https://pulumi.com logo
Title
b

bumpy-bear-61087

10/28/2021, 8:42 AM
Is it possible to run pulumi locally comparable to terraform? I don't want to use a SaaS for storing sensitive state.
p

prehistoric-activity-61023

10/28/2021, 9:37 AM
l

limited-rainbow-51650

10/28/2021, 10:29 AM
@bumpy-bear-61087 don't hesitate to use the hosted platform to store your state, even secrets, but take control over how to encrypt sensitive data using Encryption Providers. https://www.pulumi.com/docs/intro/concepts/secrets/
I say this because there are still numerous problems with self-managed state backends: https://github.com/pulumi/pulumi/issues/4605
So save yourself some time fighting over bugs or inconsistencies, use the hosted platform (no, I don't get paid to say this) but configure your own encryption provider.
p

prehistoric-activity-61023

10/28/2021, 10:48 AM
@limited-rainbow-51650 you seem to be quite experienced with this one so I’m gonna ask (I was about to check it myself but I haven’t got any time to do this): when you use custom encryption provider (like KMS or Vault), does it mean that: • all the password are stored there OR • password are still stored (encrypted) in Pulumi Service but the encryption key is provided by encryption provider
l

limited-rainbow-51650

10/28/2021, 10:49 AM
@prehistoric-activity-61023 the latter one: encrypted data is stored in Pulumi Service, but you own the encryption key, not Pulumi Corp.
p

prehistoric-activity-61023

10/28/2021, 10:52 AM
that’s what I thought (since the name “encryption provider” and not “secret storage provider” for example)
l

limited-rainbow-51650

10/28/2021, 10:53 AM
Out of curiosity: is that still a problem for you?
p

prehistoric-activity-61023

10/28/2021, 10:54 AM
not for me really (right now, we’re using Pulumi Service for encryption as well)
but once we had a discussion on this Slack where the company policy forbids storing (encrypted) passwords outside of the company managed resources (even if encryption key is provided)
l

limited-rainbow-51650

10/28/2021, 10:58 AM
I understand. Although not strictly forbidden due to this split, we try to limit it as much as possible.
b

billowy-army-68599

10/28/2021, 2:52 PM
I would love to hear feedback about how we could make this more palatable to infosec orgs.
p

prehistoric-activity-61023

10/28/2021, 2:57 PM
I wish I could help but I haven’t worked with such restrictions yet. I think most people are happy with Pulumi Service. Providing your own encryption key should be more than enough for the rest. If your company requires everything to be hosted by you… you probably should have Enteprise version of pulumi deployed on-premise (it’s supported, isn’t it?).
b

bumpy-bear-61087

10/28/2021, 7:38 PM
To be fair using the GCS backend seems to do what I want 👍 Or will that still use the SaaS?
b

billowy-army-68599

10/28/2021, 8:13 PM
it won't use the SaaS no
🙌 1