Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
plugin-framework
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
e
echoing-address-44214
03/06/2023, 3:35 AMHi! I am trying to import an existing password into a pulumi. The docs have some broken formatting, see https://www.pulumi.com/registry/packages/random/api-docs/randompassword/ I was trying
pulumi import "random:index/randomPassword:RandomPassword" my-name "the-password"Diagnostics:
random:index:RandomPassword (sch-dev-syd-ruwentest-redisredis-password):
error: Preview failed: Cannot extract ID from "random_password" resource state: ID cannot be emptyl
little-cartoon-10569
03/06/2023, 3:46 AMImporting is for mapping a cloud (or similar "remote") resource to an ID in your state. There is no remote resource for RandomPassword, it's entirely in your state file. You don't import a RandomPassword, just create a new one.
And you can't set the value of a random password. A password with a specific value is by definition not a random password.
Just use a string for this.
e
echoing-address-44214
03/06/2023, 3:55 AMHmm... Maybe let me explain my use cause. I got a little helper class, which generates in AWS a Redis Cluster, a Secrets Manager Secret and a few other things. I got this currently in cloud formation. I want to migrate that to pulumi. I want to use that class to create new Redis Clusters (with password etc) but I also want to use the class to maintain existing redis clusters. For new redis clusters I need to generate a new password. But for the existing ones, I want to import a password so that the new class can take care of the redis cluster in the future
I can work around with boolean flags, but I find that rather ugly 😞
l
little-cartoon-10569
03/06/2023, 4:09 AMYou can create the password object and update the state.
A better idea would be to not import the password, create the password in the normal way, and store it in a provider object like SSM Secure String Parameter or another cloud-based secret store.
After you've created the store item and put in the random password, manually overwrite it in the cloud storage with the actual current password
Since the value in the cloud storage is never read into Pulumi's state, there's no drift or other variation that needs to be fixed.
e
echoing-address-44214
03/06/2023, 4:11 AMBut how does the password get into SSM secure string? I am using aws secrets manager, which is effectively the same thing
l
little-cartoon-10569
03/06/2023, 4:12 AMYes, use secrets manager. RandomPassword only generates a value; you then put that value into secrets manager using Pulumi's aws.secretsmanager package
Note that Pulumi doesn't manage secrets in secretsmanager: it just puts them there. It's up to you to manage them once they're there.
And one of the things you can do, is overwrite them with your preferred value.
e
echoing-address-44214
03/06/2023, 4:15 AMSo I would have a random.generatePassword resource in my stack which is effectively unused?
l
little-cartoon-10569
03/06/2023, 4:16 AMYes. But that is normal. Every time you rotate your passwords, they change only in your cloud provider (aws.secretsmanager). Your RandomPasword probably won't change.
You can write your code to change the RandomPassword value if you like, but it's easier just to do it using the secretsmanager console.
I think of the RandomPassword class as just a seed. It's not an actual value, just an initial value.
e
echoing-address-44214
03/06/2023, 4:22 AMhmm elasticache/redis takes currently a string as a password (https://www.pulumi.com/registry/packages/aws/api-docs/elasticache/replicationgroup/#authtoken_nodejs) I currently use the password for that. if I rotate the password outside of pulumi, pulumi might detect drift there
l
little-cartoon-10569
03/06/2023, 4:30 AMNo, I'm fairly confident that Pulumi doesn't care or maintain values inside secret stores like secretsmanager. It only cares about setting them up. Same as with databases: it cares about the servers, not the data.
e
echoing-address-44214
03/06/2023, 4:32 AMElastiCache doesn't use Secrets Manager. It takes a password directly. The only reason I am storing the password in secrets manager is for my application
Maybe I need to read in pulumi the secret from the secrets manager and pass it on to elasticache
e
echoing-dinner-19531
03/06/2023, 9:17 AMThis should work, RandomPassword import just isn't working at the moment. https://github.com/pulumi/pulumi-random/issues/160Cannot extract ID from "random_password" resource state: ID cannot be empty