I'm automating the setup of a Hashicorp Vault server, and setting up an AWS secrets backend (https://www.vaultproject.io/docs/secrets/aws) Part of that entails passing the secret key and access key of an IAM user to allow Vault to interact with AWS. I can use a

pulumi_vault.aws.SecretBackend

(https://www.pulumi.com/docs/reference/pkg/vault/aws/secretbackend/) along with a

pulumi_aws.iam.User

(https://www.pulumi.com/docs/reference/pkg/aws/iam/user/) and a

pulumi_aws.iam.AccessKey

(https://www.pulumi.com/docs/reference/pkg/aws/iam/accesskey/) to do the initial setup. The wrinkle comes in where Vault allows you to automatically rotate the credentials with

vault write -f aws/config/rotate-root

(https://www.vaultproject.io/api-docs/secret/aws#rotate-root-iam-credentials). This changes what Pulumi thinks it knows about the state of the world. Things are fine as long as you continue to

pulumi up

, but once you run

pulumi refresh

, the difference is discovered, steps are taken to remediate the situation, and things get messy. Initially, I was thinking I could use Pulumi to do the initial setup, then remove the

pulumi_aws.iam.AccessKey

resource (after I had Vault rotate it the first time), and add an

ignore_changes

(https://www.pulumi.com/docs/intro/concepts/resources/#ignorechanges) option on the

pulumi_vault.aws.SecretBackend

. However, when I run

pulumi refresh

after having Vault rotate the key, it still shows that an update needs to happen. The diff doesn't show anything, but if I compare the stack outputs before and after (using

pulumi stack export

) I see a bunch of ciphertext changes that I'm having trouble making heads or tails of. I'm curious if anyone else has had any success with a similar setup in Pulumi. Is there a better way to do this using Pulumi? Or would it be better to manually create these things outside of Pulumi, and then perhaps adopt the resources into Pulumi? Thanks.

Hi, I'm mixing both AWS IAM and Hashicorp Vault in a Pulumi project

@red-fish-22980 Yeah, I've been able to do similar setup with Pulumi and it works fine. My particular concern is just about the patterns of using Pulumi to manage the IAM user and key pair that back an AWS secret method in Vault while also allowing Vault to be in charge of rotating that key. It seems as though using Pulumi for that particular bit of set-up may not be great, but I'm not sure if there's something I'm missing

Well we use HVault to manage our user and aws is only used through roles

So when you set up your AWS secrets backend in Vault, do you set it up with credentials of its own, or do you use ambient credentials (e.g., your Vault is running in AWS, and it just uses your EC2 instance credentials)? If the backend has its own credentials, what creates those? Pulumi, or a separate process?

for the moment, I create AWS credentials with an other step of my CI and I put them manually in pulumi config

OK 👍

yes I understand, I will have to do the same in the future

Well, let me know if you find something that works, and I'll do the same for you 😅

👍

what do you mean by managing a ComponentResource?

the doc is spread among tons of unusefull other topics

dependsOn is generally useful for when you have resources that logically depend on each other, but where that dependency isn't represented in the inputs for that resource. That is, A actually depends on C, but A's constructor only takes B as an argument (and B doesn't directly depend on C). I had to do this with some Vault resources when I created a Namespace, but then needed to create a number of resources inside that Namespace. Unfortunately, because of the way the underlying Terraform Vault provider is designed, you don't actually pass a Namespace as an argument; you have to use an entirely separate provider instance. Because of this, I had to explicitly wire up that dependency with a

depends_on

.

ok, I'll do