Should I commit Pulumi stack files to git?

Question

I'm starting the process of re-implementing our infrastructure-as-code with Pulumi and I'm seeing the different stack configuration files (dev/test etc) in my git project. The stack config files include encryption salts however, is it safe to commit these to Git?

Answer 1

Yep, it is. From the docs:

Decrypting this ciphertext requires the encryption key that was used to create it. For stacks managed with Pulumi Cloud, these keys are obtained automatically, but only for users with read access to the stack. For self-managed backends, the keys must be supplied by the user, either by providing the stack’s current passphrase (when using the passphrase provider) or by authenticating with the stack’s encryption provider.

It’s therefore considered safe, and good practice, to check these files into source control, as doing so allows you to version your code and configuration in tandem. If you’d prefer not to check in these files, however, you can easily rebuild them, using the most recently deployed configuration, with pulumi config refresh.

The thing you need to keep secret is the passphrase itself. The salt has no use without that.

https://www.pulumi.com/docs/concepts/secrets/#committing-configuration-to-source-control