6ed4bac5af
Adds support for additional cloud secrets providers (AWS KMS, Azure KeyVault, Google Cloud KMS, and HashiCorp Vault) as the encryption backend for Pulumi secrets. This augments the previous choice between using the app.pulumi.com-managed secrets encryption or a fully-client-side local passphrase encryption. This is implemented using the Go Cloud Development Kit support for pluggable secrets providers. Like our cloud storage backend support which also uses Go Cloud Development Kit, this PR also bleeds through to users the URI scheme's that the Go CDK defines for specifying each of secrets providers - like `awskms://alias/LukeTesting?region=us-west-2` or `azurekeyvault://mykeyvaultname.vault.azure.net/keys/mykeyname`. Also like our cloud storage backend support, this PR doesn't solve for how to configure the cloud provider client used to resolve the URIs above - the standard ambient credentials are used in both cases. Eventually, we will likely need to provide ways for both of these features to be configured independently of each other and of the providers used for resource provisioning. |
||
|---|---|---|
| .. | ||
| apitype | ||
| backend | ||
| codegen/python | ||
| diag | ||
| encoding | ||
| engine | ||
| graph | ||
| operations | ||
| resource | ||
| secrets | ||
| testing | ||
| tokens | ||
| tools | ||
| util | ||
| version | ||
| workspace | ||