  • Stars: 219
  • Rank: 181,133 (Top 4%)
  • Language: Go
  • License: Apache License 2.0
  • Created over 1 year ago
  • Updated 23 days ago

Repository Details

Pulumi ESC (Environments, Secrets, and Configuration) for cloud applications and infrastructure.

Pulumi ESC (Environments, Secrets, and Configuration)

Pulumi ESC is a new product from Pulumi that manages and tames secrets and configuration complexity across all of your cloud infrastructure and application environments. Pulumi ESC introduces a new category of configuration-as-code product, motivated by our experience working with hundreds of Pulumi IaC customers to address their needs in managing secrets and configuration at scale within their Pulumi infrastructure and across other cloud applications and infrastructure projects.

Pulumi ESC enables teams to aggregate secrets and configuration from many sources, manage hierarchical collections of configuration and secrets ("environments"), and consume that configuration and those secrets from a variety of infrastructure and application services. Pulumi ESC works hand-in-hand with Pulumi IaC to simplify configuration management, but it also works independently of Pulumi IaC as a solution for managing environments, secrets and configuration for any application or infrastructure project.

For example, the Pulumi ESC CLI (esc) makes it possible to give your developers immediate, just-in-time authenticated and short-lived access to cloud credentials across any cloud provider with just a single command: esc run aws-staging -- aws s3 ls.

Pulumi ESC is offered as a managed service as part of Pulumi Cloud, and this repo contains the implementation of the following key components of the ESC offering:

  1. The esc CLI: A CLI tool for managing and consuming environments, secrets and configuration using Pulumi ESC.
  2. The Pulumi ESC evaluator: The core specification and implementation of the document format for defining environments, and the syntax and semantics for evaluating environments to produce a set of configuration and secrets.

How Pulumi ESC works

  1. Pulumi ESC enables you to define environments, which are collections of secrets and configuration. Each environment can be composed from multiple environments.
  2. Pulumi ESC supports a variety of configuration and secrets sources, and it has an extensible plugin model that allows third-party sources.
  3. Pulumi ESC has a rich API that allows for easy integration. Every value in an environment can be accessed from any execution environment.
  4. Every environment can be locked down with RBAC, versioned, and audited.

Building the CLI Locally

You can build the CLI locally for testing by running:

$ make install

This will produce an esc binary in your GOBIN directory.

Why Pulumi ESC?

Pulumi ESC was designed to address a set of challenges that many infrastructure and application development teams face in managing configuration and secrets across their various environments:

  • Secrets and Configuration Sprawl: Data in many systems. Challenging to audit. Lots of application-specific logic to acquire and compose configuration from multiple sources. Divergent solutions for Infrastructure and Application configuration.
  • Duplication and Copy/Paste: Secrets are duplicated in many places. Frequently coupled to application/system-specific configuration stores.
  • Too Many Long-lived Static Secrets: Long-lived static credentials are overused, exposing companies to significant security risk. Rotation is operationally challenging. Not all systems support direct integration with OIDC and other dynamic secrets provisioning systems.

Pulumi ESC was born to address these problems and needs head on. It does so through a few core design principles:

  • Hierarchical and Composable: Environments contain collections of secrets and configuration, but can also import one or more other environments. Values can be overridden, interpolated from other values, and arbitrarily nested. This allows for flexible composition and reuse, and avoids copy-paste.
  • Any Secrets Provider: Support for dynamic configuration providers allows Pulumi ESC to integrate with secrets stored in any other provider. Organizations often use AWS Secrets Manager, Vault, Azure OIDC and/or 1Password, plus many more sources of truth for their secrets and configuration. Pulumi ESC supports them all, providing a single interface to your configuration and secrets, no matter where their source of truth is. Pulumi ESC works with these tools to provide improved management of secrets and configuration.
  • Consume from Anywhere: The esc CLI and the Pulumi ESC REST API enable environments to be accessed from any application, infrastructure provider, or automation system. At launch, first-class integrations are available with Pulumi IaC, local environment and .env files, GitHub Actions, and more.
  • Auditable: Environments must be "opened" to compute and see the set of values they provide, and this action is recorded in audit logs, including a full record of how each value was sourced from within the hierarchy of environments that contributed to it.
  • Authentication and RBAC: Pulumi ESC brokers access to secrets and configuration that live in other systems, so authentication and granular RBAC are critical to ensure robust access controls across your organization. Pulumi ESC leverages the same Pulumi Cloud identity, RBAC, Teams, SAML/SCIM and scoped access tokens that are used for Pulumi IaC today, extending all of these to managing access to Environments as well as Stacks.
  • Configuration as Code: Environments are defined as YAML documents which can describe how to project and compose secrets and configuration, integrate dynamic configuration providers, and compute new configuration from other values (constructing a URL from a DNS name, or concatenating multiple configuration values into a derived value). The flexibility of a code-based approach over traditional point-and-click interfaces allows Pulumi ESC to offer rich expressiveness for managing complex configuration.
  • Fully Managed: Pulumi ESC is offered as a fully managed cloud service in Pulumi Cloud (and Pulumi Cloud Self-hosted in the near future). The pulumi/esc project is open source, and contains the evaluation engine for environments, the esc CLI, and in the future, the extensible plugins for source and target integrations.
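To make the principles above concrete, here is a constructed environment definition (added for illustration; it is not a file from the pulumi/esc repository) for the aws-staging environment used in the esc run example earlier. It assumes an imported environment named aws-base exists, the role ARN and session name are placeholders, and the fn::open::aws-login provider and its oidc inputs and accessKeyId/secretAccessKey/sessionToken outputs follow Pulumi's published ESC documentation.

```yaml
# Constructed example of a Pulumi ESC environment document ("aws-staging").
# Composition: values from the imported "aws-base" environment (assumed to
# exist) are merged first; anything defined here overrides them.
imports:
  - aws-base

values:
  # Dynamic provider: exchange a short-lived Pulumi OIDC token for temporary
  # AWS credentials at open time, so no static access key is stored anywhere.
  aws:
    login:
      fn::open::aws-login:
        oidc:
          roleArn: arn:aws:iam::123456789012:role/esc-staging-placeholder # placeholder
          sessionName: pulumi-esc-staging
          duration: 1h

  app:
    region: us-west-2
    # Derived value: interpolated from another value in this environment.
    apiEndpoint: https://api.${app.region}.staging.example.com
    # Static secret: marked so it is encrypted at rest and redacted in output
    # unless the caller is explicitly allowed to reveal secrets.
    dbPassword:
      fn::secret: example-only-not-a-real-password

  # Projection consumed by `esc run aws-staging -- aws s3 ls`: these are
  # exported into the process environment for the duration of the command.
  environmentVariables:
    AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey}
    AWS_SESSION_TOKEN: ${aws.login.sessionToken}
    AWS_REGION: ${app.region}
    APP_API_ENDPOINT: ${app.apiEndpoint}

  # Projection consumed by Pulumi IaC stacks that reference this environment.
  pulumiConfig:
    aws:region: ${app.region}
    app:dbPassword: ${app.dbPassword}
```

Each open of this environment is audit-logged with the resolved provenance of every value, and the AWS credentials it yields expire after the configured duration, which is the property that replaces the long-lived static keys described above.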
