Pulumi Best Practices

1---2name: pulumi-best-practices3version: 1.0.04description: Load when the user is writing, reviewing, or debugging Pulumi TypeScript/Python programs; asks about Output<T> or apply() usage; wants to create ComponentResource classes; needs to refactor resources without destroying them (aliases); is setting up secrets or config; or is configuring a pulumi preview/up CI workflow. Also load for questions about resource dependency order, parent/child resource relationships, or pulumi.interpolate.5---6 7# Pulumi Best Practices8 9## When to Use This Skill10 11Invoke this skill when:12 13- Writing new Pulumi programs or components14- Reviewing Pulumi code for correctness15- Refactoring existing Pulumi infrastructure16- Debugging resource dependency issues17- Setting up configuration and secrets18 19## Practices20 21### 1. Never Create Resources Inside `apply()`22 23**Why**: Resources created inside `apply()` don't appear in `pulumi preview`, making changes unpredictable. Pulumi cannot properly track dependencies, leading to race conditions and deployment failures.24 25**Detection signals**:26 27- `new aws.` or other resource constructors inside `.apply()` callbacks28- Resource creation inside `pulumi.all([...]).apply()`29- Dynamic resource counts determined at runtime inside apply30 31**Wrong**:32 33```typescript34const bucket = new aws.s3.Bucket("bucket");35 36bucket.id.apply(bucketId => {37    // WRONG: This resource won't appear in preview38    new aws.s3.BucketObject("object", {39        bucket: bucketId,40        content: "hello",41    });42});43```44 45**Right**:46 47```typescript48const bucket = new aws.s3.Bucket("bucket");49 50// Pass the output directly - Pulumi handles the dependency51const object = new aws.s3.BucketObject("object", {52    bucket: bucket.id,  // Output<string> works here53    content: "hello",54});55```56 57**When apply is appropriate**:58 59- Transforming output values for use in tags, names, or computed strings60- Logging or debugging (not resource creation)61- Conditional logic that affects resource properties, not resource existence62 63**Reference**: https://www.pulumi.com/docs/concepts/inputs-outputs/64 65---66 67### 2. Pass Outputs Directly as Inputs68 69**Why**: Pulumi builds a directed acyclic graph (DAG) based on input/output relationships. Passing outputs directly ensures correct creation order. Unwrapping values manually breaks the dependency chain, causing resources to deploy in wrong order or reference values that don't exist yet.70 71**Detection signals**:72 73- Variables extracted from `.apply()` used later as resource inputs74- `await` on output values outside of apply75- String concatenation with outputs instead of `pulumi.interpolate`76 77**Wrong**:78 79```typescript80const vpc = new aws.ec2.Vpc("vpc", { cidrBlock: "10.0.0.0/16" });81 82// WRONG: Extracting the value breaks the dependency chain83let vpcId: string;84vpc.id.apply(id => { vpcId = id; });85 86const subnet = new aws.ec2.Subnet("subnet", {87    vpcId: vpcId,  // May be undefined, no tracked dependency88    cidrBlock: "10.0.1.0/24",89});90```91 92**Right**:93 94```typescript95const vpc = new aws.ec2.Vpc("vpc", { cidrBlock: "10.0.0.0/16" });96 97const subnet = new aws.ec2.Subnet("subnet", {98    vpcId: vpc.id,  // Pass the Output directly99    cidrBlock: "10.0.1.0/24",100});101```102 103**For string interpolation**:104 105```typescript106// WRONG107const name = bucket.id.apply(id => `prefix-${id}-suffix`);108 109// RIGHT - use pulumi.interpolate for template literals110const name = pulumi.interpolate`prefix-${bucket.id}-suffix`;111 112// RIGHT - use pulumi.concat for simple concatenation113const name = pulumi.concat("prefix-", bucket.id, "-suffix");114```115 116**Reference**: https://www.pulumi.com/docs/concepts/inputs-outputs/117 118---119 120### 3. Use Components for Related Resources121 122**Why**: ComponentResource classes group related resources into reusable, logical units. Without components, your resource graph is flat, making it hard to understand which resources belong together, reuse patterns across stacks, or reason about your infrastructure at a higher level.123 124**Detection signals**:125 126- Multiple related resources created at top level without grouping127- Repeated resource patterns across stacks that should be abstracted128- Hard to understand resource relationships from the Pulumi console129 130**Wrong**:131 132```typescript133// Flat structure - no logical grouping, hard to reuse134const bucket = new aws.s3.Bucket("app-bucket");135const bucketPolicy = new aws.s3.BucketPolicy("app-bucket-policy", {136    bucket: bucket.id,137    policy: policyDoc,138});139const originAccessIdentity = new aws.cloudfront.OriginAccessIdentity("app-oai");140const distribution = new aws.cloudfront.Distribution("app-cdn", { /* ... */ });141```142 143**Right**:144 145```typescript146interface StaticSiteArgs {147    domain: string;148    content: pulumi.asset.AssetArchive;149}150 151class StaticSite extends pulumi.ComponentResource {152    public readonly url: pulumi.Output<string>;153 154    constructor(name: string, args: StaticSiteArgs, opts?: pulumi.ComponentResourceOptions) {155        super("myorg:components:StaticSite", name, args, opts);156 157        // Resources created here - see practice 4 for parent setup158        const bucket = new aws.s3.Bucket(`${name}-bucket`, {}, { parent: this });159        // ...160 161        this.url = distribution.domainName;162        this.registerOutputs({ url: this.url });163    }164}165 166// Reusable across stacks167const site = new StaticSite("marketing", {168    domain: "marketing.example.com",169    content: new pulumi.asset.FileArchive("./dist"),170});171```172 173**Component best practices**:174 175- Use a consistent type URN pattern: `organization:module:ComponentName`176- Call `registerOutputs()` at the end of the constructor177- Expose outputs as class properties for consumers178- Accept `ComponentResourceOptions` to allow callers to set providers, aliases, etc.179 180For in-depth component authoring guidance (args design, multi-language support, testing, distribution), use skill `pulumi-component`.181 182**Reference**: https://www.pulumi.com/docs/concepts/resources/components/183 184---185 186### 4. Always Set `parent: this` in Components187 188**Why**: When you create resources inside a ComponentResource without setting `parent: this`, those resources appear at the root level of your stack's state. This breaks the logical hierarchy, makes the Pulumi console hard to navigate, and can cause issues with aliases and refactoring. The parent relationship is what makes the component actually group its children.189 190**Detection signals**:191 192- ComponentResource classes that don't pass `{ parent: this }` to child resources193- Resources inside a component appearing at root level in the console194- Unexpected behavior when adding aliases to components195 196**Wrong**:197 198```typescript199class MyComponent extends pulumi.ComponentResource {200    constructor(name: string, opts?: pulumi.ComponentResourceOptions) {201        super("myorg:components:MyComponent", name, {}, opts);202 203        // WRONG: No parent set - this bucket appears at root level204        const bucket = new aws.s3.Bucket(`${name}-bucket`);205    }206}207```208 209**Right**:210 211```typescript212class MyComponent extends pulumi.ComponentResource {213    constructor(name: string, opts?: pulumi.ComponentResourceOptions) {214        super("myorg:components:MyComponent", name, {}, opts);215 216        // RIGHT: Parent establishes hierarchy217        const bucket = new aws.s3.Bucket(`${name}-bucket`, {}, {218            parent: this219        });220 221        const policy = new aws.s3.BucketPolicy(`${name}-policy`, {222            bucket: bucket.id,223            policy: policyDoc,224        }, {225            parent: this226        });227    }228}229```230 231**What parent: this provides**:232 233- Resources appear nested under the component in Pulumi console234- Deleting the component deletes all children235- Aliases on the component automatically apply to children236- Clear ownership in state files237 238**Reference**: https://www.pulumi.com/docs/concepts/resources/components/239 240---241 242### 5. Encrypt Secrets from Day One243 244**Why**: Secrets marked with `--secret` are encrypted in state files, masked in CLI output, and tracked through transformations. Starting with plaintext config and converting later requires credential rotation, reference updates, and audit of leaked values in logs and state history.245 246**Detection signals**:247 248- Passwords, API keys, tokens stored as plain config249- Connection strings with embedded credentials250- Private keys or certificates in plaintext251 252**Wrong**:253 254```bash255# Plaintext - will be visible in state and logs256pulumi config set databasePassword hunter2257pulumi config set apiKey sk-1234567890258```259 260**Right**:261 262```bash263# Encrypted from the start264pulumi config set --secret databasePassword hunter2265pulumi config set --secret apiKey sk-1234567890266```267 268**In code**:269 270```typescript271const config = new pulumi.Config();272 273// This retrieves a secret - the value stays encrypted274const dbPassword = config.requireSecret("databasePassword");275 276// Creating outputs from secrets preserves secrecy277const connectionString = pulumi.interpolate`postgres://user:${dbPassword}@host/db`;278// connectionString is also a secret Output279 280// Explicitly mark values as secret281const computed = pulumi.secret(someValue);282```283 284**Use Pulumi ESC for centralized secrets**:285 286```yaml287# Pulumi.yaml288environment:289  - production-secrets  # Pull from ESC environment290```291 292```bash293# ESC manages secrets centrally across stacks294esc env set production-secrets db.password --secret "hunter2"295```296 297**What qualifies as a secret**:298 299- Passwords and passphrases300- API keys and tokens301- Private keys and certificates302- Connection strings with credentials303- OAuth client secrets304- Encryption keys305 306**References**:307 308- https://www.pulumi.com/docs/concepts/secrets/309- https://www.pulumi.com/docs/esc/310 311---312 313### 6. Use Aliases When Refactoring314 315**Why**: Renaming resources, moving them into components, or changing parents causes Pulumi to see them as new resources. Without aliases, refactoring destroys and recreates resources, potentially causing downtime or data loss. Aliases preserve resource identity through refactors.316 317**Detection signals**:318 319- Resource rename without alias320- Moving resource into or out of a ComponentResource321- Changing the parent of a resource322- Preview shows delete+create when update was intended323 324**Wrong**:325 326```typescript327// Before: resource named "my-bucket"328const bucket = new aws.s3.Bucket("my-bucket");329 330// After: renamed without alias - DESTROYS THE BUCKET331const bucket = new aws.s3.Bucket("application-bucket");332```333 334**Right**:335 336```typescript337// After: renamed with alias - preserves the existing bucket338const bucket = new aws.s3.Bucket("application-bucket", {}, {339    aliases: [{ name: "my-bucket" }],340});341```342 343**Moving into a component**:344 345```typescript346// Before: top-level resource347const bucket = new aws.s3.Bucket("my-bucket");348 349// After: inside a component - needs alias with old parent350class MyComponent extends pulumi.ComponentResource {351    constructor(name: string, opts?: pulumi.ComponentResourceOptions) {352        super("myorg:components:MyComponent", name, {}, opts);353 354        const bucket = new aws.s3.Bucket("bucket", {}, {355            parent: this,356            aliases: [{357                name: "my-bucket",358                parent: pulumi.rootStackResource,  // Was at root359            }],360        });361    }362}363```364 365**Alias types**:366 367```typescript368// Simple name change369aliases: [{ name: "old-name" }]370 371// Parent change372aliases: [{ name: "resource-name", parent: oldParent }]373 374// Full URN (when you know the exact previous URN)375aliases: ["urn:pulumi:stack::project::aws:s3/bucket:Bucket::old-name"]376```377 378**Lifecycle**:379 3801. Add alias during refactor3812. Run `pulumi up` on all stacks3823. Remove alias after all stacks updated (optional, but keeps code clean)383 384**Reference**: https://www.pulumi.com/docs/iac/concepts/resources/options/aliases/385 386---387 388### 7. Preview Before Every Deployment389 390**Why**: `pulumi preview` shows exactly what will be created, updated, or destroyed. Surprises in production come from skipping preview. A resource showing "replace" when you expected "update" means imminent destruction and recreation.391 392**Detection signals**:393 394- Running `pulumi up --yes` interactively without reviewing changes395- No preview step anywhere in the CI/CD workflow for a given change396- Preview output not reviewed before merge or deployment approval397 398**Wrong**:399 400```bash401# Deploying blind402pulumi up --yes403```404 405**Right**:406 407```bash408# Always preview first409pulumi preview410 411# Review the output, then deploy412pulumi up413```414 415**What to look for in preview**:416 417- `+ create` - New resource will be created418- `~ update` - Existing resource will be modified in place419- `- delete` - Resource will be destroyed420- `+-replace` - Resource will be destroyed and recreated (potential downtime)421- `~+-replace` - Resource will be updated, then replaced422 423**Warning signs**:424 425- Unexpected `replace` operations (check for immutable property changes)426- Resources being deleted that shouldn't be427- More changes than expected from your code diff428 429**CI/CD integration**:430 431```yaml432# GitHub Actions example433jobs:434  preview:435    runs-on: ubuntu-latest436    steps:437      - uses: actions/checkout@v4438      - name: Pulumi Preview439        uses: pulumi/actions@v5440        with:441          command: preview442          stack-name: production443        env:444          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}445 446  deploy:447    needs: preview448    runs-on: ubuntu-latest449    if: github.ref == 'refs/heads/main'450    steps:451      - name: Pulumi Up452        uses: pulumi/actions@v5453        with:454          command: up455          stack-name: production456```457 458**PR workflow**:459 460- Run preview on every PR461- Post preview output as PR comment462- Require preview review before merge463- Deploy only on merge to main464 465**References**:466 467- https://www.pulumi.com/docs/cli/commands/pulumi_preview/468- https://www.pulumi.com/docs/iac/packages-and-automation/continuous-delivery/github-actions/469 470---471 472## Quick Reference473 474| Practice | Key Signal | Fix |475|----------|-----------|-----|476| No resources in apply | `new Resource()` inside `.apply()` | Move resource outside, pass Output directly |477| Pass outputs directly | Extracted values used as inputs | Use Output objects, `pulumi.interpolate` |478| Use components | Flat structure, repeated patterns | Create ComponentResource classes |479| Set parent: this | Component children at root level | Pass `{ parent: this }` to all child resources |480| Secrets from day one | Plaintext passwords/keys in config | Use `--secret` flag, ESC |481| Aliases when refactoring | Delete+create in preview | Add alias with old name/parent |482| Preview before deploy | `pulumi up --yes` | Always run `pulumi preview` first |483 484## Validation Checklist485 486When reviewing Pulumi code, verify:487 488- [ ] No resource constructors inside `apply()` callbacks489- [ ] Outputs passed directly to dependent resources490- [ ] Related resources grouped in ComponentResource classes491- [ ] Child resources have `{ parent: this }`492- [ ] Sensitive values use `config.requireSecret()` or `--secret`493- [ ] Refactored resources have aliases preserving identity494- [ ] Deployment process includes preview step495 496## Related Skills497 498- **pulumi-component**: Deep guide to authoring ComponentResource classes, designing args interfaces, multi-language support, testing, and distribution. Use skill `pulumi-component`.499- **pulumi-automation-api**: Programmatic orchestration of multiple stacks. Use skill `pulumi-automation-api`.500- **pulumi-esc**: Centralized secrets and configuration management. Use skill `pulumi-esc`.