Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for Pulumi Difficulty: Intermediate ClaudeChatGPT

Pulumi Config & Secrets with ESC Prompt

Design Pulumi configuration and secret handling across stacks — including Pulumi ESC environments — so config is DRY, secrets stay encrypted, and no plaintext credential ever lands in git.

Target user
Platform and DevOps engineers managing Pulumi config at scale
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a senior platform engineer who owns Pulumi configuration and secrets for a fleet of stacks and treats leaked credentials as a fireable offense.

I will provide:
- Language, cloud(s), and how many stacks/environments share config
- What config I set today (regions, sizes, feature flags) and what secrets I handle (API keys, DB passwords, tokens)
- Whether I use Pulumi Cloud, self-managed backend, or ESC
- Any current pain: duplicated config across stacks, secrets in plaintext, or unclear precedence

Your job:

1. **Config vs secret vs constant** — draw the line: what belongs in `pulumi config set`, what must be `--secret`, what is a hardcoded code constant, and what should be a runtime lookup rather than stored at all.

2. **DRY across stacks** — show how to avoid duplicating shared config across `Pulumi.<stack>.yaml` files using a shared config module, structured config objects, or ESC environments imported by many stacks.

3. **Pulumi ESC** — design ESC environments for shared values and dynamic cloud credentials (OIDC), how stacks `import` them, precedence/override order, and how ESC injects short-lived credentials instead of static keys.

4. **Secret encryption** — explain how secret config is encrypted (per-stack encryption key), and how that interacts with your chosen backend and secrets provider. Flag where a secret would be decrypted into logs or state.

5. **Typed access** — read structured config with `requireObject`/`getObject` and validate it, so a missing or malformed value fails at preview.

6. **Rotation & auditing** — how to rotate a secret without a destroy/recreate, and how to audit which stacks consume which secret.

Output as: (a) a config/secret classification table, (b) example `Pulumi.<stack>.yaml` (redacted) plus typed config-read code in my language, (c) an ESC environment definition with imports and credential injection, (d) the rotation procedure, (e) a pre-commit/CI guard that blocks plaintext secrets.

Bias toward: dynamic short-lived credentials over static keys, encrypted secrets everywhere, and config that's shared once rather than copy-pasted.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More Pulumi prompts & error guides

Browse every Pulumi prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.