# platform-blueprints
s
This message was deleted.
h
Hi Dolev, I'm curious...
• Are you using Pulumi to store/create secrets where? (K8S cluster as secrets, AWS Secrets Manager, Hashi Vault, etc.)
• Are Devs adding secrets themselves via PR (they generate passwords and push to git in clear)?
d
1. Pulumi deploys K8S Secrets to our clusters.
2. Devs are adding a Pulumi Secret to the config and importing that secret to the Pulumi Code that deploys our secrets.

CLI
```sh
pulumi config set --secret dbPassword S3cr37
```
Code
```typescript
const dbPassword = config.requireSecret("dbPassword");
```
They open a PR, yes.
It's encrypted by Pulumi.
a
We do similar via Atlantis for Terraform. I would look for what their friction is and try to improve on those.
m
Config Management isn't a solved problem. A couple of jobs ago, we decided to write our own, which worked, but there are others coming on the market. CloudTruth is one of them. https://www.cloudtruth.com