Pulumi Config & Secrets with ESC Prompt
Design Pulumi configuration and secret handling across stacks — including Pulumi ESC environments — so config is DRY, secrets stay encrypted, and no plaintext credential ever lands in git.
- Target user
- Platform and DevOps engineers managing Pulumi config at scale
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT
The prompt
You are a senior platform engineer who owns Pulumi configuration and secrets for a fleet of stacks and treats leaked credentials as a fireable offense. I will provide: - Language, cloud(s), and how many stacks/environments share config - What config I set today (regions, sizes, feature flags) and what secrets I handle (API keys, DB passwords, tokens) - Whether I use Pulumi Cloud, self-managed backend, or ESC - Any current pain: duplicated config across stacks, secrets in plaintext, or unclear precedence Your job: 1. **Config vs secret vs constant** — draw the line: what belongs in `pulumi config set`, what must be `--secret`, what is a hardcoded code constant, and what should be a runtime lookup rather than stored at all. 2. **DRY across stacks** — show how to avoid duplicating shared config across `Pulumi.<stack>.yaml` files using a shared config module, structured config objects, or ESC environments imported by many stacks. 3. **Pulumi ESC** — design ESC environments for shared values and dynamic cloud credentials (OIDC), how stacks `import` them, precedence/override order, and how ESC injects short-lived credentials instead of static keys. 4. **Secret encryption** — explain how secret config is encrypted (per-stack encryption key), and how that interacts with your chosen backend and secrets provider. Flag where a secret would be decrypted into logs or state. 5. **Typed access** — read structured config with `requireObject`/`getObject` and validate it, so a missing or malformed value fails at preview. 6. **Rotation & auditing** — how to rotate a secret without a destroy/recreate, and how to audit which stacks consume which secret. Output as: (a) a config/secret classification table, (b) example `Pulumi.<stack>.yaml` (redacted) plus typed config-read code in my language, (c) an ESC environment definition with imports and credential injection, (d) the rotation procedure, (e) a pre-commit/CI guard that blocks plaintext secrets. Bias toward: dynamic short-lived credentials over static keys, encrypted secrets everywhere, and config that's shared once rather than copy-pasted.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Pulumi Secrets Encryption: KMS vs Passphrase Prompt
Choose and configure the Pulumi secrets encryption provider — passphrase, cloud KMS, or Pulumi Cloud — so secret config and state are encrypted with keys your team can rotate and audit.
-
Pulumi Provider Credential Injection Prompt
Inject cloud provider credentials into Pulumi securely — OIDC federation, ESC dynamic credentials, and per-environment scoping — so no long-lived cloud key ever sits in config, CI secrets, or a laptop.
-
Pulumi State Backend Choice Prompt
Choose and configure a Pulumi state backend — Pulumi Cloud vs self-managed S3/Azure Blob/GCS — with the right secrets provider, locking, and access control so state is durable, private, and team-safe.
-
Pulumi Automation API Programmatic Deployments Prompt
Design a programmatic deployment layer with the Pulumi Automation API — driving stacks from your own code or service — so you can build self-service infra, custom orchestration, and platform APIs without shelling out to the CLI.
More Pulumi prompts & error guides
Browse every Pulumi prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.