:wave: Hi everyone, I'm new to Pulumi and I am try...
# general
๐Ÿ‘‹ Hi everyone, I'm new to Pulumi and I am trying to figure out if there is a way to prevent sensitive property values from being saved in the backend state (such as by only storing a cryptographic hash, for example). My use case is that I am trying to setup DigitalOcean droplets in such a way that I can configure them with Ansible without skipping host key checking when connecting to them (
-o StrictHostKeyChecking=no
). One way to achieve this is to generate the Droplet host keys locally on my PC then apply them to the Droplets using the
droplet property. I could then add the host public keys to the Pulumi stack output and configure Ansible to check the hosts against those public keys when connecting. But, running
pulumi stack export
shows that the original
file, including the private keys, is being stored in the stack state. Although I understand that the data is encrypted, storing these files is unnecessary and so I would prefer not to store them. Can I tell Pulumi to store the hashes and not the original contents of resource properties? Thank you.
Hey Welcome :) you will be able to use the secret engine built into Pulumi to do this import * as pulumi from "@pulumi/pulumi"; import * as random from "@pulumi/random"; const username = new random.RandomString("my-string", { length: 16, special: true, }, { // RandomString has an output of 'result' where the string actually is stored additionalSecretOutputs: ["result"] }); export const secret = username.result;
As a small example
Notice that the CustomResourceOptions includes that secret options
Hi, thanks for the response
I thought the secrets functionality was only for marking whether the items should be shown to the user or not
No that also encrypts in the state as well
Is this two way encryption or is it a one way hash?
2 way as the engine will know how to decrypt it
But you wonโ€™t be able to do it directly - the cli will need access to the kms key to be able to do it
I can see that this is quite secure
Still, is there no way to choose how the information is stored? For example, the Terraform provider hashes the value before storing it in the state (it seems the there is a setting called
which allows this). https://github.com/terraform-providers/terraform-provider-digitalocean/blob/726215a1fd1d897296e22b7f5c28fb3a766e0f33/digitalocean/resource_digitalocean_droplet.go#L172
Pulumi have a number of secrets providers
๐Ÿ™ 1
๐Ÿ‘ 1