cc04cd6581
In the Pulumi Cloud, there is no guarantee that two stacks will share the same encryption key. This means that encrypted config cannot be shared across stacks (in the Pulumi.yaml file). To mimic this behavior in the local experience, we now use a unique key per stack.

When upgrading an existing project, for any stack with existing secrets, we copy the existing key into this stack. Future stacks will get their own encryption key. This strikes a balance between expediency of implementation, the end user UX and not having to make a breaking change.

As part of this change, I have introduced a CHANGELOG.md file in the root of the repository and added a small note about the change to it.

Fixes #769
612 B
v0.10.0
Added
Changed
- For local stacks, Pulumi now uses a seperate encryption key for each stack instead of one shared for all stacks, to
encrypt secrets. You are now able to use a different passphrase between two stacks. In addition, the top level
encryptionsalt
member of thePulumi.yaml
is removed and salts are stored per stack inPulumi.yaml
. Pulumi will automatically re-use the existing key for any local stacks in the Pulumi.yaml file which have encrypted, but future stacks will have new keys generated. There is no impact to stacks deployed using the Pulumi Cloud.
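Review bot: In the Changed entry, "seperate" should be "separate", and the clause "local stacks in the Pulumi.yaml file which have encrypted" is missing its object (the commit message suggests "encrypted config" or "existing secrets"), so as written it does not say which stacks keep the old key. The "Added" heading has nothing under it; remove it until there is an entry to list. Because this entry tells users the top-level encryptionsalt member is removed, it should also state whether they need to take any action on upgrade or whether the re-use of the existing key is fully automatic.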