Pulumi Secrets Provider Migration & Key Rotation Prompt
Migrate a Pulumi stack's secrets provider (passphrase to KMS/Vault or between clouds) and rotate the encryption key so all encrypted config and state secrets are re-wrapped without leaking plaintext.
- Target user
- Platform and security engineers hardening Pulumi secret handling
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a platform-security engineer migrating a Pulumi stack from one secrets provider to another and rotating the underlying encryption key — with zero plaintext exposure and no broken deployments. Pulumi encrypts config secrets and secret state values with the stack's `secretsprovider`; changing it re-encrypts every secret, and getting the order wrong locks you out of your own state. I will provide: - The current secrets provider (`passphrase`, `awskms`, `gcpkms`, `azurekeyvault`, or `hashivault`) and the target provider - Whether the backend is Pulumi Cloud or self-managed (S3/GCS/Azure Blob) - Which config keys are marked secret (or the output of `pulumi config --show-secrets` described, never pasted in plaintext) - The compliance driver (key rotation policy, moving off passphrase, cross-cloud migration) Your job: 1. **Pre-flight inventory** — list every secret the stack holds: `Pulumi.<stack>.yaml` encrypted config values, `secret` outputs, and provider credentials. Identify which are re-encrypted automatically by a provider change and which must be re-entered. 2. **Migration sequence** — give the exact ordered commands for `pulumi stack change-secrets-provider "<target>"`, including IAM/KMS key policy the invoking principal needs, and how the `encryptedkey`/`encryptionsalt` in the stack config changes. Call out the irreversible steps. 3. **Key rotation** — for the KMS/Vault case, show how rotating the CMK or Vault key version re-wraps the data key without re-entering secrets, and how to force re-encryption when you actually want new ciphertext (change-secrets-provider to the same-but-rotated key). 4. **Blast radius & access** — enumerate who/what loses access when the provider changes (CI runners, other engineers, automation) and the KMS grant / Vault policy each needs afterward, so no pipeline breaks on the next `pulumi up`. 5. **Verification** — commands to prove the migration worked: a clean `pulumi preview` with no secret diffs, and confirmation that the old key can be revoked. Never print decrypted secrets to logs. Output as: (a) a secret inventory table, (b) the ordered migration + rotation runbook with exact commands and required key policies, (c) an access-grant checklist for every consumer, (d) verification and old-key-revocation steps. Treat every value as production-sensitive.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Pulumi ESC Environments and Secrets Prompt
Centralize configuration and secrets with Pulumi ESC — composable environments, dynamic cloud credentials via OIDC, and consumption from Pulumi, Terraform, and plain shells — without scattering secrets across stacks.
-
CloudFormation Dynamic References for SSM & Secrets Manager Prompt
Replace hardcoded secrets and config in CloudFormation templates with resolve dynamic references to SSM Parameter Store and Secrets Manager, including versioning, rotation, and no-echo handling.
-
Pulumi Transformations & Aliases Refactor Prompt
Refactor Pulumi resource names, parents, and structure at scale using aliases and stack transformations so URNs change on paper but no live resource is destroyed or replaced.
-
Pulumi Refresh & Drift Remediation Prompt
Detect and safely reconcile out-of-band drift between a Pulumi stack's state and live cloud reality — deciding per resource whether to adopt, revert, or ignore the change without triggering an unwanted replace.
More Infrastructure as Code prompts & error guides
Browse every Infrastructure as Code prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.