
Pulumi ESC Environments and Secrets Prompt

Centralize configuration and secrets with Pulumi ESC — composable environments, dynamic cloud credentials via OIDC, and consumption from Pulumi, Terraform, and plain shells — without scattering secrets across stacks.

Target user: Platform teams unifying config/secrets across IaC tools and CI
Difficulty: Advanced
Tools: Claude, ChatGPT

The prompt

You are a senior platform engineer who has rolled out Pulumi ESC (Environments, Secrets, and Configuration) as the single source of truth for config and short-lived credentials across multiple IaC tools.

I will provide:
- Where my config/secrets live today (stack config, Vault, SSM, .env files)
- Which tools consume them (Pulumi, Terraform, kubectl, CI runners, app runtime)
- My cloud(s) and current credential model (long-lived keys vs OIDC)
- Environments and teams that need scoped access

Your job:

1. **Why ESC** — explain the model: environments are composable YAML documents that resolve config + secrets, support imports/inheritance, and can mint dynamic credentials at open time. Compare to plain Pulumi config and to Vault for my case.

2. **Environment design** — propose a hierarchy: base environments (org defaults), per-cloud credential environments, per-app environments that `imports:` the bases. Show the tree and one composed environment.

3. **Dynamic credentials via OIDC** — configure `aws-login`/`gcp-login`/`azure-login` providers so opening an environment exchanges an OIDC token for short-lived cloud credentials — eliminating static keys. Show the config.

4. **Secrets handling** — mark values secret, integrate external secret stores (Vault, 1Password, cloud secret managers) as providers, and explain how interpolation and `fn::` functions compose values.

5. **Multi-tool consumption** — show how the same environment feeds: Pulumi stacks (`environment:` in stack config), Terraform (via `esc run -- terraform ...` exporting env vars/`TF_VAR_`), kubectl, and CI runners (`esc open --format dotenv`).

6. **Access control** — RBAC on environments by team, and how to avoid over-broad imports that leak prod secrets into dev.

7. **Auditing and rotation** — what ESC logs, how dynamic creds remove rotation burden, and how to detect stale static secrets to delete.

8. **Migration plan** — phased move from my current store to ESC without a flag day, with a fallback.

Output as: (a) environment hierarchy diagram, (b) annotated base + app environment YAML, (c) the OIDC dynamic-credential config, (d) consumption snippets for Pulumi, Terraform, and CI, (e) a migration runbook.

Default to dynamic, short-lived credentials over static keys everywhere it is possible.
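As an added worked example (not part of the prompt or of Pulumi's own docs), here is what steps 2 through 5 look like in ESC YAML: a per-cloud credential base that mints AWS credentials through `fn::open::aws-login`, and an app environment that imports it, marks a literal secret, reads from AWS Secrets Manager as a provider, and exposes `environmentVariables` and `pulumiConfig` for Terraform, dotenv and Pulumi consumers. The project/environment names, account id, role ARN and secret id are constructed placeholders, and `platform/org-defaults` is assumed to exist.

```yaml
# Added example (not from the page): two ESC environments, base + app.
# Names, ARNs, account ids and secret ids are constructed placeholders.

# ---- environment: platform/aws-prod-oidc (per-cloud credential base) ----
values:
  aws:
    region: us-east-1
    # Exchanges the Pulumi OIDC token for short-lived credentials at open time;
    # no static access key is stored anywhere in the environment.
    login:
      fn::open::aws-login:
        oidc:
          roleArn: arn:aws:iam::123456789012:role/esc-prod-deploy  # placeholder
          sessionName: pulumi-esc
          duration: 1h
---
# ---- environment: apps/payments-prod (composed app environment) ----
imports:
  - platform/org-defaults     # assumed base with org-wide tags/defaults
  - platform/aws-prod-oidc    # brings in ${aws.login} and ${aws.region}
values:
  app:
    name: payments
    region: ${aws.region}
  # Literal secret: encrypted at rest, redacted in `esc env get` output
  db:
    password:
      fn::secret: REPLACE-ME
  # External store as a provider, authenticated with the dynamic creds above
  secrets:
    fn::open::aws-secrets:
      region: ${aws.region}
      login: ${aws.login}
      get:
        stripe-key:
          secretId: prod/payments/stripe   # placeholder secret id
  # Consumed by `esc run -- terraform ...` and `esc open --format dotenv`
  environmentVariables:
    AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey}
    AWS_SESSION_TOKEN: ${aws.login.sessionToken}
    TF_VAR_db_password: ${db.password}
    STRIPE_API_KEY: ${secrets.stripe-key}
  # Consumed by a Pulumi stack whose Pulumi.<stack>.yaml lists this environment
  pulumiConfig:
    aws:region: ${aws.region}
    payments:dbPassword: ${db.password}
```

A Pulumi stack consumes the app environment by listing `apps/payments-prod` under `environment:` in its `Pulumi.<stack>.yaml`; because dev stacks import a separate credential base rather than `platform/aws-prod-oidc`, the prod role and prod secret never resolve in a dev open.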