I need your help How to avoid storing encrypted secrets in p Pulumi Community #general

I need your help. How to avoid storing encrypted s...

bitter-carpenter-93554

02/21/2023, 9:00 PM

I need your help. How to avoid storing encrypted secrets in pulumi state file? Example: in order to create Azure PostgreSQL server I need to set admin password. In this case it will be stored in state file like this:

Copy code

"type": "azure-native:dbforpostgresql/v20221201:Server",
                    "inputs": {
                        "administratorLogin": "admin",
                        "administratorLoginPassword": {
                            "4dabf18193072939515e22adb298388d": "1b47061264138c...",
                            "ciphertext": "v1:some_ecryption_here"
                        },...

Can it be set as vault path in state file? Or do you know another solution?

acoustic-truck-53557

02/21/2023, 9:09 PM

You can use pulumi secrets for that https://www.pulumi.com/docs/intro/concepts/secrets/

acoustic-truck-53557

02/21/2023, 9:10 PM

I'm working with AWS, so I have configured it to use a AWS KMS to encrypt the secrets.

acoustic-truck-53557

02/21/2023, 9:11 PM

on the pulumi state files, you end up with the base64 encrypted value, for each secret you store.

bitter-carpenter-93554

02/21/2023, 9:11 PM

and how does secrets are present in state file ?

billowy-army-68599

02/21/2023, 9:12 PM

you can’t avoid storing the API result like the login password in the statefile, that’s just how pulumi works

billowy-army-68599

02/21/2023, 9:12 PM

you can encrypt those values though, as Diogo mentioned

bitter-carpenter-93554

02/21/2023, 9:13 PM

so, in state file there is not way to have something like ?

Copy code

"administratorLoginPassword": <link to KMS or Vault>

billowy-army-68599

02/21/2023, 9:14 PM

no, any API result that comes back from the azure API gets stored in state

bitter-carpenter-93554

02/21/2023, 9:15 PM

it is same true for AWS and kubernetes providers as well, right?

bitter-carpenter-93554

02/21/2023, 9:19 PM

just want to confirm 🙂

billowy-army-68599

02/21/2023, 9:19 PM

yep, any provider response will be stored in state, but a secret value will be encrypted

bitter-carpenter-93554

02/21/2023, 9:19 PM

Thank you

bitter-carpenter-93554

02/21/2023, 9:21 PM

one more question, do you know by any chance if it possible to avoid encrypted sensitive data in Terraform state file?

billowy-army-68599

02/21/2023, 9:21 PM

no, terraform stores all these values in plaintext

billowy-army-68599

02/21/2023, 9:22 PM

so you can’t even encrypt those values

billowy-army-68599

02/21/2023, 9:22 PM

you can encrypt the data store, but the values are stored in plaintext

bitter-carpenter-93554

02/21/2023, 9:22 PM

thank you @billowy-army-68599 and @acoustic-truck-53557

2 Views

Open in Slack

Previous Next