# esc
b
Hello, I'm just wondering if anyone has faced a similar issue. I store 500 secrets in ESC. When I use that environment in an IaC stack, it takes ages until the preview or up command shows any kind of output.
s
Hi @bitter-scooter-78136 👋 let me try to rule this out, do you also experience a similar delay when running `pulumi env open ...` or any other context?
b
env open is fast, it's only when used in an IaC stack. https://github.com/pulumi/pulumi/issues/20338 It sends a separate API call for each secret, which takes 300-500ms 😞
f
Is your ESC environment using any dynamic secret providers? I'm not able to reproduce this when importing an ESC environment in an iac stack
b
No. I have a Pulumi stack with 500 secrets
```yaml
config:
  env:secrets:
    LICENSE_KEY:
      secure: <ENCRYPTED_KEY>
    ....
```
```typescript
// index.ts
const secrets = config.getObject<{ [key: string]: string }>("secrets") || {};
const secretEntries = Object.entries(secrets).map(([key, value]) => {
  // code which creates the YAML file and saves it to the ESC environment
});
```
This takes really long to get running. I was hoping that when everything is in esc other stack will load fast enough
```yaml
# Pulumi.production.yaml
config:
...
environment:
  - org/production
```
But other stack then is taking same time to load and decrypts secrets one by one
f
I'm not able to reproduce with an essentially blank iac stack importing an ESC environment with >500 secrets. All it is doing is an Open Environment call and it shouldn't be decrypting one by one. Is your stack doing something else? If you have a minimal reproduction example, that would be super helpful. Thanks!
b
1. `pulumi new`
2. `for i in {1..500}; do pulumi config set --path "application.$i" "$i" --secret; done`

index.ts
```typescript
import * as pulumi from "@pulumi/pulumi";

export const config = new pulumi.Config();

const secrets = config.requireSecretObject<Record<string, any>>("application");

pulumi.all([secrets]).apply(([secretsObj]) => {
  const secretEntries = Object.entries(secretsObj)
    .map(([key, value]) => {
      return `    ${key}:\n      fn::secret: "${value}"`;
    })
    .join("\n");

  let yamlContent = `values:
  pulumiConfig:`;
  if (secretEntries) {
    yamlContent += `\n${secretEntries}`;
  }
  return new pulumi.asset.StringAsset(yamlContent);
});
```
`pulumi up`
f
Ok thanks, I see that if you're using stack secrets, it encrypts/decrypts each one. But if your secrets are in an ESC environment, you should be able to import that into your iac stack pretty quickly
I'll bring up the issue with stack secrets with the relevant team though. It definitely could be improved
b
Thank You, but it happens the same if I import it with
environment:
- org/production
I found a workaround, with using
```typescript
import * as esc from "@pulumi/esc-sdk";

const client = esc.DefaultClient();
const clientEnv = client
  .openAndReadEnvironment("org", "project", "production")
  .then(envConfig => {
    envConfig?.values?.pulumiConfig; // fetching values from there
  });
```
Then it works like a charm, but I suppose properly working
environment:
- org/production
is how it should be working 😄
f
Right, I agree that it should be working with setting `environment` normally. I suspect it's still loading the stack secrets.
Do you still have stack secrets set in your Pulumi yaml? If they are still set, pulumi will load them all.
b
No, I've removed them. Trust me, I've tried everything 😄
f
Ah, thanks for your patience, I'm finally able to reproduce 🙂 will look into it
s
Thanks Eimantas! We'll take a look into this issue to improve the integration. We can follow up on the GitHub issue. Thank you so much for all the detailed explanation. I'm glad that you have found a workaround until this gets properly fixed 🧑‍💻