Tech Talk: Infrastructure as Code with Pulumi


Tech Talk: Pulumi
Infrastructure as Code with Pulumi

In this tech talk, you will follow along as our IT experts discuss the Pulumi Infrastructure as Code SDK and how it can be used for deployments to any cloud platform using various programming languages. You will learn about the ins and outs of the Pulumi service, how and when to use it, and how it compares with other infrastructure as code tools.

If you have any feedback relating to this tech talk, feel free to get in touch with us at

Learning Objectives

  • Obtain a foundational understanding of Pulumi
  • Learn how to use the service to deploy infrastructure to the cloud
  • Understand the differences between Pulumi and Terraform

Intended Audience

This course is intended for IT professionals or anyone considering using Pulumi to deploy and manage their infrastructure in the cloud.


  • Familiarity with the concept of infrastructure as code
  • Knowledge of JavaScript will be beneficial

- So welcome to the Pulumi Tech Talk. Some key facts about Pulumi. It's for profit and based in Seattle, founded a couple of years ago and the code is all open source. It's built upon Terraform. And they created a bridge that allows you to import Terraform providers. But they've done some cool stuff there where they allow you to do they have these super cool overlays which allow you to do Pulumi specific stuff. So not just a vanilla import, and it's not just a framework it's also hosted service and we'll be talking more about that. Okay, so moving on. You might be wondering, "Why do we need another Infrastructure as Code tool? So their key differentiators are that you can define your infrastructure using any of the four languages that it currently supports. It also allows you to do deep sort of vertically integrated operations in K8s'. So a canonical example to give is, you know, being able to specify deployment and inject a sidecar, so set up like Envoy sidecar or something like that. Yeah and, oh, see, the hosted state backend is probably the biggest differentiator. So I was trying to figure out what their motivations were. And I definitely get the sense that, you know they're trying to empower developers and engineers. Trying to, you know reduce the the overhead of getting something into production. They're also trying to make re-use easier and more likely. I think, you know, it's pretty cool that you can deploy a Pulumi package to NPM. You know, so it could be a private registry but it could also be a public one, which is pretty cool. And yeah, I've seen that with language support. I think the original motivation was that these guys wanted to be able to, they didn't like ACL, we didn't like JSON, they didn't like YAML. And they wanted to be able to use JavaScript basically, I think that was the original motivation. And they added other languages on top of that as well. The idea being that you know, switching between YAML and Heighten or YAML and JavaScript that has a cognitive cost associated with it and it's trying to reduce that. The evolution or revolution here, I think this is actually more evolution than revolution. I think this is just, it's just a continuation of things that are already happening, it's just a sort of next step. But yeah, I'm interested to know what you guys think about that. So here's a really simple example which I'm going to demonstrate for you. And this is a Hello World, Rest API. Yeah, and this is literally all the code. There's obviously dependencies and it's like a step further, this is basically everything. So without further ado I'm just going to get that going. I'm gonna leave the setup here but not much. Actually this is technically proved to what's going on here. So this is the same code we just saw. So what I've done already is create a moving project so that's why you see the STAT bar. So I'm just gonna run Pulumi up. So you can see here, it's gonna create an API gateway. We actually, if we go back to this code that's obviously not mentioned in here, this is actually using some of these fairly new fairly high level as well, just the Pulumi cloud and package. And this is actually more similar to something like Settlers where it's like you know, it's not pieces of infrastructure. It's like, it's more of a solution to a problem. So yeah, if we go back here, I'm going to say "Yes."

- [Man] So with the Pulumi cloud package, is that always targeting AWS? Or how does it know it's going to AWS?

- [Andy] That's a good question. I can configure it. Yes, there's configure option. Yeah, it's a really good question. I definitely definitely it's, well AWS is definitely the most the best supported cloud as alignment say, I think stuff like this wouldn't necessarily work as well with PCP.

- [Man 1] Okay.

- So yeah, that was pretty quick, like 37 seconds. Obviously it's pretty simple stack. So if you just test them, that works. There we go. So that's pretty cool. So obviously it's a bit of a change using code rather than Chasen or Clarity format. Yeah Terraform and Cloud Formation obviously using declarative by design. You know it wasn't, it wasn't randomly chosen to use those formats. So I think it's I think it's still a little bit controversial. I think a lot of people are coming around to it. I haven't used Terraform that much in a production environment. But the experience, the exposure I have had to it, I came across the conditional problem where you know, I just wanted to be able to make a statement and it seems, you know, unreasonable that I couldn't. And I do understand that, you know, HashiCorp, they prefer you to use their modular systems that work around that. Cause you're gonna end up with a better result. But I don't know, I think, I think Pulumi is almost like a direct response to that where, you know, sometimes you just want that you just want to leave a statement and it's just easiest thing to do and the simplest way to solve a problem. Yeah, I don't know if you've had experience with conditionals and HCL where they ask you to do like while you have to do something like if not zero, it's been a while since I've done it, but yeah. And yeah, so the argument for declarative is saying that it forces you to think upfront about what you're doing and how are you going to structure things. And that will result in higher quality, that's the argue for for. Other people say you know, developers know the requirements best and it's you know, they're better off just figuring out as they go along. So I have "Does Pulumi add value?" So the main one is their Hosted State Service. They've obviously made they've made this one of their core competencies. I think this and developing the framework is the two core competencies. Hosting State is actually a, it's surprisingly complex. When you think about it there's a lot of issues. And there's a lot of places where they can have either. CrossGuard is something that's fairly new. It's basically the equivalent of AWS config. I haven't played with it too much, but I, I, if it does what they want, what they say it does, then I think it could be very useful. In fact, I think this is probably a barrier for adoption by large enterprises. So like I can see startups or agencies adopting Pulumi, because it would definitely boost their workload. But I think any established business or large enterprise, they're gonna find gaps when compared to well, compared to something like Cloud Formation, where the state is hidden from you and definitely some, lik Terraform as well. But CrossGuard is obviously an attempt to address that. When you're using Hosted State, you can access the dashboard it's fairly simple. But it is one of those things that you don't get out the box for Terraform. And it's pretty nice to have, I guess. So this is just why I think the pros of Pulumi. Yeah, makes developers more productive. Where I see it being most useful is for those like agency work. So if someone's working on projects like a marketing site and the project's only going to last a couple of months maybe, then they can yeah, they're probably developing a JavaScript. They can set up a static website using Pulumi, whilst they're developing the code. And you know, it can all live in one file, maybe or one small project. And obviously they can use their own IDE and, you know, their code lenses or whatever whilst they're doing that. Yeah I think Pulumi has some potential to be a bit like Docker in that it can reduce the importance of opinions. So one of the great things about Docker is that you could have two developers creating two different microservices that inter-operate with each other and they could be written in different languages, using different frameworks. And it doesn't matter as long as they work together at the end of the day. Pulumi has the potential to be a bit like that, in that you can have people create different parts of infrastructure and they can do it in different languages, you know. And that would basically just reduce the amount of, you know, authoritarian, "You must do things like this" kind of, you know work issues. Loops and conditionals. I definitely think it's an improvement to have them as sort of first class. I do understand that I think Terraform has actually added loops, and they still got really hacky solution for conditionals. I think built upon Terraform is a pro, because I think I, well, I really trust Terraform so that's a big plus in my book. They're adding more languages. I think lot of the languages that are being added are basically being added by the community. When I was looking this up, there is a surprising amount of work going on to add PowerShell. Which wasn't one that I was expecting. But it actually seems to make sense, there was some solid arguments for it. I think you can make the argument that it's that modularity and drive and stuff like that are more advanced in programming languages. So you could apply that to the infrastructure code. Yeah and obviously being built upon Terraform, Pulumi supports running, you know, using parts of infrastructure in Terraform and parts in Pulumi. So that you can either migrate slowly or permanently run parts of your infrastructure in Terraform. And one of the the big events that they tout is that Pulumi is flexible. So they popularized the idea of Micro stacks. I think this comes back to where I was talking about sort of agency work, where you'd have lots of small projects. That's where a Micro stack could live in the gateway pipe and be completely self contained and would work well. I think going back to the side by side thing, where you'd have a good model might be, to have almost like a hub and spoke model, where you have VPC and advanced networking stuff in a monolithic stack. And you have applications and stuff in a, in a Micro stack and you have many of them and they all sort of, you know, feed off the main stack. So what are the cons? Documentation. Yeah, I've definitely found that Terraform docs are better. Particularly difficult to navigate doing your documentation. I never sort of, I don't really understand why. So it's like it's something that they should be able to fix, so hopefully they will. I think I guess the big one is, you know, a lot of people might look at this and think you know, "Do we really want to mix in an infra?" That's I guess an open question. It's it's the it's the, it's the value proposition of Louis. So it's whether you think it's a pro or a con is really quite broad. Pulumi is still young. I haven't seen too many rough edges myself but I, I was reading about this and a lot of people who reported some very non-descriptive error messages. Yeah and obviously in comparison to Terraform, that's a lot more rent. This is probably a big one for enterprises and large companies. If the Pulumi service is down, then your deployments stop. So that's kind of a big risk really. Stack State can be imported or exported. But really, I don't really see that as a solution because if you're doing that all the time then you're basically hosting your own state as well. So yeah. You either trust them I think, it's either all or nothing. You either trust Pulumi to host your state or you don't. And to be fair, Pulumi really does support similar options to Terraform where you can host it yourself on the next three bucket or whatever. Some developers may not want to learn advanced infrastructure. I think particularly BPC, advanced networking stuff, you know, it may not even be a good idea to allow them to do that. Yeah so, what do you guys think?

- Thanks for the talk, Andy. Coming into it I thought that I was more of a competitor to Terraform but it seems like they have the strategy to sort of work with Terraform more so than trying to upend it. So like you said earlier more of an evolution than a revolution. Yeah. Interesting strategy that they had. To me, it sounds more like AWS's CDK where they're putting infrastructure more into code. But I'd like to see what Luke thinks about it given he's our resident Terraform expert.

- Yeah, I agree. The, a lot of the Terraform doing a lot of the logical complexities is pretty muddled. That's why a lot of people up use Terragram, a lot of that logic. But yeah, I think it's pretty slick that it works well with Terraform, so you can do the conditional logic with Pulumi and then before your Terraform, that's pretty cool. One thing that I can see the nice part about Terraform is that it's written in HCL, which is very like readable and easy to pick up. So a lot of like enterprises that use Terraform to like represent their documentation, I can see that having more of a one up versus Pulumi. So yeah, I can see the trade offs for both for sure. It seems Pulumi, you can do a lot more complex things. But yeah, it seems like Terraform is more like team oriented, people that aren't really just getting into coding. Like some of the like system engineers or app engineers that are getting into infrastructure development. I could see it more beneficial for those types of roles, but yeah, I like Pulumi, that's really sweet. How can you like modulize like your, your stack? And I think you're talking about that a little bit or like you have like a stack that's like parametized you can use it in different environments with different parameters and stuff.

- Yeah so, it's quite involved, it creates, Should I stop presenting? By default it creates a deb STAT, and they, things like, so that's like across all environments Yeah, so does that answer the question?

- Yeah to do all that for, like if I wanted to, like, let's say I wanted to deploy a set of servers in one environment but I wanted to deploy like similar servers in another one, and the name of the servers is just going to change. Can I like, parametize that, reuse the same code?

- Yeah, you'd like I think the advantage of Pulumi is that you could do that using the program language.

- Oh awesome.

- So like,

- Thanks.

- You wouldn't, you wouldn't be too, it's no longer a part of the infrastructure is code talk. So you know, it's in other words, message. And then you just train the message here, so anything you can do in code, you can do to parametize it.

- The possibilities are pretty endless.

- Yeah, and I actually agree with you, I really like ACL. I like the fact it's declarative. But you know, a lot of people, obviously just want to be able to use code.

- Yeah the fact that they're I didn't know they're getting PowerShell support.

- Mm hmm.

- That's huge 'cause of the a lot of the Windows folks really they're just all about PowerShell. So that's a huge, huge market right there. That'll be really interesting. 'Cause Azure is all PowerShell. That's going to be really interesting to see the adoption.

- Yeah.

- Andy, just so I'm clear as far as multi cloud support, in that really simple config file, if you change that instead of AWS to Azure, everything would just work directly on Azure? As long as it was supported?

- As long as it's supported, yeah. We can try it now if you want.

- No, it's okay.

- I don't, I don't. Sorry go ahead.

- Sorry. Yeah when I first heard about Terraform that's sorta what I thought it was like. That I could just write the infrastructure once, and I could deploy it anywhere. But then when learned how to actually write Terraform stuff you do still have to know the intricacies of each different cloud. So that this is maybe closer to what I first thought Terraform was going to be.

- Yeah I think maybe if it was just, you know, a static website using object storage maybe that would work well in cloud, but it'd be more complicated than that. Probably isn't going to. Yeah.

- And just, about Sharing State with vanilla Terraform. You said that you can go from Terraform into Pulumi, but does it work both ways? That if you had something in Pulumi could you migrate out into Terraform? Or is there something in the state that Pulumi has that might mess up a vanilla Terraform?

- Yes, it should just be able to import and export well. So one of the interesting things that someone I read when I was researching essence. Even though you know, Pulumi appears to be imperative code rather than declarative, it is just using a Terraform state path because compiled down to that words. So it's just like a graph of resources and technically speaking under the hood it's still character. So yeah, you absolutely can. I think yeah, like there was, there's an import, export option. So you can go back and forth as much as you want.

- Cool. And what does the command workflow look like if you were to update the stack that you deployed. Would it just be another Pulumi up? Or how does it manage the changes?

- Yeah, we can try it. Yeah I mean, it works the same as Terraform. So it's going to preview that, not much has changed. All right, so it says nothing's changed. That's interesting. Cause I changed the message, but yeah, the infrastructure.

- Infrastructure hasn't changed, so.

- Yeah. Well actually the Lambda should have changed, right? 'Cause it's the Lambda that should tell me the message. Hmm. I wonder if we could pause this, oh no it did actually change, there it is. Sorry.

- Okay.

- Let's try that again. And it should change the Lambda. Yeah, and it's also changing changing all that stuff.

- Cool. Luca, you've been a bit quiet.

- I have a question regarding the host of the state. I mean, which is the difference between a user in a free market or a user of the Pulumi simple state? Am I going to lose a certain feature? Or is it the same?

- What, if you hosted yourself? Yeah, like Pulumi would say yes, and I would agree with them. I mean my last job we had a big, I remember sitting in a meeting with we had a big conversation about whether we should use Terraform, if we use Terraform how are we gonna host the state? I think particularly for large companies, it's actually it's a really big deal that you've got to do access control on the state. Pulumi offers check pointing as well. We'll say auditing, there's a lot of things to think about and with the state, the big problem so the big risk is that if it becomes compromised, that's more potentially sensitive information about your infrastructure, that you know, an attacker could use. So yeah, I think, I think there is value there, for sure. It really comes down to how much you trust them. That being said, I mean, if you, if you, if you Skype it properly and host your own state and you know, do it properly then I guess it's really sort of a one time thing. Yeah, I don't know, maybe yeah. What do you think?

- Well, I don't know, Barry you have more power handling your states. And also yeah, if Pulumi is down you can store your infrastructure. But yeah, I don't know in this case. And what about the pricing?

- Pricing, I'm not sure actually let's double check.

- I was wondering that too, 'cause you started off saying that they're for profit, but then it's open source. So I wonder if it's based on the support plan? Or if it's--

- Yeah, it's definitely like, you know, so, so it sounds like they're restricting the number of people that you use the same stack,

- Hm.

- the same stacks at one time. Yeah I mean, that's fair enough to me, you know like hosting the services are free so they gotta charge for it somehow.

- Yeah.

- Yeah, I think they're obviously aiming to be as reliable as or to be perceived as reliable as the cloud providers themselves. So you know, their people trust AWS to be up and they want people to trust them to be up.

- That under the enterprise one, it says self host available. Is that the state site host? Do you have to have enterprise licensing?

- I thought you could self host anyway. That's interesting, yeah. Yeah that's a good point. You can definitely like yeah, I'm not sure what the difference is between that and there's an option to just store the state locally. But if you do that if you do that, like that's free, if you do that you could just put that on as three, you know. I suppose you'd have to sink it down. I don't know how they restrict that.

- They are going to make you use a password and entire feature for you someplace.

- Yeah, yeah.

- You mean like regulatory requirements. If you have to keep the state on your own servers. It's kind of like Terraform Enterprise too, I guess, isn't it?

- Yeah, that's how I'm thinking of it.

- What's Terraform Enterprise like?

- So it's like you know, Terraform cloud. It's like their cloud hosted solution for storing state. And you can do some other stuff, like you can kick off the deployments and automate payments with it. But they also have that product on prem where you can host it in your own isolated environment. So then that, that product is called Terraform Enterprise. So I'm guessing it's the same thing. Maybe they're giving like a Pulumi Enterprise product that you can install on prem or in an isolated environment and use like the dashboard and stuff.

- All right, cool. It sounds like they're doing CICD as well then. I'll have to have a look at that.

- Yep you can, for Terraform cloud, you can hook it up to like get up and do triggers on whole and stuff. You like get ops workflows and stuff. And they just added like a policy compliance. It's called Terraform Sentinel. So yeah, it's interesting.

- That'd be similar to that'd be similar to CrossGuard then. So they're probably more similar than I thought. Like Terraform and Pulumi.

- Yeah.

- I think we'll wrap it up there. So thanks again, Andy, for the presentation and the demo and everyone for contributing to the discussion. Okay, thanks a lot guys, have a good day.

- Cool, thanks guys.

- Bye.

About the Author
Learning Paths

Andrew is a Labs Developer with previous experience in the Internet Service Provider, Audio Streaming, and CryptoCurrency industries. He has also been a DevOps Engineer and enjoys working with CI/CD and Kubernetes.

He holds multiple AWS certifications including Solutions Architect Associate and Professional.