We have started to use Pulumi and it's been mostly smooth, just some issues with EKS etc. But today I realized something that is considerably more difficult in Pulumi than in Terraform. When I create resources in Terraform I know exactly the resource name to query. This seems not be the case with Pulumi since it appends its own postfix to resource names. E.g. if I create an AWS Secret using terraform I know in my application code later on that the key is e.g. "dev-rds-password". But with Pulumi I don't know this in application code since the name is something like "dev-rds-password-b229d59" and in application code I have no idea what the postfix is. Is there some pattern for this? For now I need to look all AWS Secrets and check the tag values to find the right secret and find its name and only then I can query the secret value using that resource name.

This is actually intentional. The best practice is not to give fixed names to resources unless required, so that’s Pulumi’s default. If you need to set a fixed name, you can always pass it as

name

property.

@quiet-painter-30539 in my TF days, I wrote quite some code where in general we always added a random part. This was to prevent running over each other’s toes when multiple deployments needed to be done with the same TF code. We consistently used DataSources to lookup the correct resource via tags. The reason to do it like that was that TF complained at the DataSource when it wasn’t found, rather than later where you fix the name and assume it is there.

Ok. Is there some documentation how to use DataSources to look for the actual resource name?

In Pulumi, it is not called DataSources (this is a TF concept), but in the libraries, you have several methods prefixed with

get

. This is the Pulumi equivalent.

Ok. Thanks!

Well, just checked some docs, and Pulumi also calls them Data Sources, e.g. https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/gcp/projects/

getProject

&

getOrganizationPolicy

Just to make sure we are talking about the same thing. I was referring that I need to query the secret value in a Java application. But in Java I don't know the resource name Pulumi created. Is there some way to find this out in the Java application?

@quiet-painter-30539 is the Java application deployed via Pulumi? If so, you can pass the credential name as an env variable to the Java app during the deployment. From there, the Java app reads the env variable and queries the correct secret

In Terraform this never was a problem since we always append the environment prefix to all resources, e.g. "dev-rds-password", "qa-rds-password" etc. and there never was any name conflicts. And in Java application code we just took the prefix somewhere and added it to the resource name and this way we could query the resource in Java code. Now that there is this random postfix Pulumi creates we cannot access the resources in Java since we don't know the resource name. This might be a show-stopper for us. Nope. We don't deploy apps using Pulumi. We should be able to do deployments without Pulumi.

Then use the suggestion of Mikhail and set the

name

property of the secret in Pulumi to prevent the randomization to happen.

Yes. I guess we have to do that.