Pulumi with Node.js
Learn how to configure Pulumi with Dotenv Vault in a simple Node.js web app. This tutorial assumes you are already familiar with .env files and know how to sync them.
Initial setup
Create a pulumi.yaml file in your project root and initialize it with the following segment or let the Pulumi CLI do it all for you:
CLI
pulumi new gcp-javascript
Yaml
// pulumi.yaml
name: integration-example-pulumi-nodejs
description:
runtime:
name: nodejs
options:
typescript: false
This tutorial uses Google Cloud Build as a cloud provider but there are alternative options that you can use with Pulumi too.
Create a cloudbuild.yml file in your root folder to set your Google Cloud Build settings. Add the name, entry point, and arguments for each step you want executed.
To load your Dotenv Vault environment variables at a certain step, add an env item and reference the Substitution variable that will be set in your Google Cloud Build Triggers accordingly.
Keep in mind that Google Cloud Build Substitution variables always start with an _underscore, which makes this reference vital for your success.
In your case, the cloudbuild.yml should look like this:
Yaml
// cloudbuild.yml
steps:
- name: node
entrypoint: npm
args: ['install']
- name: node
entrypoint: npm
env:
- 'DOTENV_KEY=${_DOTENV_KEY}'
args: ['run', 'build']
Package installation
Start by installing the dotenv package with npm.
CLI
npm install dotenv --save
Reference the Vault package as early in your index.js code as possible to skip any conflicts that may arise.
Node.js
// index.js
require('dotenv').config()
console.log(process.env) // for debugging purposes. remove when ready.
You will also need to install the @pulumi/gcp and @pulumi/pulumi packages to integrate Pulumi with Google Cloud Build and vice-versa.
CLI
npm install @pulumi/gcp --save
npm install @pulumi/pulumi --save
Build the Vault
Confirm you are logged in and your Vault is synced locally by running npx dotenv-vault pull ci. Once ready, proceed by building your Vault with npx dotenv-vault build.
CLI
npx dotenv-vault build
Once Vault has finished building, it will provide you with access to its decryption keys, which you can use to interact with protected environment variables with ease.
To retrieve a key, just input npx dotenv-vault keys, followed by your preferred environment, like ci, for example. You can do the same with other environments such as development and production.
The outcome of this will be a long URL being returned. You will immediately recognize it as it always starts with dotenv://:key and ends in ?environment= with the environment you have chosen.
CLI
npx dotenv-vault keys ci
remote: Listing .env.vault decryption keys... done
dotenv://:[email protected]/vault/.env.vault?environment=ci
Set deployment
With the decryption key safely in your possession, it is time to navigate to your Google Cloud Build settings via the web interface and hop onto the Triggers section.
Create a new trigger, if you don’t have one yet and under the Configuration section set Type to either Autodetected, if you plan to use the default cloudbuild.yml filename, or Cloud Build configuration file with the appropriate yml filename.
Under the Advanced section you will find the Substitution variables where you can list _DOTENV_KEY as the key and the decryption key you obtained earlier as the value field.
Commit and push
That’s it!
Commit those changes safely to code and deploy to Pulumi.
When the build runs, it will recognize the DOTENV_KEY, decrypt the .env.vault file, and load the ci environment variables to ENV.
If a DOTENV_KEY is not set when developing on local machine, for example, it will fall back to standard Dotenv functionality.
You’ll know things worked correctly when you see 'Loading .env from encrypted .env.vault' in your Google Cloud Build logs.
