May 10th, 2025

v0.19.544

Customer Secrets

Customer input secrets can be defined in your secrets.toml config. This allows you to define secrets that need to be added by users when provisioning an install via the CloudFormation stack.

You can define a secret with the following config:

[[secret]]
name = "license_key_{{.nuon.id}}"
display_name = "license key for {{.nuon.id}}"
description = "License key"

Templating can be used on any field, allowing you to dynamically namespace secrets and other things. Since secrets are synced before components are

required secrets will cause the CloudFormation stack to fail if they are not added.

Auto Generated Secrets

You can automatically generate a secret value by setting auto_generate = true on the secret.

For instance, to create a unique value that is configured in your cluster:

[[secret]]
name = "db_password_{{.nuon.id}}"
display_name = "Auto generated database password"
description = "Auto generated database password"

auto_generate = true

Automatic Syncing

You can automatically sync secrets into your sandbox Kubernetes cluster by setting kubernetes_sync = true on the secret in your config.

[[secret]]
name = "license_key_{{.nuon.id}}"
display_name = "License Key"
description = "License Key"

kubernetes_sync = true
kubernetes_secret_namespace = "{{.nuon.id}}"
kubernetes_secret_name = "database-password"

Syncing can be disabled via your config, and it requires that the correct permissions are granted to the Provision role in your permissions.toml.

Outputs

You can reference the outputs of a synced secret through the {{.nuon.secrets}} template. The values

If you do not see your secrets in {{.nuon.secrets}}, syncing is not enabled for them. You can reference the source ARN directly using {{.nuon.install_stack.outputs}}.

If you are having trouble working with your state, we recommend adding it directly to your readme using the following block.

<details>
<summary>Full Nuon State</summary>
<pre>
{{ toPrettyJson .nuon }}
</pre>
</details>

Secret values are not available in your state, and can only be read from your application by using the source secret (AWS Secrets Manager) or the Kubernetes secret directly.

Life Cycle

Currently, secrets are synced during the Provision, Reprovision and ReprovisionSandbox workflows.

We currently do not automatically sync secrets. We are considering this for a future release.

Fixes

  • Fixed an issue where an attempt was made to display Terraform state for all component types.
  • Fixed a bug with dependency ordering.