Secret rotation docs #14106
Secret rotation docs #14106
Conversation
|
Your site preview for commit 84379be is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-14106-84379bee.s3-website.us-west-2.amazonaws.com. |
|
|
||
| It is a best practice to define a separate environment for your rotated functions, and import them into the environments that require the rotated credentials. This allows you to manage the rotation logic in a single place, and allows for the rotated environment to be versioned separately from the rest of your configuration. Specifically, since a new revision is created on every rotation, you may want to always import the latest version of the rotated environment to ensure that the latest rotated credentials are always used. | ||
|
|
||
| Another reason to keep your rotated functions in a separate environment is that an environment containing a rotation function *cannot be rolled back*, since the rotated secrets have been deactivated. By keeping your rotation functions separate, you can ensure that the rest of your configuration can be rolled back to a previous revision if needed. |
There was a problem hiding this comment.
Rollback is still enabled?
If you are saying rollback is meaningless, then I'd word it differently
There was a problem hiding this comment.
We should disable rollback completely. But currently it is possible to click rollback - but the provider will not be updated back to the secrets that were valid at the time. We should really just disable this.
|
Your site preview for commit 9a33267 is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-14106-9a33267a.s3-website.us-west-2.amazonaws.com. |
komalali
force-pushed
the
komal/secret-rotation-docs
branch
from
bb27be4 to
4155130
Compare
|
Your site preview for commit bb27be4 is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-14106-bb27be4a.s3-website.us-west-2.amazonaws.com. |
|
Your site preview for commit 4155130 is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-14106-4155130b.s3-website.us-west-2.amazonaws.com. |
|
|
||
| If multiple rotation functions are defined in a single environment, it is possible that some fail while others succeed. In these cases, a partial failure will be reported. | ||
|
|
||
| To handle partial failures, failed keys can be individually retried using the `esc rotate` command with the `--path` flag. This will allow you to retry the rotation of a specific key without affecting the rotation of other keys in the environment. |
There was a problem hiding this comment.
did we not ship the retry button?
There was a problem hiding this comment.
not yet, we have an issue to fast follow on: https://github.com/pulumi/pulumi-service/issues/25970
| @@ -11,12 +11,16 @@ menu: | |||
| weight: 2 | |||
| --- | |||
|
|
|||
| Environments can also be composed from other environments. | |||
There was a problem hiding this comment.
I noticed that we have exact same blob about importing environments in "Working with Environments" page. I think we should remove it out of there, since we have this separate page, or at least also update it there
There was a problem hiding this comment.
Since this wasn't addressed in this PR, I added a new issue: #14130
| TODO: Add example of retrying a failed key | ||
|
|
||
| {{% notes type="warning" %}} | ||
| **WARNING** Beware of double rotation in the case of partial failures. If a key is rotated twice, the first rotation will be invalidated and the second rotation will be active. This can lead to unexpected behavior if not handled correctly, for example if the rotated secret has not been updated at the consumer. |
There was a problem hiding this comment.
| **WARNING** Beware of double rotation in the case of partial failures. If a key is rotated twice, the first rotation will be invalidated and the second rotation will be active. This can lead to unexpected behavior if not handled correctly, for example if the rotated secret has not been updated at the consumer. | |
| **WARNING** Beware of double rotation in case of partial failures. If a key is rotated twice, the first rotation will be invalidated and the second rotation will be active. This can lead to downtime, if the rotated secret has not yet been pulled in by its consumers. |
I thought I was the only one who hates articles!
* Add AWS IAM Rotator docs * fixup
|
Your site preview for commit 9f7f447 is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-14106-9f7f4478.s3-website.us-west-2.amazonaws.com. |
|
Your site preview for commit b3a24ce is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-14106-b3a24ce2.s3-website.us-west-2.amazonaws.com. |
komalali
force-pushed
the
komal/secret-rotation-docs
branch
from
f9c6a0e to
ec41218
Compare
|
Your site preview for commit f9c6a0e is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-14106-f9c6a0e7.s3-website.us-west-2.amazonaws.com. |
|
Your site preview for commit ec41218 is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-14106-ec412183.s3-website.us-west-2.amazonaws.com. |
|
Your site preview for commit db8f793 is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-14106-db8f7930.s3-website.us-west-2.amazonaws.com. |
|
Your site preview for commit be62d12 is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-14106-be62d12a.s3-website.us-west-2.amazonaws.com. |
komalali
force-pushed
the
komal/secret-rotation-docs
branch
from
384dbf5 to
1732f98
Compare
|
Your site preview for commit 384dbf5 is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-14106-384dbf5e.s3-website.us-west-2.amazonaws.com. |
|
Your site preview for commit 1732f98 is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-14106-1732f989.s3-website.us-west-2.amazonaws.com. |
Proposed changes
Fixes https://github.com/pulumi/pulumi-service/issues/25530
Unreleased product version (optional)
Related issues (optional)