulumi stack: dev-patrick, dev-alexandre, dev-thomas, ... with their own secret values. But maybe I did not understand your problem correctly.
s
Yes - ESC is the solution to this! But also @millions-journalist-34868 makes a good point if their understanding is correct. At Pulumi we use individual developer stacks for feature branch work.
g
I think the ability to spin up more stacks is not possible for us due to our resource credits. aka cost
s
You can use local state for a developer stack. It's not ideal, but it's not the worst thing in the world.
g
could you elaborate on "local state"?
s
You can store a state file locally as opposed to in Pulumi Cloud or S3: https://www.pulumi.com/docs/iac/concepts/state-and-backends/#local-filesystem
g
I see! Thanks for sharing that. Currently our setup is that each dev has their own Pulumi account when managing deployments and testing on their local machine. What we are hoping to solve is handling the serialized password from one system to another, since we share the pulumi.yaml file in our code repo.
s
That is, they use their personal Pulumi org to manage their personal dev stacks?
g
correct
s
I don't think you're going to be able to use Pulumi ESC in this case. Pulumi ESC only works with Pulumi Cloud as a backend for IaC.
g
hmmm ic