Open pcyang opened 1 month ago
Adding more context -- `Pulumi.MY_STACK_NAME.yaml` is not checked in to my repository. Locally, I need to do `pulumi config refresh` before I run the `pulumi preview` command. It seems like I'd need a way to be able to do that in the Pulumi action.

Okay, looks like I can just do a `pulumi config refresh` right before it as a workaround for now:
```yaml
- name: Pulling remote config for Pulumi 🛠️
  run: |
    pulumi stack select MY_STACK_NAME
    pulumi config refresh
- name: Preview infrastructure changes summary 📋
  uses: pulumi/actions@v4
  with:
    command: preview
    stack-name: MY_STACK_NAME
    cloud-url: gs://MY_GCP_PULUMI_STATE_BUCKET
```
@pcyang, out of curiosity, why aren't you checking in `Pulumi.MY_STACK_NAME.yaml`?

The `secrets-provider` option primarily exists for use with the `upsert` option (see https://github.com/pulumi/actions/issues/338):

> `upsert` - (optional) Allows the creation of the specified stack if it currently doesn't exist. PLEASE NOTE: This will create a `Pulumi.<stack-name>.yaml` file that you will need to add back to source control as part of the action if you wish to perform any further tasks with that stack.
@justinvp Thank you for the response!

We have decided against checking in `Pulumi.MY_STACK_NAME.yaml` for the following reasons:

1. We don't feel comfortable checking in the `encryptedKey` included in `Pulumi.MY_STACK_NAME.yaml` for secrets that were encrypted using our GCP KMS key. Encrypting the credential doesn't lower the data classification/sensitivity of the underlying content, so we don't want to have that in our repository, public or private.
   a. We disagree with the approach and prefer using a Secret Manager solution instead. We were under the assumption that this key is only used to encrypt secret configuration specifically, and not for encrypting the rest of the stack config in the backend bucket.
   b. We don't have a mechanism to disable this feature, and just using a passphrase requires us to manually type in a fake/dummy/blank password or commit it to ENV even if we want to ignore the feature.
   c. It also appears that key rotation triggered from GCP KMS isn't recognized by Pulumi, so we'd have to manually rotate by calling `pulumi stack change-secrets-provider`.
2. We wanted to have hierarchical configuration, but that is currently not supported in Pulumi with self-managed backend state, only with Pulumi ESC. Pulumi configuration out of the box is pretty confusing, with `Pulumi.yaml` only copied during new stack creation and not applying to existing stacks on changes. In our case, we basically find the base `Pulumi.yaml` and `Pulumi.MY_STACK_NAME.yaml` useless other than just stack name creation, and we simply load adobe/himl on startup and use that instead, and track the change versioning in separate `config/` files.
3. As stated in the Configuration and Secrets documentation, checking in these files is optional, and we can always fetch them using `pulumi config refresh`, so we see no reason for us to check in that file.

Could the documentation be updated to note that the `secrets-provider` parameter is only used for `upsert` and will be ignored in other cases? Also it would be nice if it mentioned the need to call `pulumi config refresh` if the user didn't check in their stack yaml file.
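A full workflow that puts the two points of this thread side by side, added here as an illustration and not taken from the issue or from the pulumi/actions project: the first job keeps `Pulumi.MY_STACK_NAME.yaml` out of the repository and pulls it with `pulumi config refresh` before `preview` (the workaround above), checking that the pulled file actually names the KMS provider so the run does not silently fall back to the passphrase provider; the second job is the only place `secrets-provider` has an effect, namely stack creation via `upsert`. The workload-identity provider, service account, project, bucket, key-ring and key names are placeholders, and GCP auth via `google-github-actions/auth` with workload identity is an assumption made so that no long-lived key needs to live in the repository.

```yaml
name: pulumi-preview

on:
  pull_request:
  workflow_dispatch:   # manual trigger used below for first-time stack creation

permissions:
  contents: read
  id-token: write      # required for GCP workload identity federation
  pull-requests: write # lets pulumi/actions comment the preview on the PR

env:
  # Placeholder values; replace with your own stack name and state bucket.
  STACK_NAME: MY_STACK_NAME
  PULUMI_BACKEND_URL: gs://MY_GCP_PULUMI_STATE_BUCKET

jobs:
  # Case 1: Pulumi.MY_STACK_NAME.yaml is NOT committed. The stack file,
  # including the KMS-wrapped encryptedkey, is fetched from the backend at
  # run time, so secrets-provider on the action is irrelevant here.
  preview-existing-stack:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER
          service_account: pulumi-ci@MY_PROJECT.iam.gserviceaccount.com

      - uses: pulumi/setup-pulumi@v2

      - name: Pull the stack config from the backend
        run: |
          pulumi login "$PULUMI_BACKEND_URL"
          pulumi stack select "$STACK_NAME"
          pulumi config refresh
          # Guard: without a gcpkms secretsprovider line the CLI falls back to
          # the passphrase provider and prompts for PULUMI_CONFIG_PASSPHRASE.
          grep -q '^secretsprovider: gcpkms://' "Pulumi.${STACK_NAME}.yaml"

      - uses: pulumi/actions@v4
        with:
          command: preview
          stack-name: ${{ env.STACK_NAME }}
          cloud-url: ${{ env.PULUMI_BACKEND_URL }}
          comment-on-pr: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Case 2: the stack does not exist yet. Only here does secrets-provider do
  # anything: upsert creates the stack with the KMS key as its secrets provider
  # and writes Pulumi.MY_STACK_NAME.yaml into the workspace. Later runs either
  # commit that file or, as in this thread, re-fetch it with config refresh.
  create-stack-with-kms:
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER
          service_account: pulumi-ci@MY_PROJECT.iam.gserviceaccount.com

      - uses: pulumi/actions@v4
        with:
          command: preview
          stack-name: ${{ env.STACK_NAME }}
          cloud-url: ${{ env.PULUMI_BACKEND_URL }}
          upsert: true
          secrets-provider: gcpkms://projects/MY_PROJECT/locations/global/keyRings/MY_RING/cryptoKeys/MY_KEY
```

The `grep` guard in the first job is the check worth keeping: it turns the confusing passphrase prompt from the original report into an explicit failure at the step where the stack file is pulled, and it fails closed if the backend copy was ever created with a different secrets provider than the one the team expects.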
What happened?

I followed the instruction in the Readme and passed in my `gcpkms` `secrets-provider`, but I'm still getting an error that asks me for `PULUMI_CONFIG_PASSPHRASE` or `PULUMI_CONFIG_PASSPHRASE_FILE`:
https://github.com/pulumi/actions?tab=readme-ov-file#configuration

My example github action step is in the example section below.

Here's the full debug error:

Am I passing it incorrectly? How do I get the `pulumi preview` command to use my custom secrets-provider?

Example

Output of `pulumi about`

Cannot do `pulumi about` in github action.

Additional context

No response