Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
r
ripe-knife-11053
05/11/2021, 4:27 PMHey all, is there a Pulumi module available somewhere for setting up all the required GCS resources to host your own state?
b
billowy-army-68599
05/11/2021, 4:30 PMall you need for Pulumi state is a GCS storage bucket, locking is handled by the consistency of the storage object
there's a bit of a chicken and egg problem doing it with Pulumi, because you need state to create that bucket too 😄
r
ripe-knife-11053
05/11/2021, 4:30 PMPivoting (between state stores) is fine.
Also, I would expect said module to include a GCP KMS setup for encrypting the secrets.
b
billowy-army-68599
05/11/2021, 4:35 PMsecrets aren't in plaintext in Pulumi, so you don't need to encrypt the state store
r
ripe-knife-11053
05/11/2021, 4:36 PMSome kind of encryption provider is required for self-managed state.
b
billowy-army-68599
05/11/2021, 4:37 PMthey're encrypted at runtime by the engine, you pass your key to your pulumi config:
https://www.pulumi.com/blog/peace-of-mind-with-cloud-secret-providers/
so if you actually look at the state on the bucket, there's no values in plaintext
r
ripe-knife-11053
05/11/2021, 4:37 PMRight, but that key needs to come from somewhere. A passphrase (OK) or a GCP KMS key (better).
Hence why I’m looking for a module that just does all of this, similar to the ones that are available for Terraform.
b
billowy-army-68599
05/11/2021, 4:39 PMwe don't have a module for this just yet, but I can throw an example together
r
ripe-knife-11053
05/11/2021, 4:39 PMIf it’ll only take you a few minutes, that would be appreciated
b
billowy-army-68599
05/11/2021, 4:39 PMwhich language SDK are you using?
here it is in typescript:
const keyring = new gcp.kms.KeyRing("stateEncryption", {
location: "global",
})
const encryptionKey = new gcp.kms.CryptoKey("stateEncryption", {
keyRing: keyring.id,
rotationPeriod: "1000000s",
}, {
// protect: true # you may want to turn this on!
parent: keyring,
})
const bucket = new gcp.storage.Bucket("state", {
versioning: {
enabled: true,
},
})r
ripe-knife-11053
05/11/2021, 5:01 PMPython