Pulumi · DevOps & CI/CD Deep Dive

Anatomy

The Building Blocks

Project — a folder with code that constructs cloud resources.
Stack — a deployable instance of the project (dev, staging, prod), each with its own state and config.
Resources — instantiated as language objects (new aws.s3.Bucket("data", {...})).
Outputs & Inputs — promise-like values that thread through the resource graph.
Component resources — reusable abstractions (e.g., "a hardened RDS").
State backend — Pulumi Cloud (default), or self-host on S3/Azure Blob/etc.

Why Real Code

Loops & conditionals are just for and if — no HCL for_each gymnastics.
Type-safe APIs — full IntelliSense on every resource and property.
Unit tests with your normal test framework; mock providers for fast loops.
Package and share abstractions on npm/PyPI — no module registry to learn.
Secrets are first class — encrypted in state, decrypted only when needed.
Crosswalk libraries ("awsx", "eks") wrap common patterns at higher abstraction.

Tradeoffs

Smaller community than Terraform — fewer Stack Overflow answers, fewer ready modules.
Pulumi Cloud pricing can sneak up; self-hosted backends are an option but more ops.
Code = power = footgun. "Just write a loop" can also "just delete prod." Code review matters more, not less.
Output values are promises — chain with .apply(); can confuse newcomers.
Cross-team standardization needs discipline — every language allows different idioms.

Continue