
Inline Token Store

Manage short-lived secret tokens via an inline resource provider without shipping a separate plugin. Each instance persists its state to a file and surfaces the stored values as deferred outputs. State files are JSON documents that include the token, ttlSeconds, metadata, version, and lastRotated fields so lifecycle operations can round-trip values accurately.

Capabilities

Create token record

  • Creating a new instance writes a JSON file under the provided state directory using the identifier as the filename (e.g., stateDir/identifier.json), generates a random 32-byte token encoded in base64, sets version to 1, and records an ISO lastRotated timestamp; the exposed outputs mirror what is on disk. @test

Update TTL and metadata without replacement

  • Changing ttlSeconds or metadata updates the existing file in place, keeps the id and token stable, increments version, refreshes lastRotated, and persists the new values. @test

Replace on identifier change

  • Changing identifier forces a replacement: a new file is created with a freshly generated token, version resets to 1, and the old file is removed so no orphaned state remains. @test

Import existing token

  • When given an existing file path as the resource ID, the resource reads the stored token, TTL, metadata, version, and lastRotated without mutating them, then continues to honor subsequent updates and replacements based on the same lifecycle rules. @test
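The create and in-place update rules above, as an added example (not the tile's or Pulumi's own code): plain Node file handling that a provider's create and update handlers could call. The function names, the identifier allow-list, and the 0600 temp-file-plus-rename write are assumptions of this example, not requirements stated in the spec.

```typescript
import * as crypto from "node:crypto";
import * as fs from "node:fs";
import * as path from "node:path";

// On-disk JSON document, using the field names from the spec above.
interface TokenState {
  token: string; ttlSeconds: number; metadata: Record<string, string>;
  version: number; lastRotated: string;
}

// Assumption: identifiers are limited to a safe character set so that
// stateDir/identifier.json can never resolve outside stateDir.
function statePath(stateDir: string, identifier: string): string {
  if (!/^[A-Za-z0-9_-]+$/.test(identifier)) {
    throw new Error(`invalid identifier: ${JSON.stringify(identifier)}`);
  }
  return path.join(stateDir, `${identifier}.json`);
}

// Write to a temp file created with mode 0600, then rename over the target, so the
// secret is never group/world readable and readers never see a partial document.
function writeState(file: string, state: TokenState): void {
  const tmp = `${file}.${crypto.randomBytes(6).toString("hex")}.tmp`;
  fs.writeFileSync(tmp, JSON.stringify(state, null, 2), { mode: 0o600, flag: "wx" });
  fs.renameSync(tmp, file);
}

// Create: fresh random 32-byte token (base64), version 1, ISO lastRotated.
function createToken(stateDir: string, identifier: string, ttlSeconds: number,
                     metadata: Record<string, string> = {}): { id: string; state: TokenState } {
  const id = statePath(stateDir, identifier);
  fs.mkdirSync(stateDir, { recursive: true, mode: 0o700 });
  const state: TokenState = {
    token: crypto.randomBytes(32).toString("base64"),
    ttlSeconds, metadata, version: 1, lastRotated: new Date().toISOString(),
  };
  writeState(id, state);
  return { id, state };
}

// Update: keep id and token stable, bump version, refresh lastRotated.
function updateToken(id: string, ttlSeconds: number,
                     metadata: Record<string, string>): TokenState {
  const old = JSON.parse(fs.readFileSync(id, "utf8")) as TokenState;
  const next: TokenState = { ...old, ttlSeconds, metadata, version: old.version + 1,
                             lastRotated: new Date().toISOString() };
  writeState(id, next);
  return next;
}
```

Replacement on identifier change would call `createToken` for the new identifier and then remove the old file; import would read the existing file without calling `writeState`.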

Implementation

@generates

API

export type AsyncValue<T> = T | Promise<T>;

export interface TokenResourceArgs {
  /** Directory where token files are persisted. */
  stateDir: string;
  /** Logical name used to derive the on-disk filename; changing this should trigger a replacement. */
  identifier: string;
  /** Time-to-live in seconds. */
  ttlSeconds: number;
  /** Optional metadata to persist alongside the token. */
  metadata?: Record<string, string>;
}

export interface TokenResourceResult {
  id: AsyncValue<string>;
  token: AsyncValue<string>;
  ttlSeconds: AsyncValue<number>;
  metadata: AsyncValue<Record<string, string>>;
  version: AsyncValue<number>;
  lastRotated: AsyncValue<string>;
}

/**
 * Infrastructure resource that stores and rotates a token using an inline provider.
 */
export class TokenResource {
  constructor(name: string, args: TokenResourceArgs);
  readonly id: AsyncValue<string>;
  readonly token: AsyncValue<string>;
  readonly ttlSeconds: AsyncValue<number>;
  readonly metadata: AsyncValue<Record<string, string>>;
  readonly version: AsyncValue<number>;
  readonly lastRotated: AsyncValue<string>;
}

Dependencies { .dependencies }

@pulumi/pulumi { .dependency }

Provides inline resource provider support for CRUD and diff lifecycles without requiring an external plugin.