This message was deleted Pulumi Community #aws

Join Slack

This message was deleted.

# aws

sparse-intern-71089

03/01/2021, 6:54 AM

This message was deleted.

white-balloon-205

03/01/2021, 7:26 AM

It is possible. Depends a bit what you are trying to achieve. If you want to pass the raw secret value somewhere else - you can do that just by paid my the same value you used as an input to the SecretValue. If you instead want to pass the id of the secret, so that some other resource can look up the secret value, you can pass

<http://secret.id|secret.id>

or similar. If you have a code snippet of what you are trying - happy to provide more concrete suggestion.

enough-leather-70274

03/01/2021, 7:33 AM

Thanks @white-balloon-205. In the CDK I'd normally do something like the following to generate a new key/value secret.

Copy code

const secret = new Secret(construct, 'my-secret-name', {
    generateSecretString: {
        excludePunctuation: true,
        generateStringKey: 'password',
    },
});

enough-leather-70274

03/01/2021, 7:34 AM

I'm now using pulumi and python, but can't see a way to specify a keyval secret type (or the template to use).

enough-leather-70274

03/01/2021, 7:35 AM

Of course with the CDK I could only get halfway. For the particular resource I want to create (Managed AD), I actually need to supply the password to that portion of the IaC script to create the resource.

enough-leather-70274

03/01/2021, 7:37 AM

the same value you used as an input to the SecretValue

This is what I want to avoid - I'd like to let SecretsManager generate the password, then have Pulumi fetch it, maybe via GetSecretVersion

enough-leather-70274

03/01/2021, 7:41 AM

Or have I got this all wrong? Should I be using Pulumi to generate/ encrypt the initial password, seed it in SecretsManager as the initial value (how do I do that?) then use that value when creating my Managed AD?

billowy-army-68599

03/01/2021, 7:43 AM

When I'm doing this, I generally use

pulumi.Random

to generate the password: https://www.pulumi.com/docs/reference/pkg/random/randompassword/ this marks it as secret and encrypts it in the Pulumi state, then I store that password in secrets manager

billowy-army-68599

03/01/2021, 7:46 AM

part of the issues here is that pulumi expects declarative APIs, and the

GetRandomPassword

api (https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetRandomPassword.html) isn't declarative. CDK works around that by only calling that value when required, but pulumi random provider will do basically the same thing and is also declerative

enough-leather-70274

03/01/2021, 7:47 AM

Yup, cool - that'll work @billowy-army-68599. The other bit I was missing on re-reading the docs is it looks like I have to create the secret and first version separately (in the CDK it's one call).

billowy-army-68599

03/01/2021, 7:49 AM

cdk has a contruct which wraps all of the unique calls, you could build a component resource which looks very similar to the construct, but we expose the base resources and don't have a component resource to wrap it yet

👍 1

billowy-army-68599

03/01/2021, 7:50 AM

(we are working on building more component resources, and this seems like a good candidate!)

enough-leather-70274

03/01/2021, 7:50 AM

np. I'll give it a spin and report back if I have any further qtns/ issues. Thanks for your prompt help!

Open in Slack

Previous Next