https://pulumi.com logo
#general
Title
# general
g

gifted-ocean-95126

05/10/2020, 2:22 PM
๐Ÿ‘‹ Hi everyone, I'm new to Pulumi and I am trying to figure out if there is a way to prevent sensitive property values from being saved in the backend state (such as by only storing a cryptographic hash, for example). My use case is that I am trying to setup DigitalOcean droplets in such a way that I can configure them with Ansible without skipping host key checking when connecting to them (
-o StrictHostKeyChecking=no
). One way to achieve this is to generate the Droplet host keys locally on my PC then apply them to the Droplets using the
user_data
droplet property. I could then add the host public keys to the Pulumi stack output and configure Ansible to check the hosts against those public keys when connecting. But, running
pulumi stack export
shows that the original
#cloud-config
file, including the private keys, is being stored in the stack state. Although I understand that the data is encrypted, storing these files is unnecessary and so I would prefer not to store them. Can I tell Pulumi to store the hashes and not the original contents of resource properties? Thank you.
b

broad-dog-22463

05/10/2020, 2:29 PM
Hey Welcome :) you will be able to use the secret engine built into Pulumi to do this import * as pulumi from "@pulumi/pulumi"; import * as random from "@pulumi/random"; const username = new random.RandomString("my-string", { length: 16, special: true, }, { // RandomString has an output of 'result' where the string actually is stored additionalSecretOutputs: ["result"] }); export const secret = username.result;
As a small example
Notice that the CustomResourceOptions includes that secret options
g

gifted-ocean-95126

05/10/2020, 2:30 PM
Hi, thanks for the response
I thought the secrets functionality was only for marking whether the items should be shown to the user or not
b

broad-dog-22463

05/10/2020, 2:33 PM
No that also encrypts in the state as well
g

gifted-ocean-95126

05/10/2020, 2:34 PM
Is this two way encryption or is it a one way hash?
b

broad-dog-22463

05/10/2020, 2:35 PM
2 way as the engine will know how to decrypt it
But you wonโ€™t be able to do it directly - the cli will need access to the kms key to be able to do it
g

gifted-ocean-95126

05/10/2020, 2:38 PM
I can see that this is quite secure
Still, is there no way to choose how the information is stored? For example, the Terraform provider hashes the value before storing it in the state (it seems the there is a setting called
StateFunc
which allows this). https://github.com/terraform-providers/terraform-provider-digitalocean/blob/726215a1fd1d897296e22b7f5c28fb3a766e0f33/digitalocean/resource_digitalocean_droplet.go#L172
b

broad-dog-22463

05/10/2020, 3:11 PM
Pulumi have a number of secrets providers
๐Ÿ™ 1
๐Ÿ‘ 1