Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
t
tall-crowd-93084
11/05/2022, 5:01 PMHey folks I have a question about secrets, and instantiating resources.
Let's say I have a function that set up a new set of resources (hezner machine, firewall attachments, storage, dns records etc). Once the machine is set up, I will want to run an ansible playbook against it (as outlined here https://www.pulumi.com/blog/deploy-wordpress-aws-pulumi-ansible/) which in my case sets up a docker compose stack.
I would like to generate several (<10) random strings for passwords and such that will go into the
.envpulumi config set --secretm
miniature-king-36473
11/05/2022, 5:05 PMWill require that your state is stored securely as the passwords will not be encrypted in the state file.
t
tall-crowd-93084
11/05/2022, 5:09 PM@miniature-king-36473 I'm just playing with that actually. If I was to use this with the pulumi web service would that count as the stack being stored securely?
Presumably I'd just create my .env by interpolating these values?
m
miniature-king-36473
11/05/2022, 5:16 PMhttps://www.pulumi.com/docs/intro/concepts/state
mentions "Encrypted state in transit and at rest"
Yes you can interpolate them.
An alternative is to use the AWS Parameter store for the passwords and pull these down in the ansible script.
However this may be overkill for your use case.
t
tall-crowd-93084
11/05/2022, 5:17 PMThanks @miniature-king-36473 - this looks like a good solution. Is there a way to query just a part of the state? Say I wanted to just ask for the
--show-secretsm
miniature-king-36473
11/05/2022, 5:21 PMto get the passwords I would just reference the resources you create for the password - no need to query the state.
const password = new random.RandomPassword("password", {...})
// can just reference the generated password in code.
password.generatedt
tall-crowd-93084
11/05/2022, 5:22 PMGot it, I was more meaning if I as an operator wanted to look up a particular password for a service on one of the machines I've set up (say I wanted to log into a database with one of the randomly generated passwords)
m
miniature-king-36473
11/05/2022, 5:26 PMyou could publish them as an output of your stack, allowing you to retrieve them with
pulumi stack --show-secrets output [password-name]t
tall-crowd-93084
11/05/2022, 5:27 PMperfect, thanks!
@miniature-king-36473:
pulumi stack output --show-secrets -j | jq ".secrets.hasura"