playbooks

home / skills / pproenca / dot-skills / pulumi

pulumi skill

/skills/.experimental/pulumi

This skill helps optimize Pulumi code for performance and reliability by applying best practices across state, graphs, components, secrets, and CI workflows.

npx playbooks add skill pproenca/dot-skills --skill pulumi

Review the files below or copy the command above to add this skill to your agents.

Files (52)
SKILL.md
5.3 KB
---
name: pulumi
description: Pulumi infrastructure as code performance and reliability guidelines. This skill should be used when writing, reviewing, or refactoring Pulumi code to ensure optimal deployment performance and infrastructure reliability. Triggers on tasks involving Pulumi stacks, components, state management, secrets configuration, resource lifecycle options, or CI/CD automation.
---

# Pulumi Best Practices

Comprehensive performance and reliability guide for Pulumi infrastructure as code, designed for AI agents and LLMs. Contains 46 rules across 8 categories, prioritized by impact to guide automated refactoring and code generation.

## When to Apply

Reference these guidelines when:
- Writing new Pulumi infrastructure code
- Designing component abstractions for reuse
- Configuring secrets and sensitive values
- Organizing stacks and cross-stack references
- Setting up CI/CD pipelines for infrastructure

## Rule Categories by Priority

| Priority | Category | Impact | Prefix |
|----------|----------|--------|--------|
| 1 | State Management and Backend | CRITICAL | `pstate-` |
| 2 | Resource Graph Optimization | CRITICAL | `graph-` |
| 3 | Component Design | HIGH | `pcomp-` |
| 4 | Secrets and Configuration | HIGH | `secrets-` |
| 5 | Stack Organization | MEDIUM-HIGH | `stack-` |
| 6 | Resource Options and Lifecycle | MEDIUM | `lifecycle-` |
| 7 | Testing and Validation | MEDIUM | `test-` |
| 8 | Automation and CI/CD | LOW-MEDIUM | `auto-` |

## Quick Reference

### 1. State Management and Backend (CRITICAL)

- `pstate-backend-selection` - Use managed backend for production stacks
- `pstate-checkpoint-skipping` - Enable checkpoint skipping for large stacks
- `pstate-stack-size` - Keep stacks under 500 resources
- `pstate-refresh-targeting` - Use targeted refresh instead of full stack
- `pstate-export-import` - Use state export/import for migrations
- `pstate-import-existing` - Import existing resources before managing

### 2. Resource Graph Optimization (CRITICAL)

- `graph-parallel-resources` - Structure resources for maximum parallelism
- `graph-output-dependencies` - Use outputs to express true dependencies
- `graph-explicit-depends` - Use dependsOn only for external dependencies
- `graph-avoid-apply-side-effects` - Avoid side effects in apply functions
- `graph-conditional-resources` - Use conditional logic at resource level
- `graph-stack-references-minimal` - Minimize stack reference depth

### 3. Component Design (HIGH)

- `pcomp-component-resources` - Use ComponentResource for reusable abstractions
- `pcomp-parent-child` - Pass parent option to child resources
- `pcomp-unique-naming` - Use name prefix pattern for unique resource names
- `pcomp-register-outputs` - Register component outputs explicitly
- `pcomp-multi-language` - Design components for multi-language consumption
- `pcomp-transformations` - Use transformations for cross-cutting concerns

### 4. Secrets and Configuration (HIGH)

- `secrets-use-secret-config` - Use secret config for sensitive values
- `secrets-avoid-state-exposure` - Prevent secret leakage in state
- `secrets-external-providers` - Use external secret managers for production
- `secrets-generate-random` - Generate secrets with random provider
- `secrets-provider-rotation` - Rotate secrets provider when team members leave
- `secrets-environment-isolation` - Isolate secrets by environment

### 5. Stack Organization (MEDIUM-HIGH)

- `stack-separation-by-lifecycle` - Separate stacks by deployment lifecycle
- `stack-references-parameterized` - Parameterize stack references
- `stack-output-minimal` - Export only required outputs
- `stack-naming-conventions` - Use consistent stack naming convention

### 6. Resource Options and Lifecycle (MEDIUM)

- `lifecycle-protect-stateful` - Protect stateful resources
- `lifecycle-delete-before-replace` - Use deleteBeforeReplace for unique constraints
- `lifecycle-retain-on-delete` - Use retainOnDelete for shared resources
- `lifecycle-ignore-changes` - Use ignoreChanges for externally managed properties
- `lifecycle-replace-on-changes` - Use replaceOnChanges for immutable dependencies
- `lifecycle-aliases` - Use aliases for safe resource renaming
- `lifecycle-custom-timeouts` - Set custom timeouts for long-running resources

### 7. Testing and Validation (MEDIUM)

- `test-unit-mocking` - Use mocks for fast unit tests
- `test-property-policies` - Use policy as code for property testing
- `test-integration-ephemeral` - Use ephemeral stacks for integration tests
- `test-preview-assertions` - Assert on preview results before deployment
- `test-stack-reference-mocking` - Mock stack references in unit tests

### 8. Automation and CI/CD (LOW-MEDIUM)

- `auto-automation-api-workflows` - Use Automation API for complex workflows
- `auto-inline-programs` - Use inline programs for dynamic infrastructure
- `auto-ci-cd-preview` - Run preview in PR checks
- `auto-deployments-api` - Use Pulumi Deployments for GitOps
- `auto-review-stacks` - Use review stacks for PR environments
- `auto-drift-detection` - Enable drift detection for production

## How to Use

Read individual reference files for detailed explanations and code examples:

- [Section definitions](references/_sections.md) - Category structure and impact levels
- [Rule template](assets/templates/_template.md) - Template for adding new rules

## Full Compiled Document

For the complete guide with all rules expanded: `AGENTS.md`

Overview

This skill provides Pulumi infrastructure-as-code performance and reliability guidelines to apply when authoring, reviewing, or refactoring Pulumi code. It prioritizes critical practices for state management and resource graph optimization, then covers component design, secrets handling, stack organization, lifecycle options, testing, and CI/CD automation. Use it to reduce deployment time, avoid state corruption, and make stacks maintainable and secure.

How this skill works

The skill inspects Pulumi-related tasks and recommends targeted rules and patterns to improve deployments and reliability. It flags state backend choices, resource graph structure, component boundaries, secrets handling, lifecycle options, testing approaches, and automation patterns. Recommendations map to short, actionable rules (prefixed by category) so an agent can apply changes or generate code with predictable impact.

When to use it

  • Writing new Pulumi stacks or resources
  • Designing reusable ComponentResources or multi-stack architectures
  • Refactoring code that causes slow or serialized deployments
  • Configuring secrets, providers, or backend state for production
  • Creating CI/CD pipelines and preview/automation workflows

Best practices

  • Use a managed or remote backend for production state and enable checkpoint skipping for very large stacks (pstate-*)
  • Structure resources for maximum parallelism and rely on outputs for dependencies rather than implicit side effects (graph-*)
  • Encapsulate reusable patterns in ComponentResource, pass parent options, register outputs, and use aliases for safe renames (pcomp-*, lifecycle-*)
  • Store secrets in secret config or external secret managers and avoid writing secrets into state or logs; rotate providers and isolate by environment (secrets-*)
  • Separate stacks by lifecycle/purpose, keep exported outputs minimal, and parameterize stack references to reduce coupling (stack-*)
  • Use ignoreChanges, deleteBeforeReplace, retainOnDelete, and custom timeouts where appropriate; protect stateful resources and prefer targeted refresh when possible (lifecycle-*)

Example use cases

  • Migrate an on-premises statefile to a managed backend and enable checkpoint skipping for a large stack
  • Refactor a monolithic stack into lifecycle-separated stacks with minimal stack references
  • Design a reusable ComponentResource with explicit outputs, parent/child relationships, and multi-language support
  • Replace secrets in code with external secret manager integrations and rotate secrets provider on offboarding
  • Add CI checks to run Pulumi preview in PRs, use review stacks for ephemeral environments, and enable drift detection for prod

FAQ

Which rule category should I start with for high-risk stacks?

Start with State Management and Resource Graph Optimization (pstate-*, graph-*). These deliver the largest reductions in deployment time and the greatest improvements to state safety.

How do I minimize downtime for immutable-resource changes?

Use lifecycle options such as deleteBeforeReplace, retainOnDelete, aliases, and replaceOnChanges to control replacement behavior and preserve critical resources during updates.