> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nuon.co/llms.txt
> Use this file to discover all available pages before exploring further.

# 009 - Action Triggers, improved configs, default secrets

> Action triggers, improved configs, default secrets.

*June 5th, 2025*

<div className="badge badge--primary">v0.19.590</div>

## Action Triggers

Action triggers are now available for all workflows. You can now use the following set of triggers:

* `pre-provision`
* `post-provision`
* `pre-reprovision`
* `post-reprovision`
* `pre-deprovision`
* `post-deprovision`
* `pre-deploy-all-components`
* `post-deploy-all-components`
* `pre-teardown-all-components`
* `post-teardown-all-components`
* `pre-deprovision-sandbox`
* `post-deprovision-sandbox`
* `pre-reprovision-sandbox`
* `post-reprovision-sandbox`
* `pre-update-inputs`
* `post-update-inputs`
* `pre-secrets-sync`
* `post-secrets-sync`

Each workflow trigger is called at the beginning or end of the workflow. In some cases, such as `pre-provision` or
`pre-reprovision` that include a stack-run, the trigger will be called right after the runner is healthy.

The following triggers require a `component_name` field to be set, as they are tied to a specific component:

* `pre-deploy-component`
* `post-deploy-component`
* `post-teardown-component`
* `pre-teardown-component`

<Note>
  `pre-component-deploy` and `post-component-deploy` have been renamed to `pre-deploy-component` and `post-deploy-component` for consistency with other triggers.
  `pre-sandbox-run` and `post-sandbox-run` have been deprecated, in favor of `pre|post-reprovision`, `pre|post-provision`, and `pre|post-deprovision`
</Note>

## Inputs, Permissions and Secrets Dirs

You can now structure configs using directories. The following fields support loading their config from either a sub-directory, or a single file:

* `secrets` - supports either a `secrets.toml` or a `secrets/` directory
* `inputs` - supports either an `inputs.toml` or an `inputs/` and `input_groups` directory.
* `permissions` - support either a `permissions.toml` or a `permissions/` directory.

The configuration format is slightly different for files that are added to a directory:

### Input

No longer requires the `[[inputs]]` syntax when added into `./inputs/input-name.toml`.

```toml theme={null}
name         = "auth_audience"
description  = "Auth0 Audience"
default      = "api.{{.nuon.install.id}}.nuon.run"
display_name = "Auth0 Audience"
group        = "auth"
```

### Input Group

No longer requires the `[[groups]]` syntax when added into `./input_groups/group-name.toml`.

```toml theme={null}
name         = "auth"
description  = "Auth0"
display_name = "Authentication Configuration."
```

### Secret

No longer requires the `[[groups]]` syntax when added into `./input_groups/group-name.toml`.

```toml theme={null}
name          = "clickhouse_cluster_pw"
display_name  = "Clickhouse Cluster Password"
description   = "Password for the Clickhouse Cluster for the Nuon CTL API User."
auto_generate = true

kubernetes_sync             = true
kubernetes_secret_namespace = "clickhouse"
kubernetes_secret_name      = "clickhouse-cluster-pw"
```

### Permissions

No longer requires the `[provision_role]`, `[deprovision_role]`, or `[maintenance_role]` syntax, but now requires a
`type`.

```toml theme={null}
type = "deprovision"
name = "{{.nuon.install.id}}-deprovision"
description = "deprovision"
display_name = "deprovision"
permissions_boundary = "./deprovision_boundary.json"

[[policies]]
managed_policy_name = "AdministratorAccess"
```

## Improved Schema

Each configuration file now supports a JSON schema that can be loaded via our api. You can now add `#:schema 
https://api.nuon.co/v1/general/config-schema?type=input` at the beginning of any Nuon config file for editor supported
TOML LSP integrations.

The following `types` are valid:

* `runner` - for use in `runner.toml`
* `sandbox` - for use in `sandbox.toml`
* `helm` - for use in any helm component toml config in `components/`.
* `docker-build` - for use in any docker-build component toml config in `components/`.
* `container-image` - for use in any container-image component toml config in `components/`.
* `terraform` - for use in any terraform component toml config in `components/`.
* `permissions` - for use in any permissions config in `permissions/`.
* `secret` - for use in any permissions config in `secrets/`.
* `input` - for use in any input config in `input/`.
* `input-group` - for use in any input config in `input_groups/`.
* `metadata` - for use in `metadata.toml`.
* `action` - for use in action defined in `actions/`.
* `stack` - for use in `stack.toml`.
* `installer` - for use in `installer.toml`.
* `full` - only useful for validating a full, parsed Nuon config.

## Component and Action Groups

You can now group components and actions using subdirectories. For now, the change is purely for configuration
management, but will soon be added into the ui and other places.

## Default Secrets

You can now provide a default for secrets that get added in a cloudformation stack.

## Fixes

* Made org creation email configurable for BYOC installs of Nuon.
* Fixed a bug where content in the `permissions` config would not look in the `./permissions` subdirectory.