Docs suggestion: document how to rotate a RandomPassword #234

Open
ghost opened this issue Aug 2, 2022 · 7 comments
Labels
area/docs Improvements or additions to documentation kind/enhancement Improvements or new features

Comments


ghost commented Aug 2, 2022

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

A co-worker just asked me how we can rotate the value of a RandomPassword resource, after the value was accidentally logged in plaintext.

I’m pretty sure I need to use pulumi destroy with --target to destroy the resource and then run pulumi up to recreate it, but only about 90% sure.

Regardless, even if I was 100% sure, there are probably other folks out there who could use some guidance on this. And also when questions come up, I always like it when I can share a URL to some canonical documentation so that people can learn, and can have confidence in a process or procedure.

Affected area/feature

This provider’s docs.

@ghost ghost added kind/enhancement Improvements or new features needs-triage Needs attention from the triage team labels Aug 2, 2022
@stack72 stack72 added area/docs Improvements or additions to documentation and removed needs-triage Needs attention from the triage team labels Aug 3, 2022

gunar commented Aug 25, 2022

Hey, can we get a quick but official comment on the best way to rotate password? A quick comment on this PR would help me (and others) while the updating of the documentation can be done in due time. Thanks in advance.


gunar commented Feb 1, 2023

Here's a method which doesn't require you to destroy all downstream resources:

For the sake of the example, we'll assume the randomPassword was created with the name my_random_password, on the staging stack.

  1. Export the stack state to a JSON file: pulumi stack export --stack staging >stack.json
  2. Edit the stack.json file
    2.1. Delete the JSON object which represents my_random_password
    2.2. Delete all references to my_random_password
      • Look for the URN similar to this: urn:pulumi:staging::<project_name>::random:index/randomPassword:RandomPassword::my_random_password
      • You'll find references under dependencies: [], template: [], and possibly others
      • Delete those lines and fix any missing/extraneous commas to make the JSON valid again
  3. Import the modified stack state: pulumi stack import --stack staging <stack.json
    • If you get an error asking you to use --force, go back and edit stack.json, for you've missed some references to my_random_password
  4. Provision the stack: pulumi up --stack staging
    • You should see it'll try and create a new randomPassword, and update the downstream dependencies

This method is useful for resources that take a long time to re-create such as DNS validations and SSL certificates.

I'd kindly ask @t0yv0 and the team to provide an automated solution for this scenario.
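
The state edit in step 2 of the comment above can be scripted instead of done by hand. This is an added example, not part of the comment and not Pulumi's or the provider's own tooling; it assumes the export keeps resources under deployment.resources with a urn key on each, and the project name "demo" and the DbUser/Db resources in the sample are constructed.

```python
import copy
import json
import sys

# Constructed sample: project "demo" and the DbUser/Db resources are made up.
URN = "urn:pulumi:staging::demo::random:index/randomPassword:RandomPassword::my_random_password"
DB = "urn:pulumi:staging::demo::example:index:Db::main"
SAMPLE = {"version": 3, "deployment": {"resources": [
    {"urn": URN, "type": "random:index/randomPassword:RandomPassword"},
    {"urn": "urn:pulumi:staging::demo::example:index:DbUser::app",
     "type": "example:index:DbUser",
     "dependencies": [URN, DB],
     "propertyDependencies": {"password": [URN], "database": [DB]}},
]}}


def strip_resource(state, urn):
    """Return (edited_copy, leftovers); leftovers are JSON paths needing manual review."""
    state = copy.deepcopy(state)
    resources = state["deployment"]["resources"]
    kept = [r for r in resources if r.get("urn") != urn]
    if len(kept) == len(resources):
        raise KeyError(f"no resource with URN {urn}")
    state["deployment"]["resources"] = kept  # step 2.1: drop the resource object
    leftovers = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if value == urn:
                    # A scalar reference (not a list entry): report it, do not guess.
                    leftovers.append(f"{path}.{key}")
                else:
                    walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            node[:] = [v for v in node if v != urn]  # step 2.2: drop list references
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(state, "$")
    return state, leftovers


if __name__ == "__main__":
    # python strip_urn.py <urn> < stack.json > stack.edited.json  (no argument: SAMPLE)
    src, urn = (json.load(sys.stdin), sys.argv[1]) if len(sys.argv) > 1 else (SAMPLE, URN)
    edited, leftovers = strip_resource(src, urn)
    for p in leftovers:
        print("manual review:", p, file=sys.stderr)
    json.dump(edited, sys.stdout, indent=2)
```

Writing the result to a separate file keeps the original export as a backup to re-import if the edited state is rejected.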


gunzy83 commented May 10, 2024

I have not tested this myself but isn't this what the keepers option is for?

The other option is to create a new RandomPassword with a new name and remove the old one. The pulumi up will then add the new one, update downstream resources and then finally delete the old resource at the end.


adriangb commented Sep 5, 2024

It would be really nice to have an answer to this. I would even say it would be nice to have RandomPassword take an expiry parameter and have it auto-rotate every X amount of time.


xenon8 commented Sep 25, 2024

> I have not tested this myself but isn't this what the keepers option is for?
>
> The other option is to create a new RandomPassword with a new name and remove the old one. The pulumi up will then add the new one, update downstream resources and then finally delete the old resource at the end.

I spent yesterday looking into the Keepers option and it is not very well documented. Would it be possible to have some explanation on how best to use it?


blampe commented Oct 1, 2024

https://www.pulumi.com/registry/packages/time/api-docs/rotating/ might also be relevant.


adriangb commented Oct 1, 2024

I think the problem is that if I use RandomPassword as the input to DatabaseUser (fictitious, but there's many things like this) which then goes into a k8s Secret what I want to happen is:

  1. Create new password.
  2. Create new DatabaseUser
  3. Create new Secret
  4. Re-deploy with new Secret
  5. Delete old Secret
  6. Delete old DatabaseUser
  7. Delete old RandomPassword

I'm not sure that's what would happen in practice. I'll have to try to confirm.
