# contribute
c
Hey, I've recently started using Scaleway for a smaller project. We're hosting our state in a bucket on Scaleway, and we'd like to use Scaleway's KMS as the secrets provider, but as far as I can tell, there is no generic layer here, so Scaleway's KMS service would have to be implemented just like awskms, azurekms, gcpkms, etc. If we were to throw together a PR, would that be accepted? I can understand that it potentially would lead to bloat if every single provider's specific implementation has to be implemented, but I thought I'd ask here before going down that route.
e
We just use gocloud dev for secrets, so you'd need to raise a PR there first: https://github.com/google/go-cloud/tree/master/secrets

If that got accepted and released, I think it would be a pretty small PR to add it into Pulumi as well. Mostly just adding to https://github.com/pulumi/pulumi/blob/275ab73ba7bb24f5163bb77ac3d145860b004bf8/pkg/secrets/cloud/manager.go and a couple of places where we list all the schemes out.

I have also pondered making the whole secrets backend use a plugin system (like resource providers), so if you can't get a PR into gocloud, then this would be further fuel to actually get that plugin system built.
c
Thank you for giving a detailed answer, Fraser! It really shouldn't be much code, but there will certainly be a few hoops to jump through. 🤔 It is probably a bit too soon to add Scaleway KMS support, since the service is only in beta. Currently we're working around it by using direnv with Scaleway's secret manager and using Pulumi's passphrase provider, which is a fine solution, but it would be even better to just use a key vault.
e
Yeh, this would be a win for the plugin system, because the bar to reach can be a lot lower for an internal plugin you write to use a new service vs. what you'd need to do to get that accepted into gocloud.
c
I do feel like it should be possible for the key management services to have a generic interface... But I guess we can just count ourselves lucky that at least S3 has become a "standard".

A plugin system for secret providers would be very cool. But you'd of course have to weigh the business value for Pulumi as a whole, and I reckon that the value proposition would be quite low, since most customers are probably satisfied with Azure/GCP/AWS or use Pulumi ESC.
e
Low but not zero; we have had it come up a few times.