Syntax example
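# Imports section names the environments to import. Environments are merged in order
# per JSON merge patch.
imports:
  - foo
  - bar

# Values section contains the environment's values. Values are merged onto imported
# environments per JSON merge patch.
values:
  # Values can be objects, arrays, strings, numbers, or booleans
  object:
    array: ["hello", "world"]
    string: esc
    number: 42
    boolean: true

  # Scalar values may be marked secret. `hunter2` is only an example value; a real
  # definition should reference a secret or be entered through a secret-aware editor.
  password:
    fn::secret: hunter2

  # Values within the environment and its imports may be referenced by interpolations
  hello: ${object}

  # Various functions may be used to manipulate values
  functions:
    - fn::join: [", ", "${object.array}"]  # joins the array elements with the given delimiter
    - fn::toBase64: ${password}  # encodes the argument as a Base64 string
    - fn::toJSON: ${object}  # encodes the argument as a JSON string
    - fn::toString: ${object}  # encodes the argument as a string

  # Dynamic secrets can be fetched using fn::open
  awsCreds:
    fn::open::aws-oidc:  # Will be removed in favor of aws-login with oidc config (see `aws.login`)
      roleArn: arn:aws:iam::086028354146:role/pulumi-deployments-oidc
      sessionName: pulumi-environments-session

  # AWS Provider examples
  aws:
    login:
      fn::open::aws-login:
        oidc:
          roleArn: arn:aws:iam::086028354146:role/pulumi-deployments-oidc
          sessionName: pulumi-environments-session
    secrets:
      fn::open::aws-secrets:
        login: ${aws.login}
        get:
          api-key:
            secretId: api-key
          app-secret:
            secretId: app-secret

  # Azure Provider examples
  azure:
    login:
      fn::open::azure-login:
        clientId: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        tenantId: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        subscriptionId: /subscriptions/00000000-0000-0000-0000-000000000000
        oidc: true
    secrets:
      fn::open::azure-secrets:
        login: ${azure.login}
        vault: https://vault-name.vault.azure.net/type/name/version
        get:
          api-key:
            name: api-key
          app-secret:
            name: app-secret

  # GCP Provider examples
  gcp:
    login:
      fn::open::gcp-login:
        project: 123456789
        oidc:
          workloadPoolId: pulumi-esc
          providerId: pulumi-esc
          serviceAccount: pulumi-esc@foo-bar-123456.iam.gserviceaccount.com
    secrets:
      fn::open::gcp-secrets:
        login: ${gcp.login}
        access:
          api-key:
            name: api-key
          app-secret:
            name: app-secret

  # Vault Provider examples
  vault:
    login:
      fn::open::vault-login:
        address: https://127.0.0.1:8200/
        jwt:
          role: example-role
    secrets:
      fn::open::vault-secrets:
        login: ${vault.login}
        read:
          api-key:
            path: api-key
          app-secret:
            path: app-secret

  # The environmentVariables key can be used to export environment variables when using
  # `env open --shell`, `env run`, or `pulumi up/preview/refresh/destroy`.
  # The exported values below are the short-lived credentials produced by `awsCreds`.
  environmentVariables:
    AWS_ACCESS_KEY_ID: ${awsCreds.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${awsCreds.secretAccessKey}
    AWS_SESSION_TOKEN: ${awsCreds.sessionToken}

  # The pulumiConfig key can be used to export pulumi config values for `pulumi up` etc.
  pulumiConfig:
    aws:region: us-west-2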