full-artist-27215
09/29/2021, 4:20 PM
pulumi_vault.aws.SecretBackend (https://www.pulumi.com/docs/reference/pkg/vault/aws/secretbackend/) along with a pulumi_aws.iam.User (https://www.pulumi.com/docs/reference/pkg/aws/iam/user/) and a pulumi_aws.iam.AccessKey (https://www.pulumi.com/docs/reference/pkg/aws/iam/accesskey/) to do the initial setup.

The wrinkle comes in where Vault allows you to automatically rotate the credentials with vault write -f aws/config/rotate-root (https://www.vaultproject.io/api-docs/secret/aws#rotate-root-iam-credentials). This changes what Pulumi thinks it knows about the state of the world. Things are fine as long as you continue to pulumi up, but once you run pulumi refresh, the difference is discovered, steps are taken to remediate the situation, and things get messy.

Initially, I was thinking I could use Pulumi to do the initial setup, then remove the pulumi_aws.iam.AccessKey resource (after I had Vault rotate it the first time), and add an ignore_changes (https://www.pulumi.com/docs/intro/concepts/resources/#ignorechanges) option on the pulumi_vault.aws.SecretBackend. However, when I run pulumi refresh after having Vault rotate the key, it still shows that an update needs to happen. The diff doesn't show anything, but if I compare the stack outputs before and after (using pulumi stack export) I see a bunch of ciphertext changes that I'm having trouble making heads or tails of.

I'm curious if anyone else has had any success with a similar setup in Pulumi. Is there a better way to do this using Pulumi? Or would it be better to manually create these things outside of Pulumi, and then perhaps adopt the resources into Pulumi? Thanks.

red-fish-22980
10/06/2021, 2:57 PM

full-artist-27215
10/06/2021, 3:08 PM

red-fish-22980
10/06/2021, 3:10 PM

full-artist-27215
10/06/2021, 3:13 PM

red-fish-22980
10/06/2021, 3:15 PM
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const cfg = new pulumi.Config();

/**
 * AWS Secret backend
 */
const awsBackend = new vault.aws.SecretBackend("aws", {
    accessKey: cfg.require("aws_access_key"),
    secretKey: cfg.requireSecret("aws_secret_key"),
    region: cfg.require("aws_region"),
});
full-artist-27215
10/06/2021, 3:17 PM

red-fish-22980
10/06/2021, 3:19 PM

full-artist-27215
10/06/2021, 3:22 PM

red-fish-22980
10/06/2021, 3:22 PM

full-artist-27215
10/06/2021, 3:23 PM

red-fish-22980
10/06/2021, 3:23 PM

full-artist-27215
10/06/2021, 3:29 PM
depends_on.

red-fish-22980
10/06/2021, 3:30 PM