https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# general
s
This message was deleted.
b
what state backend are you using?
no sorry, where are you storing pulumi state?
s
not sure i understand the questino, but i think the answer is on pulumi itself. The pulumi svc
yes pulumi state backend
b
okay, in that case, you can set stack permissions that allows you to define who can/can't read those values
s
i think i understand. So only users in there will be able to see outputs. So let’s say stack Services needs outputs from stack Core. Anyone in team Core can see the outputs. But not everyone in team Services will be able to read Core’s outputs. Only users who are both in teams in Core and in teams in Services can see the outputs of Core. Is this correct?
b
correct!
you can also define those teams programmatically: https://www.pulumi.com/registry/packages/pulumiservice/api-docs/team/
s
oh very cool. THank you for explaining. What does pulumi vs github teamType mean? https://www.pulumi.com/registry/packages/pulumiservice/api-docs/team/#teamtype_nodejs i don’t see such a thing in the console
b
For GitHub-backed organizations the teamType path parameter must be github. For all other organization types the teamType path parameter must be pulumi.
s
very cool. thank you
a
@billowy-army-68599 as far as I can tell this requires an Enterprise subscription, is that correct?
b
correct
s
Is there a way to allow developers to run pulumi preview against a stack, but not be able to log into the console and see the project there?
b
no, that isn't possible. Why would you want to do that though?
s
i’ll rephrase my question: Devs work on a project that they have read/write perms. The project also has a stack reference to a stack they don’t have write perms to. We would not like them to be able to view this stack in the console or get any other information about it. Just use some of its outputs. Is this possible? As opposed to having to hardcode output values into the stacks they are working on. To elaborate a little more: We want the sensitive Core infra to remain isolated. So only admins should be able to read/write to it and view it in the console. However we want some projects to be able to stack reference the cluster so that they can deploy into it. But we don’t want developers of these other projects to be able to see the Core stack in the console. It isn’t relevant to them. Only some of the outputs of the Core stack are.
b
you can only make the stack read only, you can't hide the stack completely
s
ok thank you. I guess we need to hardcode then or at least pass in values as env vars. An interesting idea would be to give a CI user read permissions only, and then users would have their code run by the CI.
a
@steep-portugal-37539 I wonder if this is solvable by using an intermediate stack (call it a demilitarized stack I guess) that references the core project and which is deployed by someone with read access to the core project, which in turn outputs only the minimal information needed for the other projects to deploy
that way someone could deploy those other projects only having read access to the demilitarized stack/project and having no access to the core project
(we have what sounds like basically the exact same requirement and I’ve been trying to think of creative ways to solve it)
s
That’s a very smart idea. Perhaps that works… I’m still thinking about it. Lmk if you try this. I would want to see how it looks in practice. I might try it myself soon
👌 1
3 Views
Open in Slack
PreviousNext
Powered by