From 84fcc410695177b48d1155bcf2c69086668830f7 Mon Sep 17 00:00:00 2001 From: Sean Yeh <109418+seanyeh@users.noreply.github.com> Date: Fri, 22 Nov 2024 19:13:35 -0600 Subject: [PATCH] Add docs on AWS Parameter Store ESC integration (#13410) * Add docs on aws parameter store esc integration * Fix wrong url * copy over from dupe PR * feedback --- .../index.md | 2 +- .../dynamic-secrets/1password-secrets.md | 2 +- .../integrations/dynamic-secrets/_index.md | 15 +-- .../dynamic-secrets/aws-parameter-store.md | 104 ++++++++++++++++++ .../dynamic-secrets/aws-secrets.md | 8 +- .../dynamic-secrets/azure-secrets.md | 8 +- .../dynamic-secrets/gcp-secrets.md | 8 +- .../dynamic-secrets/vault-secrets.md | 8 +- 8 files changed, 130 insertions(+), 25 deletions(-) create mode 100644 content/docs/esc/integrations/dynamic-secrets/aws-parameter-store.md diff --git a/content/blog/esc-table-editor-provider-config-support/index.md b/content/blog/esc-table-editor-provider-config-support/index.md index c2a09b4034b5..02c6c261ec5b 100644 --- a/content/blog/esc-table-editor-provider-config-support/index.md +++ b/content/blog/esc-table-editor-provider-config-support/index.md 
@@ -27,7 +27,7 @@ In our initial launch, the Table Editor allowed you to perform CRUD operations o [Pulumi ESC’s provider ecosystem](/docs/esc/providers/) is one of its most powerful features. It supports two categories of providers: - **Dynamic Cloud Provider Credentials**: Dynamically acquire credentials from cloud providers like [AWS](/docs/esc/providers/aws-login/), [Azure](/docs/esc/providers/azure-login/), [GCP](/docs/esc/providers/gcp-login/), and [Vault](/docs/esc/providers/vault-login/) at runtime, eliminating the need for static, long-lived credentials. This enhances security by removing the reliance on dotenv files, locally stored secrets, or long-lived credentials in CI/CD environments, strengthening your workflows’ overall security. -- **Dynamic Secret Retrieval**: ESC retrieves secrets from external secrets managers, such as [AWS Secrets Manager](/docs/esc/providers/aws-secrets/), [1Password](/docs/esc/providers/1password-secrets/), and [HashiCorp Vault](/docs/esc/providers/vault-login/), securely pulling them directly into your environments. Whether you are migrating or utilizing Pulumi ESC’s rich toolset, you can retrieve sensitive information at runtime and apply it seamlessly to your applications. +- **Dynamic Secret Retrieval**: ESC retrieves secrets from external secrets managers, such as [AWS Secrets Manager](/docs/esc/providers/aws-secrets/), [1Password](/docs/esc/providers/1password-secrets/), and [HashiCorp Vault](/docs/esc/providers/vault-secrets/), securely pulling them directly into your environments. Whether you are migrating or utilizing Pulumi ESC’s rich toolset, you can retrieve sensitive information at runtime and apply it seamlessly to your applications. ## Enhancing the Table Editor: Provider Configuration Support diff --git a/content/docs/esc/integrations/dynamic-secrets/1password-secrets.md b/content/docs/esc/integrations/dynamic-secrets/1password-secrets.md index 8223e3cf386c..c13af73e7f55 100644 
--- a/content/docs/esc/integrations/dynamic-secrets/1password-secrets.md +++ b/content/docs/esc/integrations/dynamic-secrets/1password-secrets.md @@ -8,7 +8,7 @@ menu: esc: identifier: 1password-secrets parent: esc-dynamic-secrets - weight: 5 + weight: 6 aliases: - /docs/pulumi-cloud/esc/providers/1password-secrets/ - /docs/esc/providers/1password-secrets/ diff --git a/content/docs/esc/integrations/dynamic-secrets/_index.md b/content/docs/esc/integrations/dynamic-secrets/_index.md index 62355e041c25..726a9a397a14 100644 --- a/content/docs/esc/integrations/dynamic-secrets/_index.md +++ b/content/docs/esc/integrations/dynamic-secrets/_index.md 
@@ -15,10 +15,11 @@ Pulumi ESC providers enable you to dynamically import secrets and configuration To learn how to set up and use each provider, follow the links below. To learn how to configure OpenID Connect (OIDC) for the providers that support it, see [OpenID Connect integration](/docs/pulumi-cloud/oidc/) in the Pulumi Cloud documentation. -| Provider | Description | -|--------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------| -| [1password-secrets](/docs/esc/integrations/dynamic-secrets/1password-secrets/) | The `1password-secrets` provider enables you to dynamically import Secrets from 1Password into your Environment. | -| [aws-secrets](/docs/esc/integrations/dynamic-secrets/aws-secrets/) | The `aws-secrets` provider enables you to dynamically import Secrets from AWS Secrets Manager into your Environment. | -| [azure-secrets](/docs/esc/integrations/dynamic-secrets/azure-secrets/) | The `azure-secrets` provider enables you to dynamically import Secrets from Azure Key Vault into your Environment. | -| [gcp-secrets](/docs/esc/integrations/dynamic-secrets/gcp-secrets/) | The `gcp-secrets` provider enables you to dynamically import Secrets from Google Cloud Secrets Manager into your Environment. | -| [vault-secrets](/docs/esc/integrations/dynamic-secrets/vault-secrets/) | The `vault-secrets` provider enables you to dynamically import Secrets from HashiCorp Vault into your Environment. | +| Provider | Description | +|------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------| +| [1password-secrets](/docs/esc/integrations/dynamic-secrets/1password-secrets/) | The `1password-secrets` provider enables you to dynamically import Secrets from 1Password into your Environment. 
| +| [aws-parameter-store](/docs/pulumi-cloud/esc/providers/aws-parameter-store/) | The `aws-parameter-store` provider enables you to dynamically import parameters from AWS Parameter Store into your Environment. | +| [aws-secrets](/docs/esc/integrations/dynamic-secrets/aws-secrets/) | The `aws-secrets` provider enables you to dynamically import Secrets from AWS Secrets Manager into your Environment. | +| [azure-secrets](/docs/esc/integrations/dynamic-secrets/azure-secrets/) | The `azure-secrets` provider enables you to dynamically import Secrets from Azure Key Vault into your Environment. | +| [gcp-secrets](/docs/esc/integrations/dynamic-secrets/gcp-secrets/) | The `gcp-secrets` provider enables you to dynamically import Secrets from Google Cloud Secrets Manager into your Environment. | +| [vault-secrets](/docs/esc/integrations/dynamic-secrets/vault-secrets/) | The `vault-secrets` provider enables you to dynamically import Secrets from HashiCorp Vault into your Environment. | diff --git a/content/docs/esc/integrations/dynamic-secrets/aws-parameter-store.md b/content/docs/esc/integrations/dynamic-secrets/aws-parameter-store.md new file mode 100644 index 000000000000..31008ce9fe19 --- /dev/null +++ b/content/docs/esc/integrations/dynamic-secrets/aws-parameter-store.md 
@@ -0,0 +1,104 @@ +--- +title: aws-parameter-store +title_tag: aws-parameter-store Pulumi ESC Provider +meta_desc: The `aws-parameter-store` provider enables you to dynamically import parameters from AWS Systems Manager - Parameter Store. +h1: aws-parameter-store +menu: + esc: + identifier: aws-parameter-store + parent: esc-dynamic-secrets + weight: 1 +aliases: + - /docs/pulumi-cloud/esc/providers/aws-parameter-store/ + - /docs/esc/providers/aws-parameter-store/ +--- + +The `aws-parameter-store` provider enables you to dynamically import parameters from AWS Systems Manager - Parameter Store into your Environment. The provider will return a map of names to parameters. + +## Example + +```yaml +aws: + login: + fn::open::aws-login: + oidc: + roleArn: arn:aws:iam::123456789:role/esc-oidc + sessionName: pulumi-environments-session + params: + fn::open::aws-parameter-store: + region: us-west-1 + login: ${aws.login} + get: + myKey: + name: /myNamespace/myKey + myKeyByVersion: + name: /myNamespace/myKey:1 + myKeyByVersionLabel: + name: /myNamespace/myKey:stable + secureKey: + name: /myNamespace/secureKey + decrypt: true + myList: + name: /myNamespace/myList + +``` + +## Configuring OIDC + +To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and AWS, see the [OpenID Connect integration](/docs/pulumi-cloud/oidc/provider/aws/) documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following: + +* `esc open //` command of the [Pulumi ESC CLI](/docs/esc-cli/) +* `pulumi env open //` command of the [Pulumi CLI](/docs/install/) + +Make sure to replace ``, ``, and `` with the values of your Pulumi organization and environment identifier respectively. You should see output similar to the following: + +```json +{ + "aws": { + "login": { + "accessKeyId": "ASIA....", + "secretAccessKey": "mWdm....", + "sessionToken": "Fwo...." 
+ }, + "params": { + "myKey": "latest value", + "myKeyByVersion": "old value", + "myKeyByVersionLabel": "stable value", + "secureKey": "secret value", + "myList": [ + "value 1", + "value 2" + ] + } + } +} +``` + +## Inputs + +| Property | Type | Description | +|----------|--------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------| +| `region` | string | The AWS region to use. | +| `login` | [AWSParameterStoreLogin](#awsparameterstorelogin) | Credentials to use to log in to AWS. | +| `get` | map[string][AWSParameterStoreGet](#awsparameterstoreget) | A map from names to parameters to read from AWS Parameter Store. The outputs will map each name to the parameters's data. | + +### AWSParameterStoreLogin + +| Property | Type | Description | +|-------------------|--------|---------------------------------------------| +| `accessKeyId` | string | The AWS access key ID | +| `secretAccessKey` | string | The AWS secret access key | +| `sessionToken` | string | [Optional] - The AWS session token, if any. | + +### AWSParameterStoreGet + +| Property | Type | Description | +|-----------|---------|------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `name` | string | The name of the parameter to import. To query by parameter label, use `"name": "name:label"`. To query by parameter version, use `"name": "name:version"`. | +| `decrypt` | boolean | [Optional] - Whether to decrypt the value. Only affects values of type SecureString. | + +## Outputs + +| Property | Type | Description | +|----------|--------|----------------------------------------| +| N/A | object | A map of names to imported parameters. | 
diff --git a/content/docs/esc/integrations/dynamic-secrets/aws-secrets.md b/content/docs/esc/integrations/dynamic-secrets/aws-secrets.md index 22fea2269b5f..d397959d751f 100644 --- a/content/docs/esc/integrations/dynamic-secrets/aws-secrets.md +++ b/content/docs/esc/integrations/dynamic-secrets/aws-secrets.md @@ -7,7 +7,7 @@ menu: esc: identifier: aws-secrets parent: esc-dynamic-secrets - weight: 1 + weight: 2 aliases: - /docs/pulumi-cloud/esc/providers/aws-secrets/ - /docs/esc/providers/aws-secrets/ @@ -40,10 +40,10 @@ aws: To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and AWS, see [Configuring OpenID Connect for AWS](/docs/pulumi-cloud/oidc/provider/aws/). Once you have completed these steps, you can validate that your configuration is working by running either of the following: -* `esc open /` command of the [Pulumi ESC CLI](/docs/esc-cli/) -* `pulumi env open /` command of the [Pulumi CLI](/docs/install/) +* `esc open //` command of the [Pulumi ESC CLI](/docs/esc-cli/) +* `pulumi env open //` command of the [Pulumi CLI](/docs/install/) -Make sure to replace `` and `` with the values of your Pulumi organization and environment file respectively. You should see output similar to the following: +Make sure to replace ``, ``, and `` with the values of your Pulumi organization and environment identifier respectively. You should see output similar to the following: ```json { diff --git a/content/docs/esc/integrations/dynamic-secrets/azure-secrets.md b/content/docs/esc/integrations/dynamic-secrets/azure-secrets.md index 517df08cb2ac..34c63bb96361 100644 --- a/content/docs/esc/integrations/dynamic-secrets/azure-secrets.md +++ b/content/docs/esc/integrations/dynamic-secrets/azure-secrets.md @@ -7,7 +7,7 @@ menu: esc: identifier: azure-secrets parent: esc-dynamic-secrets - weight: 2 + weight: 3 aliases: - /docs/pulumi-cloud/esc/providers/azure-secrets/ - /docs/esc/providers/azure-secrets/ 
@@ -40,10 +40,10 @@ The `azure-secrets` provider enables you to dynamically import Secrets and Confi To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Azure, see the [OpenID Connect integration](/docs/pulumi-cloud/oidc/provider/azure/) documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following: -* `esc open /` command of the [Pulumi ESC CLI](/docs/esc-cli/) -* `pulumi env open /` command of the [Pulumi CLI](/docs/install/) +* `esc open //` command of the [Pulumi ESC CLI](/docs/esc-cli/) +* `pulumi env open //` command of the [Pulumi CLI](/docs/install/) -Make sure to replace `` and `` with the values of your Pulumi organization and environment file respectively. You should see output similar to the following: +Make sure to replace ``, ``, and `` with the values of your Pulumi organization and environment identifier respectively. You should see output similar to the following: ```json { diff --git a/content/docs/esc/integrations/dynamic-secrets/gcp-secrets.md b/content/docs/esc/integrations/dynamic-secrets/gcp-secrets.md index e49f1661e968..36ec88846c12 100644 --- a/content/docs/esc/integrations/dynamic-secrets/gcp-secrets.md +++ b/content/docs/esc/integrations/dynamic-secrets/gcp-secrets.md @@ -8,7 +8,7 @@ menu: esc: identifier: gcp-secrets parent: esc-dynamic-secrets - weight: 3 + weight: 4 aliases: - /docs/pulumi-cloud/esc/providers/gcp-secrets/ - /docs/esc/providers/gcp-secrets/ 
@@ -41,10 +41,10 @@ The `gcp-secrets` provider enables you to dynamically import Secrets from Google To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Google Cloud, see the [OpenID Connect integration](/docs/pulumi-cloud/oidc/provider/gcp/) documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following: -* `esc open /` command of the [Pulumi ESC CLI](/docs/esc-cli/) -* `pulumi env open /` command of the [Pulumi CLI](/docs/install/) +* `esc open //` command of the [Pulumi ESC CLI](/docs/esc-cli/) +* `pulumi env open //` command of the [Pulumi CLI](/docs/install/) -Make sure to replace `` and `` with the values of your Pulumi organization and environment file respectively. You should see output similar to the following: +Make sure to replace ``, ``, and `` with the values of your Pulumi organization and environment identifier respectively. You should see output similar to the following: ```json { diff --git a/content/docs/esc/integrations/dynamic-secrets/vault-secrets.md b/content/docs/esc/integrations/dynamic-secrets/vault-secrets.md index f9d9f425a95e..5eb9346f9df6 100644 --- a/content/docs/esc/integrations/dynamic-secrets/vault-secrets.md +++ b/content/docs/esc/integrations/dynamic-secrets/vault-secrets.md @@ -7,7 +7,7 @@ menu: esc: identifier: vault-secrets parent: esc-dynamic-secrets - weight: 4 + weight: 5 aliases: - /docs/pulumi-cloud/esc/providers/vault-secrets/ - /docs/esc/providers/vault-secrets/ 
@@ -38,10 +38,10 @@ The `vault-secrets` provider enables you to dynamically import Secrets from Hash To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Vault, see the [OpenID Connect integration](/docs/pulumi-cloud/oidc/provider/vault/) documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following: -* `esc open /` command of the [Pulumi ESC CLI](/docs/esc-cli/) -* `pulumi env open /` command of the [Pulumi CLI](/docs/install/) +* `esc open //` command of the [Pulumi ESC CLI](/docs/esc-cli/) +* `pulumi env open //` command of the [Pulumi CLI](/docs/install/) -Make sure to replace `` and `` with the values of your Pulumi organization and environment file respectively. You should see output similar to the following: +Make sure to replace ``, ``, and `` with the values of your Pulumi organization and environment identifier respectively. You should see output similar to the following: ```json {
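Review bot: In the `_index.md` hunk, the new `aws-parameter-store` table row links to `/docs/pulumi-cloud/esc/providers/aws-parameter-store/`, which the new page lists only as an alias, while every other row links to the canonical `/docs/esc/integrations/dynamic-secrets/<provider>/` path. Suggest `[aws-parameter-store](/docs/esc/integrations/dynamic-secrets/aws-parameter-store/)` so the index does not depend on the alias redirect.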
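Review bot: In the new `aws-parameter-store.md` file, the `get` row of the Inputs table reads "map each name to the parameters's data"; it should be "parameter's data". Two documentation gaps in the same file are worth closing before merge: the `decrypt` row says it "Only affects values of type SecureString" but the page never states what the opened output contains for a SecureString read without `decrypt: true`, and nothing in the page lists the IAM permissions the assumed role needs for the read (at minimum the SSM get-parameter permission, plus decrypt permission on the KMS key when `decrypt: true` is used), which readers setting up the `esc-oidc` role will need. Minor: the YAML example fence has a trailing blank line before the closing backticks, and the example `roleArn` `arn:aws:iam::123456789:role/esc-oidc` uses a 9-digit account ID where AWS account IDs are 12 digits, so a placeholder such as `123456789012` would read as intended.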