maxmustermann/pulumi

Author SHA1 Message Date

Author	SHA1	Message	Date
Matt Ellis	3f1197ef84	Move .pulumi to root of a repository Now, instead of having a .pulumi folder next to each project, we have a single .pulumi folder in the root of the repository. This is created by running `pulumi init`. When run in a git repository, `pulumi init` will place the .pulumi file next to the .git folder, so it can be shared across all projects in a repository. When not in a git repository, it will be created in the current working directory. We also start tracking information about the repository itself, in a new `repo.json` file stored in the root of the .pulumi folder. The information we track are "owner" and "name" which map to information we use on pulumi.com. When run in a git repository with a remote named origin pointing to a GitHub project, we compute the owner and name by deconstructing information from the remote's URL. Otherwise, we just use the current user's username and the name of the current working directory as the owner and name, respectively.	2017-10-27 11:46:21 -07:00
Matt Ellis	c051da476f	Improve the US for `pulumi config` - `pulumi config ls` now does not prompt for a passphrase if there are secrets, instead ******'s are shown. `--show-secrets` can be passed to force decryption. The behavior of `pulumi config ls <key>` is unchanged, if the key is secure, we will prompt for a passphrase. - `pulumi config secret <key>` now prompts for the passphrase and verifies it before asking for the secret value. Fixes #465	2017-10-27 10:04:53 -07:00
Matt Ellis	ade366544e	Encrypt secrets in Pulumi.yaml We now encrypt secrets at rest based on a key derived from a user suplied passphrase. The system is designed in a way such that we should be able to have a different decrypter (either using a local key or some remote service in the Pulumi.com case in the future). Care is taken to ensure that we do not leak decrypted secrets into the "info" section of the checkpoint file (since we currently store the config there). In addtion, secrets are "pay for play", a passphrase is only needed when dealing with a value that's encrypted. If secure config values are not used, `pulumi` will never prompt you for a passphrase. Otherwise, we only prompt if we know we are going to need to decrypt the value. For example, `pulumi config <key>` only prompts if `<key>` is encrypted and `pulumi deploy` and friends only prompt if you are targeting a stack that has secure configuration assoicated with it. Secure values show up as unecrypted config values inside the language hosts and providers.	2017-10-24 16:48:12 -07:00

Matt Ellis

3f1197ef84

Move .pulumi to root of a repository

Now, instead of having a .pulumi folder next to each project, we have
a single .pulumi folder in the root of the repository. This is created
by running `pulumi init`.

When run in a git repository, `pulumi init` will place the .pulumi
file next to the .git folder, so it can be shared across all projects
in a repository. When not in a git repository, it will be created in
the current working directory.

We also start tracking information about the repository itself, in a
new `repo.json` file stored in the root of the .pulumi folder. The
information we track are "owner" and "name" which map to information
we use on pulumi.com.

When run in a git repository with a remote named origin pointing to a
GitHub project, we compute the owner and name by deconstructing
information from the remote's URL. Otherwise, we just use the current
user's username and the name of the current working directory as the
owner and name, respectively.

2017-10-27 11:46:21 -07:00

Matt Ellis

c051da476f

Improve the US for pulumi config

- `pulumi config ls` now does not prompt for a passphrase if there are
  secrets, instead ******'s are shown. `--show-secrets` can be passed
  to force decryption. The behavior of `pulumi config ls <key>` is
  unchanged, if the key is secure, we will prompt for a passphrase.

- `pulumi config secret <key>` now prompts for the passphrase and verifies
  it before asking for the secret value.

Fixes #465

2017-10-27 10:04:53 -07:00

Matt Ellis

ade366544e

Encrypt secrets in Pulumi.yaml

We now encrypt secrets at rest based on a key derived from a user
suplied passphrase.

The system is designed in a way such that we should be able to have a
different decrypter (either using a local key or some remote service
in the Pulumi.com case in the future).

Care is taken to ensure that we do not leak decrypted secrets into the
"info" section of the checkpoint file (since we currently store the
config there).

In addtion, secrets are "pay for play", a passphrase is only needed
when dealing with a value that's encrypted. If secure config values
are not used, `pulumi` will never prompt you for a
passphrase. Otherwise, we only prompt if we know we are going to need
to decrypt the value. For example, `pulumi config <key>` only prompts
if `<key>` is encrypted and `pulumi deploy` and friends only prompt if
you are targeting a stack that has secure configuration assoicated
with it.

Secure values show up as unecrypted config values inside the language
hosts and providers.

2017-10-24 16:48:12 -07:00

3 commits