Use Typed Configuration Access

Beginner

All Pulumi configuration access must use typed methods (requireNumber, requireSecret, getBoolean) — never use untyped get() without validation in production infrastructure code.

File Patterns

**/Pulumi*.yaml**/index.ts**/__main__.py**/main.go

This rule applies to files matching the patterns above.

Rule Content

rule-content.md

# Use Typed Configuration Access

## Rule
All configuration values MUST be accessed with typed methods. Secrets MUST use `requireSecret()`. Required values MUST use `require*()` methods that fail fast on missing config.

## Good Examples
```typescript
const config = new pulumi.Config();

// Required values — fail fast if missing
const region = config.require("region");
const instanceCount = config.requireNumber("instanceCount");
const dbPassword = config.requireSecret("dbPassword");

// Optional values with defaults
const enableMonitoring = config.getBoolean("enableMonitoring") ?? true;
const logLevel = config.get("logLevel") ?? "warn";
const maxRetries = config.getNumber("maxRetries") ?? 3;
```

## Bad Examples
```typescript
// BAD: Untyped access, no validation
const region = config.get("region");  // Could be undefined!
const count = config.get("count");    // Returns string, not number

// BAD: Secret accessed as plain text
const password = config.require("dbPassword");  // Should use requireSecret

// BAD: No default for optional values
const logLevel = config.get("logLevel");  // undefined if not set
```

## Configuration Checklist
1. All passwords, tokens, keys use `requireSecret()` or `getSecret()`
2. All required values use `require*()` methods
3. All numbers use `requireNumber()` or `getNumber()`
4. All booleans use `requireBoolean()` or `getBoolean()`
5. All optional values have sensible defaults

## Enforcement
- TypeScript compiler catches type mismatches
- Pulumi CrossGuard policies for secret validation
- Code review checklist for configuration access patterns

FAQ

Discussion

Loading comments...

# Use Typed Configuration Access ## Rule All configuration values MUST be accessed with typed methods. Secrets MUST use `requireSecret()`. Required values MUST use `require*()` methods that fail fast on missing config. ## Good Examples ```typescript const config = new pulumi.Config(); // Required values — fail fast if missing const region = config.require("region"); const instanceCount = config.requireNumber("instanceCount"); const dbPassword = config.requireSecret("dbPassword"); // Optional values with defaults const enableMonitoring = config.getBoolean("enableMonitoring") ?? true; const logLevel = config.get("logLevel") ?? "warn"; const maxRetries = config.getNumber("maxRetries") ?? 3; ``` ## Bad Examples ```typescript // BAD: Untyped access, no validation const region = config.get("region"); // Could be undefined! const count = config.get("count"); // Returns string, not number // BAD: Secret accessed as plain text const password = config.require("dbPassword"); // Should use requireSecret // BAD: No default for optional values const logLevel = config.get("logLevel"); // undefined if not set ``` ## Configuration Checklist 1. All passwords, tokens, keys use `requireSecret()` or `getSecret()` 2. All required values use `require*()` methods 3. All numbers use `requireNumber()` or `getNumber()` 4. All booleans use `requireBoolean()` or `getBoolean()` 5. All optional values have sensible defaults ## Enforcement - TypeScript compiler catches type mismatches - Pulumi CrossGuard policies for secret validation - Code review checklist for configuration access patterns