Syntax example

# Imports section names the environments to import. Environments are merged in order
# per JSON merge patch.
imports:
  - foo
  - bar

# Values section contains the environment's values. Values are merged onto imported
# environments per JSON merge patch.
values:
  # Values can be objects, arrays, strings, numbers, or booleans
  object:
    array: [ "hello", "world" ]
    string: esc
    number: 42
    boolean: true

  # Scalar values may be marked secret
  password:
    fn::secret: hunter2

  # Values within the environment and its imports may be referenced by interpolations
  hello: ${object}

  # Various functions may be used to manipulate values
  functions:
    - fn::join: [ ", ", ${object.array} ] # joins the array elements with the given delimiter
    - fn::toBase64: ${password}           # encodes the argument as a Base64 string
    - fn::toJSON: ${object}               # encodes the argument as a JSON string
    - fn::toString: ${object}             # encodes the argument as a string

  # Dynamic secrets can be fetched using fn::open (currently only works for AWS OIDC)
  awsCreds:
    fn::open:
      provider: aws-oidc
      inputs:
        roleArn: arn:aws:iam::086028354146:role/pulumi-deployments-oidc
        sessionName: pulumi-environments-session

  # The environmentVariables top-level key can be used to export environment variables when using
  # `env open --shell`, `env run`, or `pulumi up/preview/refresh/destroy`
  environmentVariables:
    AWS_ACCESS_KEY_ID: ${awsCreds.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${awsCreds.secretAccessKey}
    AWS_SESSION_TOKEN: ${awsCreds.sessionToken}

  # The pulumiConfig top-level key can be used to export pulumi config values for `pulumi up` etc.
  pulumiConfig:
    aws:region: us-west-2