tall-crowd-93084

11/05/2022, 5:01 PM
Hey folks, I have a question about secrets and instantiating resources. Let's say I have a function that sets up a new set of resources (Hetzner machine, firewall attachments, storage, DNS records etc.). Once the machine is set up, I will want to run an Ansible playbook against it (as outlined here https://www.pulumi.com/blog/deploy-wordpress-aws-pulumi-ansible/), which in my case sets up a docker compose stack. I would like to generate several (<10) random strings for passwords and such that will go into the `.env` file alongside docker compose. I would like those passwords to be securely stored in the state, but I don't really want to have to run a bunch of `pulumi config set --secret` commands, or generate those as a manual step. I'd also like to be able to look those values up when needed. What's my best option/architectural pattern to do this in Pulumi?
miniature-king-36473

11/05/2022, 5:05 PM
Will require that your state is stored securely as the passwords will not be encrypted in the state file.
tall-crowd-93084

11/05/2022, 5:09 PM
@miniature-king-36473 I'm just playing with that actually. If I was to use this with the pulumi web service would that count as the stack being stored securely?
Presumably I'd just create my .env by interpolating these values?
miniature-king-36473

11/05/2022, 5:16 PM
https://www.pulumi.com/docs/intro/concepts/state mentions "Encrypted state in transit and at rest". Yes, you can interpolate them. An alternative is to use the AWS Parameter Store for the passwords and pull these down in the Ansible script. However, this may be overkill for your use case.
tall-crowd-93084

11/05/2022, 5:17 PM
Thanks @miniature-king-36473 - this looks like a good solution. Is there a way to query just a part of the state? Say I wanted to just ask for the `--show-secrets` of one part of the state?
miniature-king-36473

11/05/2022, 5:21 PM
To get the passwords I would just reference the resources you create for the password - no need to query the state.
```typescript
import * as random from "@pulumi/random";

// `length` is required; 32 is just a value chosen to complete the snippet.
const password = new random.RandomPassword("password", { length: 32 });

// The generated value is the `result` output, a secret Output<string>
// that stays encrypted in the stack state; reference it directly in code.
const dbPassword = password.result;
```
tall-crowd-93084

11/05/2022, 5:22 PM
Got it, I was more meaning if I as an operator wanted to look up a particular password for a service on one of the machines I've set up (say I wanted to log into a database with one of the randomly generated passwords)
miniature-king-36473

11/05/2022, 5:26 PM
You could publish them as an output of your stack, allowing you to retrieve them with `pulumi stack --show-secrets output [password-name]`.
tall-crowd-93084

11/05/2022, 5:27 PM
Perfect, thanks!
@miniature-king-36473: `pulumi stack output --show-secrets -j | jq ".secrets.hasura"`
Perfect 🙂