Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
b
bitter-carpenter-93554
02/21/2023, 9:00 PMI need your help. How to avoid storing encrypted secrets in pulumi state file?
Example: in order to create Azure PostgreSQL server I need to set admin password. In this case it will be stored in state file like this:
"type": "azure-native:dbforpostgresql/v20221201:Server",
"inputs": {
"administratorLogin": "admin",
"administratorLoginPassword": {
"4dabf18193072939515e22adb298388d": "1b47061264138c...",
"ciphertext": "v1:some_ecryption_here"
},...a
acoustic-truck-53557
02/21/2023, 9:09 PMYou can use pulumi secrets for that https://www.pulumi.com/docs/intro/concepts/secrets/
I'm working with AWS, so I have configured it to use a AWS KMS to encrypt the secrets.
on the pulumi state files, you end up with the base64 encrypted value, for each secret you store.
b
bitter-carpenter-93554
02/21/2023, 9:11 PMand how does secrets are present in state file ?
b
billowy-army-68599
02/21/2023, 9:12 PMyou can’t avoid storing the API result like the login password in the statefile, that’s just how pulumi works
you can encrypt those values though, as Diogo mentioned
b
bitter-carpenter-93554
02/21/2023, 9:13 PMso, in state file there is not way to have something like ?
"administratorLoginPassword": <link to KMS or Vault>b
billowy-army-68599
02/21/2023, 9:14 PMno, any API result that comes back from the azure API gets stored in state
b
bitter-carpenter-93554
02/21/2023, 9:15 PMit is same true for AWS and kubernetes providers as well, right?
just want to confirm 🙂
b
billowy-army-68599
02/21/2023, 9:19 PMyep, any provider response will be stored in state, but a secret value will be encrypted
b
bitter-carpenter-93554
02/21/2023, 9:19 PMThank you
one more question, do you know by any chance if it possible to avoid encrypted sensitive data in Terraform state file?
b
billowy-army-68599
02/21/2023, 9:21 PMno, terraform stores all these values in plaintext
so you can’t even encrypt those values
you can encrypt the data store, but the values are stored in plaintext
b
bitter-carpenter-93554
02/21/2023, 9:22 PMthank you @billowy-army-68599 and @acoustic-truck-53557