Example repository on how the automation API could work. Don't expect many updates.
We assume you have the following utilities installed and configured:
- pulumi
- aws-vault
- aws-cli
Familiarise yourself with these tools before continuing.
```sh
# Authenticate with AWS
$ aws-vault exec some-aws-account
# Tell pulumi to use the KMS encryption key to encrypt the state
$ export KMS_KEY_ALIAS=pulumi-secrets-encryption-key
# Tell pulumi to use the state bucket you have created
$ export PULUMI_BACKEND_URL=s3://arno-pulumi-state-bucket-deleteme
```
When using a custom backend, you have to persist the StackSettings
as well. See pulumi/automation-api-examples#4 (comment).
Pulumi generates stack settings files in the form of Pulumi.yaml and Pulumi.dev.yaml. These files seem redundant as they are regenerated each time.
Use the AWS KMS secrets provider instead of a passphrase. See https://github.com/pulumi/automation-api-examples/blob/main/nodejs/inlineSecretsProvider-ts/index.ts#L75.
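The two notes above (persisting the stack settings on a custom backend, and using AWS KMS instead of a passphrase) can be combined in one options object. The sketch below is an added example, not code from this repository or from Pulumi; `buildWorkspaceOptions`, `WorkspaceOpts` and the optional `region` argument are hypothetical names, and the returned shape is assumed to be passed as the second argument to `LocalWorkspace.createOrSelectStack`.

```typescript
// Added example: buildWorkspaceOptions and WorkspaceOpts are hypothetical names.
type Env = Record<string, string | undefined>;

interface WorkspaceOpts {
  secretsProvider: string;
  stackSettings: Record<string, { secretsProvider: string }>;
  envVars: Record<string, string>;
}

// Builds the secrets-provider and backend settings from the two variables
// exported in the setup steps. Fails closed: a missing or malformed value
// raises instead of letting the stack fall back to passphrase encryption
// or to a backend other than the intended S3 bucket.
function buildWorkspaceOptions(stackName: string, env: Env, region?: string): WorkspaceOpts {
  // Accept "alias/name" or "name"; KMS aliases allow only [A-Za-z0-9/_-].
  const alias = (env["KMS_KEY_ALIAS"] ?? "").trim().replace(/^alias\//, "");
  if (!/^[A-Za-z0-9/_-]+$/.test(alias)) {
    throw new Error("KMS_KEY_ALIAS is missing or malformed; refusing to continue without KMS");
  }

  // Only an s3:// URL with a syntactically valid bucket name is accepted.
  const backend = (env["PULUMI_BACKEND_URL"] ?? "").trim();
  if (!/^s3:\/\/[a-z0-9][a-z0-9.-]{1,61}[a-z0-9](\/|\?|$)/.test(backend)) {
    throw new Error("PULUMI_BACKEND_URL must be an s3:// bucket URL");
  }

  const query = region ? `?region=${encodeURIComponent(region)}` : "";
  const secretsProvider = `awskms://alias/${alias}${query}`;

  return {
    // Used when the stack is first initialised.
    secretsProvider,
    // Persisted per stack, so later runs against the custom backend
    // keep decrypting with the same KMS key.
    stackSettings: { [stackName]: { secretsProvider } },
    // Forwarded to every pulumi command the workspace runs.
    envVars: { PULUMI_BACKEND_URL: backend },
  };
}
```

Call it with `process.env` as the `env` argument from inside the `aws-vault exec` session.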
Don't use direct imports for infrastructure resources, see pulumi/pulumi-aws#772.
For example:
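```ts
// won't work: importing the resource class directly from the submodule
import { Bucket } from "@pulumi/aws/s3";

// will work: import the package root and reference the resource through it
import * as aws from "@pulumi/aws";
// The first constructor argument (the resource name) is required
const bucket = new aws.s3.Bucket("my-bucket");
```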
Check out the unit testing docs since there are a few gotchas.