I need your help. How do I avoid storing encrypted secrets in the pulumi state file? Example: in order to create an Azure PostgreSQL server I need to set an admin password. In this case it will be stored in the state file like this:
"type": "azure-native:dbforpostgresql/v20221201:Server",
"inputs": {
    "administratorLogin": "admin",
    "administratorLoginPassword": {
        "4dabf18193072939515e22adb298388d": "1b47061264138c...",
        "ciphertext": "v1:some_ecryption_here"
    }
}
Can it be set as a vault path in the state file? Or do you know another solution?
You can use pulumi secrets for that https://www.pulumi.com/docs/intro/concepts/secrets/
I'm working with AWS, so I have configured it to use an AWS KMS key to encrypt the secrets.
In the pulumi state files, you end up with the base64 encrypted value for each secret you store.
And how are secrets present in the state file?
You can't avoid storing the API result, like the login password, in the state file; that's just how pulumi works.
You can encrypt those values though, as Diogo mentioned.
So, in the state file there is no way to have something like:
"administratorLoginPassword": <link to KMS or Vault>
No, any API result that comes back from the Azure API gets stored in state.
Is the same true for the AWS and Kubernetes providers as well?
just want to confirm 🙂
Yep, any provider response will be stored in state, but a secret value will be encrypted.
Thank you
One more question: do you know by any chance if it is possible to avoid encrypted sensitive data in the Terraform state file?
No, Terraform stores all these values in plaintext.
So you can't even encrypt those values.
You can encrypt the data store, but the values are stored in plaintext.
Thank you @billowy-army-68599 and @acoustic-truck-53557