Pulumi resource Generator (TS)

Pulumi resources in depth: IaC in real languages, stacks, outputs and components

Pulumi is an Infrastructure as Code platform founded in 2017 by Joe Duffy (formerly leading Microsoft's .NET languages team). Its bet is the opposite of Terraform: instead of inventing a configuration DSL, you describe infrastructure in real general-purpose languages — TypeScript, JavaScript, Python, Go, C#/.NET, Java, or YAML — and a thin runtime turns the resource graph your code constructs into actual cloud calls. You get loops, conditionals, abstractions, classes, async, types, IDE refactoring and your favorite package manager for free.

The vocabulary maps cleanly to Terraform: project (a directory with Pulumi.yaml), stack (an instance of the project — dev, staging, prod, each with its own config and state), resource (a thing to create), provider (plugin per cloud). The Pulumi runtime and CLI are open source; state lives in a backend — Pulumi Cloud (free for individuals, paid for teams) or self-hosted on S3/GCS/Azure Blob.

Resource syntax (TypeScript)

import * as aws from "@pulumi/aws";
import * as pulumi from "@pulumi/pulumi";

const cfg = new pulumi.Config();
const env = pulumi.getStack();

const bucket = new aws.s3.Bucket("my-bucket", {
  acl: "private",
  versioning: { enabled: true },
  tags: { Environment: env, ManagedBy: "pulumi" },
});

export const bucketName = bucket.id;
export const bucketArn  = bucket.arn;

The first string ("my-bucket") is the logical name Pulumi tracks in state. The acl, versioning, tags object literal is the resource args — same shape as the underlying provider. Exports become outputs you can read with pulumi stack output.

Outputs and the async nature of resources

Any value that Pulumi only knows after the cloud responds (an ARN, an IP, a generated ID) is wrapped in Output<T>. You cannot use them as plain strings — you compose with .apply(v => ...) or template strings via pulumi.interpolate:

const url = pulumi.interpolate`https://${bucket.bucketRegionalDomainName}`;
const policy = bucket.arn.apply(arn => JSON.stringify({
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Resource: arn, Action: "s3:GetObject" }]
}));

Outputs preserve dependency tracking — Pulumi will not try to create the policy before the bucket exists, because the policy depends on the bucket's Output.

Components and crosswalk

Component resources are classes that encapsulate multiple primitive resources behind a clean API — Pulumi's answer to Terraform modules, but using language-native OOP. You publish them as npm/PyPI packages and consume them like any library. Crosswalk (@pulumi/awsx, @pulumi/eks) bundles best-practice components for common patterns: a VPC with sensible defaults, an EKS cluster with managed node groups, an ECS service behind an ALB.

State, stacks and secrets

• State is per-stack and lives in the backend you pick at pulumi login.
• Pulumi Cloud has free tier for individuals (200 resources max); paid for teams adds RBAC, audit log, SSO, deployments.
• Self-host on s3://bucket, gs://bucket, azblob://container, or a local file (not recommended for teams).
• Secrets are encrypted in-state out of the box (pulumi config set --secret) — no plugin needed.
• Configuration is per-stack: Pulumi.dev.yaml, Pulumi.prod.yaml.

Workflow and CI

• pulumi stack init dev — create a new stack.
• pulumi preview — equivalent of terraform plan.
• pulumi up — apply changes (with confirmation, or --yes in CI).
• pulumi destroy — delete everything in the stack.
• pulumi import — bring an existing cloud resource under Pulumi management.
• Pulumi Deployments runs up from a Git push without needing your own CI runner.

FAQ

Can I use Pulumi alongside an existing Terraform codebase? Yes. Run tf2pulumi to translate HCL to Pulumi code, or use the Terraform Bridge to consume Terraform modules from Pulumi. State is incompatible (different serialization), but resources can be imported with pulumi import.

Pulumi vs Terraform — which should I pick? Terraform/OpenTofu has the largest provider ecosystem and the largest existing module library; Pulumi is more pleasant when your team writes a lot of code (loops, abstractions, types, IDE help). Pulumi also handles secrets natively. Pick Pulumi when most of your team is comfortable with TS/Python; pick Terraform when you want the path most travelled.

Pulumi vs AWS CDK? CDK is AWS-only (with CDK for Terraform as a multi-cloud bridge). Pulumi is multi-cloud from day one with the same SDK shape. If you only run on AWS, CDK is excellent and free; if you span clouds, Pulumi is the more natural fit.

Is the pricing fair? Pulumi Cloud is free for individuals up to 200 resources, which covers most personal projects. Team and Enterprise tiers are usage-based; self-hosted backends remove that cost entirely at the price of running your own state store and losing the UI.

How do I avoid leaking secrets in state? Mark them with pulumi config set --secret; they are encrypted with the stack's passphrase or KMS key and stay encrypted in state. Avoid printing them via console.log — use pulumi.secret() on derived outputs to keep the secret marker.