pulumi

---
name: pulumi
description: >-
  Assists with defining and managing cloud infrastructure using Pulumi with TypeScript, Python,
  Go, or C#. Use when provisioning AWS, GCP, Azure, or Kubernetes resources with real programming
  languages instead of HCL. Trigger words: pulumi, infrastructure as code, iac, pulumi up,
  pulumi stack, cloud infrastructure, component resource.
license: Apache-2.0
compatibility: "Requires Pulumi CLI and a supported language runtime (Node.js, Python, Go, .NET)"
metadata:
  author: terminal-skills
  version: "1.0.0"
  category: devops
  tags: ["pulumi", "infrastructure-as-code", "cloud", "devops", "multi-cloud"]
---

# Pulumi

## Overview

Pulumi enables defining and managing cloud infrastructure using real programming languages (TypeScript, Python, Go, C#) instead of domain-specific languages. It supports 150+ cloud providers and allows using loops, conditionals, classes, and packages to build reusable, testable infrastructure components.

## Instructions

- When creating resources, declare them as objects (e.g., `new aws.s3.Bucket("my-bucket", {...})`) and use `pulumi.Output<T>` with `.apply()` for computed values from cloud API responses.
- When managing environments, use stacks (`pulumi stack init dev/staging/prod`) with stack-specific config for instance sizes, replica counts, and feature flags.
- When handling secrets, always use `pulumi config set --secret` for credentials and never hardcode secrets in code.
- When building reusable patterns, create Component Resources by extending `pulumi.ComponentResource` to encapsulate common infrastructure patterns (VPC module, ECS service, etc.).
- When referencing across projects, use Stack References to read outputs from other stacks for cross-project dependencies.
- When enforcing compliance, use CrossGuard policies to prevent non-compliant resources (e.g., no public S3 buckets, require encryption) in CI.
- When testing, write unit tests for Component Resources using standard test frameworks (Vitest, pytest, go test) by mocking the cloud provider and asserting resource properties.

## Examples

### Example 1: Deploy a serverless API on AWS

**User request:** "Set up an AWS Lambda API with DynamoDB using Pulumi and TypeScript"

**Actions:**
1. Scaffold project with `pulumi new aws-typescript`
2. Define DynamoDB table and Lambda function resources
3. Create API Gateway routes linked to Lambda handlers
4. Export endpoint URL as a stack output for consumption

**Output:** A serverless API with infrastructure defined and deployed via `pulumi up`.

### Example 2: Create a reusable VPC component

**User request:** "Build a reusable VPC module with Pulumi that teams can share"

**Actions:**
1. Create a Component Resource class extending `pulumi.ComponentResource`
2. Define VPC, subnets, route tables, and NAT gateway as child resources
3. Expose outputs for subnet IDs and security group references
4. Write unit tests mocking AWS provider to validate configuration

**Output:** A reusable infrastructure component that teams import as a package.

## Guidelines

- Use Component Resources for reusable patterns; do not repeat VPC/ECS/RDS configs across stacks.
- Always use `pulumi config set --secret` for credentials; never hardcode secrets in code.
- Name resources with the project and stack for unique identification across environments.
- Export important outputs (URLs, endpoints, ARNs) for cross-stack consumption.
- Write unit tests for Component Resources by mocking the cloud provider and asserting resource properties.
- Use stack-specific config for environment differences: instance sizes, replica counts, feature flags.
- Enable CrossGuard policies in CI to prevent non-compliant resources from being deployed.