https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# general
s
This message was deleted.
l
Importing is for mapping a cloud (or similar "remote") resource to an ID in your state. There is no remote resource for RandomPassword, it's entirely in your state file. You don't import a RandomPassword, just create a new one.
And you can't set the value of a random password. A password with a specific value is by definition not a random password.
Just use a string for this.
e
Hmm... Maybe let me explain my use cause. I got a little helper class, which generates in AWS a Redis Cluster, a Secrets Manager Secret and a few other things. I got this currently in cloud formation. I want to migrate that to pulumi. I want to use that class to create new Redis Clusters (with password etc) but I also want to use the class to maintain existing redis clusters. For new redis clusters I need to generate a new password. But for the existing ones, I want to import a password so that the new class can take care of the redis cluster in the future
I can work around with boolean flags, but I find that rather ugly 😞
l
You can create the password object and update the state. A better idea would be to not import the password, create the password in the normal way, and store it in a provider object like SSM Secure String Parameter or another cloud-based secret store. After you've created the store item and put in the random password, manually overwrite it in the cloud storage with the actual current password
Since the value in the cloud storage is never read into Pulumi's state, there's no drift or other variation that needs to be fixed.
e
But how does the password get into SSM secure string? I am using aws secrets manager, which is effectively the same thing
l
Yes, use secrets manager. RandomPassword only generates a value; you then put that value into secrets manager using Pulumi's aws.secretsmanager package
Note that Pulumi doesn't manage secrets in secretsmanager: it just puts them there. It's up to you to manage them once they're there.
And one of the things you can do, is overwrite them with your preferred value.
e
So I would have a random.generatePassword resource in my stack which is effectively unused?
l
Yes. But that is normal. Every time you rotate your passwords, they change only in your cloud provider (aws.secretsmanager). Your RandomPasword probably won't change.
You can write your code to change the RandomPassword value if you like, but it's easier just to do it using the secretsmanager console.
I think of the RandomPassword class as just a seed. It's not an actual value, just an initial value.
e
hmm elasticache/redis takes currently a string as a password (https://www.pulumi.com/registry/packages/aws/api-docs/elasticache/replicationgroup/#authtoken_nodejs) I currently use the password for that. if I rotate the password outside of pulumi, pulumi might detect drift there
l
No, I'm fairly confident that Pulumi doesn't care or maintain values inside secret stores like secretsmanager. It only cares about setting them up. Same as with databases: it cares about the servers, not the data.
e
ElastiCache doesn't use Secrets Manager. It takes a password directly. The only reason I am storing the password in secrets manager is for my application
Maybe I need to read in pulumi the secret from the secrets manager and pass it on to elasticache
e
Copy code
Cannot extract ID from "random_password" resource state: ID cannot be empty
This should work, RandomPassword import just isn't working at the moment. https://github.com/pulumi/pulumi-random/issues/160
3 Views
Open in Slack
PreviousNext
Powered by