https://pulumi.com logo
f

faint-motherboard-95438

12/14/2018, 1:41 PM
Hello, I was wondering what would be the best way to handle some applications specific users/credentials with pulumi ? ie. postgres Before diving too deep in researches I could use some thoughts from you guys 🙂
b

busy-umbrella-36067

12/14/2018, 4:11 PM
that all depends on if the secret can be stored in your state
if thats fine, you can just use a random string resource to feed the password
g

gorgeous-egg-16927

12/14/2018, 5:33 PM
https://github.com/pulumi/kubernetes-the-prod-way/blob/34c1bfded93822e02fb2ce8365f71b50b2d2d537/azure/identity/config.ts#L26-L30 is an example of using a random string to generate the password. You can also pass in an existing password as a config value with the
pulumi config set <password> --secret
CLI command
w

white-balloon-205

12/14/2018, 7:12 PM
Indeed - these are both great options.
that all depends on if the secret can be stored in your state
This part is something we are working on right now as part of https://github.com/pulumi/pulumi/issues/397. We plan to allow "secrets" to be encrypted in the checkpoint file as well, as an additional level of protection for any secrets managed via your Pulumi program.
f

faint-motherboard-95438

12/17/2018, 11:58 AM
Right, thanks @white-balloon-205 @gorgeous-egg-16927 and @busy-umbrella-36067. I was actually thinking of a way of managing the users CRUD operations and state like you do with clouds or k8s resources. Like having
PostgresUser
ComponentResource
which knows it has created a user in the postgres cluster instance and is able to update or delete it later on.