# general
s
This message was deleted.
b
all you need for Pulumi state is a GCS storage bucket, locking is handled by the consistency of the storage object
there's a bit of a chicken and egg problem doing it with Pulumi, because you need state to create that bucket too 😄
r
Pivoting (between state stores) is fine.
Also, I would expect said module to include a GCP KMS setup for encrypting the secrets.
b
secrets aren't in plaintext in Pulumi, so you don't need to encrypt the state store
b
they're encrypted at runtime by the engine, you pass your key to your pulumi config: https://www.pulumi.com/blog/peace-of-mind-with-cloud-secret-providers/
r
Some kind of encryption provider is required for self-managed state.
b
so if you actually look at the state on the bucket, there's no values in plaintext
r
Right, but that key needs to come from somewhere. A passphrase (OK) or a GCP KMS key (better).
Hence why I’m looking for a module that just does all of this, similar to the ones that are available for Terraform.
b
we don't have a module for this just yet, but I can throw an example together
r
If it’ll only take you a few minutes, that would be appreciated
b
which language SDK are you using?
here it is in typescript:
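```typescript
import * as gcp from "@pulumi/gcp";

// Key ring that holds the key used by the Pulumi secrets provider
const keyring = new gcp.kms.KeyRing("stateEncryption", {
    location: "global",
})

// Key used to encrypt secret values in the state
const encryptionKey = new gcp.kms.CryptoKey("stateEncryption", {
    keyRing: keyring.id,
    rotationPeriod: "1000000s",
}, {
    // protect: true, // you may want to turn this on!
    parent: keyring,
})

// Versioned bucket that stores the Pulumi state
const bucket = new gcp.storage.Bucket("state", {
    versioning: {
        enabled: true,
    },
})
```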
You'll need to add IAM permissions too
r
Python