
bitter-carpenter-93554

02/21/2023, 9:00 PM
I need your help. How can I avoid storing encrypted secrets in the Pulumi state file? Example: in order to create an Azure PostgreSQL server I need to set an admin password. In this case it will be stored in the state file like this:
"type": "azure-native:dbforpostgresql/v20221201:Server",
"inputs": {
    "administratorLogin": "admin",
    "administratorLoginPassword": {
        "4dabf18193072939515e22adb298388d": "1b47061264138c...",
        "ciphertext": "v1:some_ecryption_here"
    },...
Can it be set as vault path in state file? Or do you know another solution?

acoustic-truck-53557

02/21/2023, 9:09 PM
You can use pulumi secrets for that https://www.pulumi.com/docs/intro/concepts/secrets/
I'm working with AWS, so I have configured it to use an AWS KMS key to encrypt the secrets.
In the Pulumi state files, you end up with the base64 encrypted value for each secret you store.

bitter-carpenter-93554

02/21/2023, 9:11 PM
and how are secrets present in the state file?

billowy-army-68599

02/21/2023, 9:12 PM
you can’t avoid storing the API result, like the login password, in the state file, that’s just how Pulumi works
you can encrypt those values though, as Diogo mentioned

bitter-carpenter-93554

02/21/2023, 9:13 PM
so, in the state file there is no way to have something like this?
"administratorLoginPassword": <link to KMS or Vault>

billowy-army-68599

02/21/2023, 9:14 PM
no, any API result that comes back from the Azure API gets stored in state

bitter-carpenter-93554

02/21/2023, 9:15 PM
is the same true for the AWS and Kubernetes providers as well?
just want to confirm 🙂

billowy-army-68599

02/21/2023, 9:19 PM
yep, any provider response will be stored in state, but a secret value will be encrypted

bitter-carpenter-93554

02/21/2023, 9:19 PM
Thank you
one more question, do you know by any chance if it is possible to avoid encrypted sensitive data in the Terraform state file?

billowy-army-68599

02/21/2023, 9:21 PM
no, Terraform stores all these values in plaintext
so you can’t even encrypt those values
you can encrypt the data store, but the values are stored in plaintext

bitter-carpenter-93554

02/21/2023, 9:22 PM
thank you @billowy-army-68599 and @acoustic-truck-53557