Rotating Secret Providers
Posted on
Customers and users have asked for the ability to change the secrets manager associated with their stacks. This would allow a user to rotate their secrets providers when people leave their organization or even to be able to migrate to another secret manager of their choice. The v2.8.0 release of Pulumi adds support for this specific feature.
Let’s have a look at how to change a secrets provider for an existing stack:
pulumi stack change-secrets-provider "awskms://alias/ChangeSecretsProvider?region=us-west-2"
This command will change the secrets provider for the currently selected stack. It will
ensure that the configuration values in Pulumi.<stack>.yaml
are re-encrypted
with the new secrets provider and that the latest checkpoint (state file)
also has any secrets held within are migrated with the new secrets provider.
Creating New Stacks based on existing stacks
When creating a new stack, we added the ability to create that new stack based on the configuration of an existing stack. This means that when you need to create a new developer stack or a new stack for a different environment, then you can create that stack as follows:
pulumi stack init test --copy-config-from dev
This flag creates a new test
stack and initiates the default secrets provider for the stack. It will then
get the existing configuration from the dev stack and re-encrypt it to the test stack’s default secret provider.
We can, of course, pass a secrets provider to this new stack:
pulumi stack init test --secrets-provider="awskms://alias/ChangeSecretsProvider?region=us-west-2" --copy-config-from dev
Copying Config Between Stacks
When working on a Pulumi project that has multiple stacks, there are times that we create a configuration in one of the stacks that need to be copied to the other stacks in the project. Rather than selecting each stack individually, we can now programmatically copy the configuration between stacks. Let’s take an example where a new database password was added to the dev stack. We can copy that password to the production stack as follows:
pulumi config cp MyDatabasePassword --dest production
This ensures that the MyDatabasePassword
configuration will be re-encrypted into the production stack. If
there’s a situation where we want to copy all of the configuration between the dev
and production
stacks,
then we omit the key (MyDatabasePassword
):
pulumi config cp --dest production
We can iterate over all of the stacks that we need to copy the configuration to and the new configuration values will be encrypted as per the new stack.
Learn More
If you’d like to learn about Pulumi and manage your infrastructure through code, get started today. Pulumi is open source and free to use.
As always, you can check out our code on GitHub, follow us on Twitter, subscribe to our YouTube channel, or join our Community Slack channel if you have any questions, need support, or just want to say hello.