
ripe-knife-11053

05/11/2021, 4:27 PM
Hey all, is there a Pulumi module available somewhere for setting up all the required GCS resources to host your own state?

billowy-army-68599

05/11/2021, 4:30 PM
all you need for Pulumi state is a GCS storage bucket, locking is handled by the consistency of the storage object
there's a bit of a chicken and egg problem doing it with Pulumi, because you need state to create that bucket too 😄

ripe-knife-11053

05/11/2021, 4:30 PM
Pivoting (between state stores) is fine.
Also, I would expect said module to include a GCP KMS setup for encrypting the secrets.

billowy-army-68599

05/11/2021, 4:35 PM
secrets aren't in plaintext in Pulumi, so you don't need to encrypt the state store
Some kind of encryption provider is required for self-managed state.

billowy-army-68599

05/11/2021, 4:37 PM
they're encrypted at runtime by the engine, you pass your key to your pulumi config: https://www.pulumi.com/blog/peace-of-mind-with-cloud-secret-providers/
so if you actually look at the state on the bucket, there's no values in plaintext

ripe-knife-11053

05/11/2021, 4:37 PM
Right, but that key needs to come from somewhere. A passphrase (OK) or a GCP KMS key (better).
Hence why I’m looking for a module that just does all of this, similar to the ones that are available for Terraform.

billowy-army-68599

05/11/2021, 4:39 PM
we don't have a module for this just yet, but I can throw an example together

ripe-knife-11053

05/11/2021, 4:39 PM
If it’ll only take you a few minutes, that would be appreciated

billowy-army-68599

05/11/2021, 4:39 PM
which language SDK are you using?
here it is in typescript:
import * as gcp from "@pulumi/gcp";

// KMS key ring and key to use as the secrets provider for the stack's state
const keyring = new gcp.kms.KeyRing("stateEncryption", {
    location: "global",
});

const encryptionKey = new gcp.kms.CryptoKey("stateEncryption", {
    keyRing: keyring.id,
    rotationPeriod: "1000000s", // automatic rotation interval, in seconds
}, {
    // protect: true, // you may want to turn this on so `pulumi destroy` can't delete the key
    parent: keyring,
});

// Versioned bucket to hold the state files; versioning lets you roll back a bad state write
const bucket = new gcp.storage.Bucket("state", {
    versioning: {
        enabled: true,
    },
});
You'll need to add IAM permissions too

ripe-knife-11053

05/11/2021, 5:01 PM
Python