
enough-leather-70274

03/01/2021, 6:54 AM
Hi folks - I'd like to use AWS Secrets Manager to auto-generate a password. However I also need access to that secret value later in my pulumi script as it's a required input when creating the dependent resource. Is this possible?

white-balloon-205

03/01/2021, 7:26 AM
It is possible. Depends a bit what you are trying to achieve. If you want to pass the raw secret value somewhere else - you can do that just by passing the same value you used as an input to the SecretValue. If you instead want to pass the id of the secret, so that some other resource can look up the secret value, you can pass secret.id or similar. If you have a code snippet of what you are trying - happy to provide more concrete suggestion.

enough-leather-70274

03/01/2021, 7:33 AM
Thanks @white-balloon-205. In the CDK I'd normally do something like the following to generate a new key/value secret.
import { Secret } from '@aws-cdk/aws-secretsmanager'; // CDK v1 module providing the Secret construct

// Create a key/value secret whose 'password' key is filled in by Secrets Manager
const secret = new Secret(construct, 'my-secret-name', {
    generateSecretString: {
        excludePunctuation: true,
        generateStringKey: 'password',
    },
});
I'm now using pulumi and python, but can't see a way to specify a keyval secret type (or the template to use).
Of course with the CDK I could only get halfway. For the particular resource I want to create (Managed AD), I actually need to supply the password to that portion of the IaC script to create the resource.
> the same value you used as an input to the SecretValue
This is what I want to avoid - I'd like to let SecretsManager generate the password, then have Pulumi fetch it, maybe via GetSecretVersion
Or have I got this all wrong? Should I be using Pulumi to generate/ encrypt the initial password, seed it in SecretsManager as the initial value (how do I do that?) then use that value when creating my Managed AD?

billowy-army-68599

03/01/2021, 7:43 AM
When I'm doing this, I generally use pulumi.Random to generate the password: https://www.pulumi.com/docs/reference/pkg/random/randompassword/ this marks it as secret and encrypts it in the Pulumi state, then I store that password in secrets manager
part of the issues here is that pulumi expects declarative APIs, and the GetRandomPassword api (https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetRandomPassword.html) isn't declarative. CDK works around that by only calling that value when required, but pulumi random provider will do basically the same thing and is also declarative

enough-leather-70274

03/01/2021, 7:47 AM
Yup, cool - that'll work @billowy-army-68599. The other bit I was missing on re-reading the docs is it looks like I have to create the secret and first version separately (in the CDK it's one call).

billowy-army-68599

03/01/2021, 7:49 AM
cdk has a construct which wraps all of the unique calls, you could build a component resource which looks very similar to the construct, but we expose the base resources and don't have a component resource to wrap it yet
(we are working on building more component resources, and this seems like a good candidate!)

enough-leather-70274

03/01/2021, 7:50 AM
np. I'll give it a spin and report back if I have any further questions/issues. Thanks for your prompt help!