
Pulumi extends roots of infrastructure as code

As the world of cloud computing grows ever more complex and interconnected, the rise of Infrastructure-as-Code (IaC) seeks to take away the system-level provisioning, maintenance and management headaches that most software developers are not naturally equipped to handle. A vocal player in this space is Pulumi. The company has now come forward with product enhancements designed to improve security, streamline automation and provide greater control over cloud resources.

Software application development engineers are (typically) good at cutting code to program and create applications. Some also sport extended skills in networking connectivity, cloud-native components and container orchestration, while others still have a special flair for debugging, penetration testing, security or identity and authentication management. Few would describe themselves as any (or all) of that and an infrastructure management specialist as well. This is no small part of the reason why we have seen the rise of Infrastructure-as-Code (IaC) platforms.

Pulumi’s new offerings include secure GitHub Actions integration, automated credential rotation, unified policy governance and granular access controls to help enterprises manage cloud infrastructure more securely.

What are software secrets?

Pulumi ESC now provides “automated secrets rotation” to address the challenges of managing static, long-lived credentials. This feature helps organisations minimise security risks while integrating with existing workflows. Secrets (sensitive digital authentication credentials like passwords, API keys, or encryption keys used to access protected resources or systems) can be rotated on-demand and through a rotation schedule. 

All secrets are rotated with a two-secret strategy in which two versions of a secret are valid at any time, so that consumers still holding the older version keep working during the credential transition. Rotated secrets come with complete auditing and tracking: the full history of credentials, when they were rotated and who accessed them.
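The overlap model described above, as an added illustration written for this article rather than Pulumi ESC's own implementation: a credential keeps its current and previous value live, every rotation retires the one before that, and each rotation and lookup lands in an audit trail. The secret name, actors and in-memory store are all constructed for the example.

```python
"""Two-secret (overlapping) credential rotation with an audit trail.

Added example, not Pulumi ESC code. Secret material is generated locally
and the store is an in-memory object, both constructed for illustration.
"""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class AuditEvent:
    when: datetime
    actor: str
    action: str       # "rotate", "access" or "access-denied"
    secret_id: str    # "<name>@v<version>" for the version touched


@dataclass
class RotatedSecret:
    """One credential with at most two live versions: current and previous."""
    name: str
    current: str
    previous: Optional[str] = None
    version: int = 1
    audit: List[AuditEvent] = field(default_factory=list)

    def _log(self, actor: str, action: str, secret_id: str) -> None:
        self.audit.append(AuditEvent(datetime.now(timezone.utc), actor, action, secret_id))

    def rotate(self, actor: str) -> str:
        """Mint a new value. The old 'current' stays valid as 'previous';
        whatever was 'previous' is dropped, so two versions work at most."""
        self.previous = self.current
        self.current = secrets.token_urlsafe(32)
        self.version += 1
        self._log(actor, "rotate", f"{self.name}@v{self.version}")
        return self.current

    def is_valid(self, presented: str, actor: str) -> bool:
        """Timing-safe check against both live versions; every lookup is audited
        so the trail shows who is still using the previous value."""
        candidates = ((0, self.current), (1, self.previous))
        for offset, candidate in candidates:
            if candidate is not None and secrets.compare_digest(presented, candidate):
                self._log(actor, "access", f"{self.name}@v{self.version - offset}")
                return True
        self._log(actor, "access-denied", self.name)
        return False

    def rotation_history(self) -> List[str]:
        """Secret ids of every rotation, oldest first."""
        return [e.secret_id for e in self.audit if e.action == "rotate"]


if __name__ == "__main__":
    # Constructed walk-through: a scheduled rotation followed by an on-demand one.
    db = RotatedSecret(name="db-password", current="initial-value")
    db.rotate(actor="rotation-schedule")
    db.is_valid("initial-value", actor="payments-api")   # still fine: previous
    db.rotate(actor="oncall-engineer")
    db.is_valid("initial-value", actor="payments-api")   # now denied: two rotations old
    for event in db.audit:
        print(f"{event.when.isoformat()} {event.actor:>18} {event.action:<14} {event.secret_id}")
```

The point to check in your own rotation design is the last denial: a consumer that has not picked up a new value after two rotations is locked out, so the rotation interval has to exceed the slowest consumer's refresh period, and the audit trail is how you find that consumer before it happens.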

The Pulumi ESC GitHub Action enables teams to inject secrets and configuration securely into GitHub Actions workflows as needed, rather than storing them as static, long-lived secrets. This approach is said to reduce the risk of credential leakage while streamlining CI/CD pipelines. The GitHub Action can download the Pulumi ESC CLI, inject all environment variables from an ESC environment, or inject specific environment variables as needed. 

We’ve got your RBAC

According to Pulumi’s Claire Gaestel and Arun Loganathan, the company’s new Role-Based Access Control (RBAC) system provides fine-grained control over who can access and modify resources within an organisation. The RBAC system unifies control across all products in Pulumi Cloud and it allows organisations to define custom roles with specific permissions, apply these roles to users and teams and control access to individual resources like IaC stacks, ESC environments and Pulumi Insights (see below for context) accounts. The system also supports role-based access tokens, ensuring that automated processes only have the permissions they need.
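The control model in the paragraph above (custom roles, per-resource grants, tokens bound to a role) as an added example of the logic such a system evaluates, written for this article and not Pulumi Cloud's actual API or schema. The role names, the "kind/org/project/name" resource identifiers and the action vocabulary are all invented for the illustration.

```python
"""Resource-scoped RBAC with role-bound access tokens.

Added example, not Pulumi Cloud code. Resource ids, role names and the
action words are constructed; grants may end in "/*" to cover a project.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class Grant:
    action: str     # "read", "update", "deploy" or "*" (constructed vocabulary)
    resource: str   # exact id such as "stack/acme/payments/prod", or "stack/acme/payments/*"

    def matches(self, action: str, resource: str) -> bool:
        if self.action not in ("*", action):
            return False
        if self.resource.endswith("/*"):
            # Keep the trailing "/" so "payments/*" does not cover "payments-legacy/..."
            return resource.startswith(self.resource[:-1])
        return resource == self.resource


@dataclass(frozen=True)
class Role:
    name: str
    grants: FrozenSet[Grant]


class Authorizer:
    """Roles hold grants; a token carries a role and nothing else."""

    def __init__(self) -> None:
        self._roles: Dict[str, Role] = {}
        self._tokens: Dict[str, str] = {}   # token value -> role name

    def define_role(self, name: str, grants: FrozenSet[Grant]) -> None:
        self._roles[name] = Role(name, grants)

    def issue_token(self, role_name: str) -> str:
        """A token for automation is scoped to one role, never to a user's full rights."""
        if role_name not in self._roles:
            raise KeyError(f"unknown role {role_name!r}")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = role_name
        return token

    def authorize(self, token: str, action: str, resource: str) -> bool:
        role_name = self._tokens.get(token)
        if role_name is None:
            return False
        return any(g.matches(action, resource) for g in self._roles[role_name].grants)


def build_ci_authorizer() -> Authorizer:
    """Constructed setup: a deploy-only role for a CI job on one project."""
    auth = Authorizer()
    auth.define_role("ci-deployer", frozenset({
        Grant("deploy", "stack/acme/payments/*"),
        Grant("read", "esc/acme/payments/prod"),
    }))
    return auth


if __name__ == "__main__":
    auth = build_ci_authorizer()
    tok = auth.issue_token("ci-deployer")
    for action, resource in [
        ("deploy", "stack/acme/payments/prod"),        # allowed
        ("deploy", "stack/acme/payments-legacy/prod"), # denied: prefix must end at "/"
        ("update", "esc/acme/payments/prod"),          # denied: read-only on the environment
        ("deploy", "stack/acme/billing/prod"),         # denied: other project
    ]:
        print(f"{action:<7} {resource:<36} {'allow' if auth.authorize(tok, action, resource) else 'deny'}")
```

The `payments-legacy` case is the one worth testing in any real RBAC setup: a wildcard implemented as a bare string prefix silently widens the grant to every sibling project whose name shares that prefix.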


It would be unusual for any company to talk about Infrastructure-as-Code without also talking about Policy-as-Code and Pulumi doesn’t disappoint on that level. The firm notes that the Pulumi Insights service now extends policy-as-code capabilities to automatically govern all cloud resources, including those discovered outside of Infrastructure-as-Code.

“Organizations can now write policies once and apply them universally across both IaC and discovered resources in AWS, Azure, OCI and Kubernetes environments. Pulumi Insights now provides comprehensive visibility into policy violations through a dedicated dashboard, enabling quick identification and resolution of non-compliant resources. This unified approach to policy enforcement marks a significant advancement in cloud security and compliance management, offering organisations a more streamlined and effective way to maintain their infrastructure standards,” said Tyler Dunkel, writing on the engineering blog at Pulumi.
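An added example of the "write once, apply universally" idea in the quote above, written for this article and not Pulumi's policy engine or the Pulumi Insights dashboard: one set of rules is evaluated over resource records regardless of whether they came from an IaC program or from discovery, and the violations are then counted per origin. The resource records, their `origin` field and both rules are constructed; the type tokens follow Pulumi's `provider:module/type:Type` naming.

```python
"""One policy set evaluated over both IaC-declared and discovered resources.

Added example, not Pulumi code. SAMPLE is a constructed inventory; the two
rules are illustrative and the 'origin' field is an invented attribute.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Resource:
    origin: str   # "iac" (declared in a program) or "discovered" (found by scanning)
    type: str     # Pulumi-style type token, e.g. "aws:s3/bucket:Bucket"
    name: str
    props: dict


@dataclass(frozen=True)
class Violation:
    policy: str
    origin: str
    resource: str
    message: str


# A rule returns a message when the resource violates it, otherwise None.
Rule = Callable[[Resource], Optional[str]]


def s3_no_public_acl(r: Resource) -> Optional[str]:
    if r.type == "aws:s3/bucket:Bucket" and r.props.get("acl") in ("public-read", "public-read-write"):
        return f"bucket ACL is {r.props['acl']}"
    return None


def k8s_no_privileged(r: Resource) -> Optional[str]:
    if r.type == "kubernetes:core/v1:Pod":
        for c in r.props.get("containers", []):
            if c.get("securityContext", {}).get("privileged"):
                return f"container {c.get('name')} runs privileged"
    return None


POLICIES: Dict[str, Rule] = {
    "s3-no-public-acl": s3_no_public_acl,
    "k8s-no-privileged": k8s_no_privileged,
}


def evaluate(resources: List[Resource], policies: Dict[str, Rule] = POLICIES) -> List[Violation]:
    """Every rule runs over every resource; origin is carried along, never filtered on."""
    out = []
    for r in resources:
        for name, rule in policies.items():
            msg = rule(r)
            if msg:
                out.append(Violation(name, r.origin, f"{r.type}::{r.name}", msg))
    return out


def by_origin(violations: List[Violation]) -> Dict[str, int]:
    """Dashboard-style rollup: how many violations come from IaC vs discovery."""
    counts: Dict[str, int] = {}
    for v in violations:
        counts[v.origin] = counts.get(v.origin, 0) + 1
    return counts


# Constructed inventory: the IaC program declares a compliant bucket and a bad pod;
# discovery turns up a public bucket nobody declared and a compliant pod.
SAMPLE = [
    Resource("iac", "aws:s3/bucket:Bucket", "assets", {"acl": "private"}),
    Resource("iac", "kubernetes:core/v1:Pod", "debug-shell",
             {"containers": [{"name": "shell", "securityContext": {"privileged": True}}]}),
    Resource("discovered", "aws:s3/bucket:Bucket", "old-backups", {"acl": "public-read"}),
    Resource("discovered", "kubernetes:core/v1:Pod", "web",
             {"containers": [{"name": "nginx", "securityContext": {"privileged": False}}]}),
]

if __name__ == "__main__":
    found = evaluate(SAMPLE)
    for v in found:
        print(f"[{v.origin:<10}] {v.policy:<18} {v.resource}: {v.message}")
    print(by_origin(found))
```

The `old-backups` bucket is the case the quote is about: it would never be seen by a policy that only runs at `pulumi up` time, because no program declares it.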

We’re in control now, right?

Pulumi has also previously expanded its arsenal to overcome Kubernetes headaches. So, given the “comprehensive visibility” that it now claims to extend, the secrets controls noted here and the wider approach to infrastructure automation that the company’s platform seeks to bring to bear, developers should be able to rest easy and know that their lower-level system provisioning and management is all in safe hands, right?

Yes, yes, maybe, usually and probably, for now.

As the complexity of cloud computing platforms continues to grow, spiral and skew, there will inevitably be a need for Infrastructure-as-Code players such as Pulumi and its competitors (we could mention Progress, Terraform, Puppet, Ansible and also Microsoft’s Azure Resource Manager (ARM) or Google Cloud Deployment Manager (CDM) here) to keep up with changes in formats, form factors and formulations as yet unknown. Watch this space, but keep your eyes focused on the infrastructure zone.

Free image use: Wikimedia Commons