diff --git a/content/blog/introducing-esc-secret-rotation-webhooks/feature.png b/content/blog/introducing-esc-secret-rotation-webhooks/feature.png new file mode 100644 index 000000000000..5575d60c75c9 Binary files /dev/null and b/content/blog/introducing-esc-secret-rotation-webhooks/feature.png differ diff --git a/content/blog/introducing-esc-secret-rotation-webhooks/index.md b/content/blog/introducing-esc-secret-rotation-webhooks/index.md new file mode 100644 index 000000000000..2c6a72eb00c5 --- /dev/null +++ b/content/blog/introducing-esc-secret-rotation-webhooks/index.md @@ -0,0 +1,69 @@ +--- +title: "Introducing ESC Secret Rotation Webhooks" +date: 2026-06-26 +draft: false +meta_desc: "Pulumi ESC secret rotation webhooks notify your team the moment a rotation happens. Refresh dependent services immediately!" +meta_image: meta.png +feature_image: feature.png +authors: + - sean-yeh +tags: + - esc + - rotation + - secrets +schema_type: auto + +# Social media copy — auto-posted to X, LinkedIn, and Bluesky when merged to master. +# Character limits: X ~280, Bluesky 300, LinkedIn 3000. Leave blank to skip a platform. +social: + twitter: + linkedin: + bluesky: +--- + +[Pulumi ESC](/docs/esc/) centralizes your secrets and configuration, and it can [automatically rotate secrets](/docs/esc/concepts/rotators/) on a schedule so credentials never go stale. But a rotation is only useful if the systems that depend on it know it happened. ESC secret rotation webhooks close that gap by notifying you the moment a secret rotates. + + + +## Introducing secret rotation webhooks + +With [ESC webhooks](/docs/esc/concepts/webhooks/), you can react to rotations automatically. When ESC rotates an environment's secrets, a webhook can be configured to trigger on either success or failure. Use it to notify your team in Slack, refresh services that hold the old credential, or catch a failed rotation before it causes an outage. + +## How to configure + +### Pulumi Cloud Console + +Using the Pulumi Cloud Console, you can now configure webhooks for "Environment rotation succeeded" and "Environment rotation failed" in your ESC Environment's Settings page (under **Settings** -> **Notifications**). + +![ESC webhook trigger settings with "Environment rotation succeeded" and "Environment rotation failed" selected](./rotation-webhook-triggers.png) + +### Pulumi Service Provider + +You can use the Pulumi Service Provider in your Pulumi program to configure webhooks. Here is an example in TypeScript: + +```typescript +const environmentWebhook = new service.Webhook("env-webhook", { + active: true, + displayName: "env-webhook", + organizationName: "my-org", + projectName: environment.project, + environmentName: environment.name, + payloadUrl: "https://example.com", + filters: [WebhookFilters.EnvironmentRotationSucceeded, WebhookFilters.EnvironmentRotationFailed], +}) +``` + +### Pulumi CLI + +You can also use the Pulumi CLI to configure the webhook: + +``` +pulumi env webhook new my-org/project/env env-webhook \ + --url https://example.com \ + --event environment_rotation_succeeded \ + --event environment_rotation_failed +``` + +## Get started + +Secret rotation webhooks are available now for all Pulumi ESC environments. See the [webhooks documentation](/docs/esc/concepts/webhooks/) to get started, and share your feedback on our [GitHub repository](https://github.com/pulumi/esc). diff --git a/content/blog/introducing-esc-secret-rotation-webhooks/meta.png b/content/blog/introducing-esc-secret-rotation-webhooks/meta.png new file mode 100644 index 000000000000..70d841a95f1f Binary files /dev/null and b/content/blog/introducing-esc-secret-rotation-webhooks/meta.png differ diff --git a/content/blog/introducing-esc-secret-rotation-webhooks/rotation-webhook-triggers.png b/content/blog/introducing-esc-secret-rotation-webhooks/rotation-webhook-triggers.png new file mode 100644 index 000000000000..183efd7b140c Binary files /dev/null and b/content/blog/introducing-esc-secret-rotation-webhooks/rotation-webhook-triggers.png differ