Hello, I was wondering what would be the best way to handle some applications specific users/credentials with pulumi ? ie. postgres Before diving too deep in researches I could use some thoughts from you guys 🙂

that all depends on if the secret can be stored in your state

https://github.com/pulumi/kubernetes-the-prod-way/blob/34c1bfded93822e02fb2ce8365f71b50b2d2d537/azure/identity/config.ts#L26-L30 is an example of using a random string to generate the password. You can also pass in an existing password as a config value with the

pulumi config set <password> --secret

CLI command

Indeed - these are both great options.

that all depends on if the secret can be stored in your state

This part is something we are working on right now as part of https://github.com/pulumi/pulumi/issues/397. We plan to allow "secrets" to be encrypted in the checkpoint file as well, as an additional level of protection for any secrets managed via your Pulumi program.

Right, thanks @white-balloon-205 @gorgeous-egg-16927 and @busy-umbrella-36067. I was actually thinking of a way of managing the users CRUD operations and state like you do with clouds or k8s resources. Like having

PostgresUser

ComponentResource

which knows it has created a user in the postgres cluster instance and is able to update or delete it later on.