
Ensure we can rotate pulumi passphrase secrets providers #5865

Merged: 1 commit, Dec 4, 2020

Conversation

stack72 (Contributor) commented Dec 4, 2020

Fixes: #5452

When the user is requesting to change the secrets provider to a
passphrase provider, we now calculate that this has been requested.

This means we will prompt for a new passphrase for use in encrypting
the stack.

```
pulumi stack change-secrets-provider passphrase
Enter your passphrase to unlock config/secrets
    (set PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE to remember):
Enter your new passphrase to protect config/secrets:
Re-enter your new passphrase to confirm:
Migrating old configuration and state to new secrets provider
Enter your passphrase to unlock config/secrets
    (set PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE to remember):
```

Thanks to @pierskarsenbarg for helping to drive through the workflow here!

@stack72 stack72 requested a review from justinvp December 4, 2020 14:13
@stack72 stack72 self-assigned this Dec 4, 2020
justinvp (Member) commented Dec 4, 2020

After we print `Migrating old configuration and state to new secrets provider`, why does the user have to re-enter their new passphrase again? Is there any way we could avoid that?

Ideally, the flow would be:

```
pulumi stack change-secrets-provider passphrase
Enter your passphrase to unlock config/secrets
    (set PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE to remember):
Enter your new passphrase to protect config/secrets:
Re-enter your new passphrase to confirm:
Migrating old configuration and state to new secrets provider
```

stack72 (Contributor, Author) commented Dec 4, 2020

> After we print `Migrating old configuration and state to new secrets provider`, why does the user have to re-enter their new passphrase again? Is there any way we could avoid that?
>
> Ideally, the flow would be:
>
> ```
> pulumi stack change-secrets-provider passphrase
> Enter your passphrase to unlock config/secrets
>     (set PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE to remember):
> Enter your new passphrase to protect config/secrets:
> Re-enter your new passphrase to confirm:
> Migrating old configuration and state to new secrets provider
> ```

So the reason the user needs to do that is that they need to unlock the new secrets manager again. We don't (currently) carry the secrets manager out of `createSecretsManager`; making that change would be a larger diff and would potentially break some areas. We can definitely look at that as a follow-up.

This only happens as part of the passphrase secrets manager. It used to ask twice after the new secrets manager was created (once for config and once for state), but I was able to merge those funcs.
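As an added illustration of the migration step discussed above (example code written for this page, not Pulumi's own code, and not the on-disk format Pulumi's passphrase provider actually uses), the following stand-alone Go program models what a passphrase-to-passphrase rotation has to do: unlock every secret under the old passphrase, require a matching confirmation for the new one, and only then re-encrypt everything under a fresh salt and key. The `Store` type, the KDF parameters, the AES-GCM layout and the sample secret are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const kdfIterations, saltLen = 100_000, 16 // this example's choice, not Pulumi's parameters
// Store is a hypothetical stand-in for stack config plus state: a KDF salt
// and each secret stored as nonce || AES-256-GCM ciphertext.
type Store struct {
	Salt    []byte
	Secrets map[string][]byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only reachable on a broken CSPRNG or a wrong key length
	}
	return v
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
// deriveKey is PBKDF2-HMAC-SHA256 for one 32-byte block, written out to stay stdlib-only.
func deriveKey(passphrase string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(passphrase))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): the first and only output block
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < kdfIterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// NewStore encrypts every value under a fresh salt and the given passphrase.
func NewStore(passphrase string, plain map[string]string) *Store {
	s := &Store{Salt: randBytes(saltLen), Secrets: make(map[string][]byte, len(plain))}
	g := gcm(deriveKey(passphrase, s.Salt))
	for name, v := range plain {
		nonce := randBytes(g.NonceSize())
		s.Secrets[name] = g.Seal(nonce, nonce, []byte(v), nil)
	}
	return s
}

// Unlock decrypts every secret with one passphrase; a wrong passphrase
// fails the GCM tag check instead of yielding garbage plaintext.
func (s *Store) Unlock(passphrase string) (map[string]string, error) {
	g := gcm(deriveKey(passphrase, s.Salt))
	plain := make(map[string]string, len(s.Secrets))
	for name, enc := range s.Secrets {
		if len(enc) < g.NonceSize() {
			return nil, fmt.Errorf("%q: ciphertext too short", name)
		}
		pt, err := g.Open(nil, enc[:g.NonceSize()], enc[g.NonceSize():], nil)
		if err != nil {
			return nil, fmt.Errorf("%q: wrong passphrase or corrupted secret", name)
		}
		plain[name] = string(pt)
	}
	return plain, nil
}

// Rotate follows the prompt order in the PR: unlock with the old passphrase,
// take the new passphrase and its confirmation, then migrate every secret.
// It is all-or-nothing: the store is untouched unless every secret unlocks.
func (s *Store) Rotate(oldPass, newPass, confirm string) error {
	if newPass != confirm {
		return errors.New("new passphrases do not match")
	}
	plain, err := s.Unlock(oldPass)
	if err != nil {
		return err
	}
	*s = *NewStore(newPass, plain) // new salt, new key, fresh nonces
	return nil
}

func main() {
	s := NewStore("old-passphrase", map[string]string{"dbPassword": "hunter2"}) // constructed sample
	fmt.Println(s.Rotate("old-passphrase", "new-passphrase", "new-passphrase"))  // <nil>
	fmt.Println(s.Unlock("old-passphrase"))                                      // map[] "dbPassword": wrong passphrase or corrupted secret
}
```

The two checks worth noticing are the ones the interactive flow above relies on a human for: the confirmation prompt (`newPass != confirm`) and the fact that a wrong old passphrase fails before anything is rewritten, so a typo cannot leave config and state encrypted under different keys.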

justinvp (Member) left a review comment

LGTM

@stack72 stack72 merged commit 12dd076 into master Dec 4, 2020
@stack72 stack72 deleted the fix-rotating-passphrase-sm branch December 4, 2020 15:21
Linked issue: change-secrets-provider is unable to change from one passphrase to another passphrase