
flat-insurance-25294

01/15/2020, 3:12 PM
Since pulumi isn’t automatically setting the password, is there a way to generate a UUID with pulumi that is persisted so it doesn’t keep changing the password? Changing the password as a form of rotation isn’t a bad idea, but it does create a gap where the applications are either using the old password or the new password before RDS has changed.

colossal-plastic-46140

01/15/2020, 3:13 PM
The password could be a pulumi secret that you pass into your stack https://www.pulumi.com/docs/intro/concepts/config/

flat-insurance-25294

01/15/2020, 3:14 PM
@colossal-plastic-46140 Yeah I am trying to get away from loading stuff into the stack
It bothers me, since I should be able to set configs directly from pulumi instead of cli.

colossal-plastic-46140

01/15/2020, 3:19 PM
I was under the impression that in these cases where you have an RDS and let's say 5 apps that use this RDS, you have a couple of options:
1. Create a shared stack that has the config details for the user/pass
2. Once you've created a random password, use that login to create a bunch of new logins for your services
3. Ditch logins altogether and use IAM roles. The caveat is that everything needs to be inside AWS

flat-insurance-25294

01/15/2020, 3:19 PM
We don’t have that scenario

rhythmic-camera-25993

01/15/2020, 3:20 PM
I'm thinking of using the randomPassword module to set a static secret for the master password, but using secret manager to manage database users for each application's read and write roles, then enabling secret rotation for those secrets since RDS rotation is a built-in lambda

flat-insurance-25294

01/15/2020, 3:21 PM
We want to keep things simple and just attach the password (and others) as files on a mounted volume. Using the RandomPassword generator works fine for that. It actually solves my issue. The concern is rotation and making sure applications are up to date. ConfigMap changes are not hot reloaded so it’s tricky.

rhythmic-camera-25993

01/15/2020, 3:22 PM
ah, you're using k8s. my apologies. yeah that sounds like it would work pretty well then. set up a file watcher in your app for when the secret value changes and you're all set 👍

gentle-diamond-70147

01/15/2020, 3:27 PM
The pulumi.Random provider was built for this exact purpose.