Secret Rotation with Pulumi ESC
Blog post from Pulumi
Pulumi ESC has introduced native support for secrets rotation, simplifying secrets lifecycle management, particularly for static secrets such as database passwords and API keys, which need regular rotation to stay secure. Rotation schedules are expressed in a custom declarative configuration and automated through Pulumi ESC and its IaC integration. Each secret is kept in two versions, current and previous, so that a rollover introduces no downtime. The solution consists of a generic Rotator component that manages credential lifecycles and a Scheduler component that orchestrates rotations in response to changes in the ESC environment configuration. Because applications retrieve credentials dynamically, they automatically receive the latest values without additional configuration, giving a scalable and auditable solution that can be applied across multiple environments.
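To make the two-version (current/previous) rollover concrete, the following is an added Python illustration, not code from the post or from Pulumi ESC: a consumer that cached the old value keeps authenticating through one rotation and is only cut off after the next, while a consumer that re-resolves the secret is never affected. The secret name and the sample password are constructed values.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class RotatingSecret:
    """One static credential kept in two live versions: current and previous."""
    name: str
    current: str
    previous: str | None = None
    version: int = 1
    audit_log: list[str] = field(default_factory=list)  # one entry per rotation

    def rotate(self, new_value: str | None = None) -> str:
        """Promote current to previous and install a fresh value as current.

        Consumers still holding the old current keep authenticating until the
        *next* rotation retires it, which is what makes the rollover zero-downtime.
        """
        new_value = new_value or secrets.token_urlsafe(32)
        self.previous, self.current = self.current, new_value
        self.version += 1
        self.audit_log.append(f"{self.name}: rotated to v{self.version}")
        return self.current

    def accepts(self, candidate: str) -> bool:
        """Constant-time check against both live versions; older values are rejected."""
        if secrets.compare_digest(candidate, self.current):
            return True
        return self.previous is not None and secrets.compare_digest(candidate, self.previous)


def rollover_scenario() -> dict[str, bool]:
    """Walk a caching consumer through two rotations and record what each attempt sees."""
    db_password = RotatingSecret("db-password", current="p@ss-v1")  # constructed sample value
    cached = db_password.current                  # consumer read the secret once and cached it
    results = {"before_rotation": db_password.accepts(cached)}
    db_password.rotate()                          # v2 is current, v1 is previous
    results["after_first_rotation"] = db_password.accepts(cached)           # still valid via previous
    fresh = db_password.current                   # a consumer that re-resolves picks up v2
    db_password.rotate()                          # v3 is current, v2 is previous, v1 is retired
    results["stale_after_second_rotation"] = db_password.accepts(cached)    # False: v1 is gone
    results["refreshed_after_second_rotation"] = db_password.accepts(fresh) # True via previous
    return results
```

The audit log grows by one entry per rotation, which is the trail an operator would inspect when verifying that a schedule actually fired.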