
echoing-address-44214

03/06/2023, 3:35 AM
Hi! I am trying to import an existing password into Pulumi. The docs have some broken formatting, see https://www.pulumi.com/registry/packages/random/api-docs/randompassword/. I was trying
pulumi import "random:index/randomPassword:RandomPassword" my-name "the-password"
but I got as a result:
Diagnostics:
  random:index:RandomPassword (sch-dev-syd-ruwentest-redisredis-password):
    error: Preview failed: Cannot extract ID from "random_password" resource state: ID cannot be empty
Any ideas how to do it?

little-cartoon-10569

03/06/2023, 3:46 AM
Importing is for mapping a cloud (or similar "remote") resource to an ID in your state. There is no remote resource for RandomPassword, it's entirely in your state file. You don't import a RandomPassword, just create a new one.
And you can't set the value of a random password. A password with a specific value is by definition not a random password.
Just use a string for this.

echoing-address-44214

03/06/2023, 3:55 AM
Hmm... Maybe let me explain my use case. I got a little helper class, which generates in AWS a Redis Cluster, a Secrets Manager Secret and a few other things. I got this currently in CloudFormation. I want to migrate that to Pulumi. I want to use that class to create new Redis Clusters (with password etc.) but I also want to use the class to maintain existing Redis clusters. For new Redis clusters I need to generate a new password. But for the existing ones, I want to import a password so that the new class can take care of the Redis cluster in the future.
I can work around with boolean flags, but I find that rather ugly 😞

little-cartoon-10569

03/06/2023, 4:09 AM
You can create the password object and update the state. A better idea would be to not import the password, create the password in the normal way, and store it in a provider object like SSM Secure String Parameter or another cloud-based secret store. After you've created the store item and put in the random password, manually overwrite it in the cloud storage with the actual current password.
Since the value in the cloud storage is never read into Pulumi's state, there's no drift or other variation that needs to be fixed.

echoing-address-44214

03/06/2023, 4:11 AM
But how does the password get into SSM secure string? I am using aws secrets manager, which is effectively the same thing

little-cartoon-10569

03/06/2023, 4:12 AM
Yes, use secrets manager. RandomPassword only generates a value; you then put that value into secrets manager using Pulumi's aws.secretsmanager package.
Note that Pulumi doesn't manage secrets in secretsmanager: it just puts them there. It's up to you to manage them once they're there.
And one of the things you can do, is overwrite them with your preferred value.

echoing-address-44214

03/06/2023, 4:15 AM
So I would have a random.generatePassword resource in my stack which is effectively unused?

little-cartoon-10569

03/06/2023, 4:16 AM
Yes. But that is normal. Every time you rotate your passwords, they change only in your cloud provider (aws.secretsmanager). Your RandomPassword probably won't change.
You can write your code to change the RandomPassword value if you like, but it's easier just to do it using the secretsmanager console.
I think of the RandomPassword class as just a seed. It's not an actual value, just an initial value.

echoing-address-44214

03/06/2023, 4:22 AM
Hmm, ElastiCache/Redis currently takes a string as a password (https://www.pulumi.com/registry/packages/aws/api-docs/elasticache/replicationgroup/#authtoken_nodejs). I currently use the password for that. If I rotate the password outside of Pulumi, Pulumi might detect drift there.

little-cartoon-10569

03/06/2023, 4:30 AM
No, I'm fairly confident that Pulumi doesn't care about or maintain values inside secret stores like secretsmanager. It only cares about setting them up. Same as with databases: it cares about the servers, not the data.

echoing-address-44214

03/06/2023, 4:32 AM
ElastiCache doesn't use Secrets Manager. It takes a password directly. The only reason I am storing the password in Secrets Manager is for my application.
Maybe I need to read the secret from Secrets Manager in Pulumi and pass it on to ElastiCache.

echoing-dinner-19531

03/06/2023, 9:17 AM
Cannot extract ID from "random_password" resource state: ID cannot be empty
This should work, RandomPassword import just isn't working at the moment. https://github.com/pulumi/pulumi-random/issues/160