Pulumi SDK
Infrastructure as Code platform using real programming languages (TypeScript, Python, Go, C#, Java) instead of YAML/DSL. Deploy cloud resources (AWS, Azure, GCP, Kubernetes, 100+ providers) using familiar language features — conditionals, loops, functions, and type checking. Supports both declarative stacks and Pulumi Automation API for programmatic IaC from agent code.
Score Breakdown
🔒 Security
Pulumi ESC for secrets management. State files may contain sensitive resource outputs — encrypt state backend. SOC2 Type II certified. OIDC federation for CI/CD environments avoids long-lived credentials.
Best When
You want to manage cloud infrastructure using real programming languages with full type checking, IDE support, and Automation API for programmatic deployment from agent code.
Avoid When
Your team is fully invested in Terraform/OpenTofu — Pulumi is a different paradigm; migration is possible but costly.
Use Cases
- Provision cloud infrastructure for agent deployments programmatically using Pulumi Automation API from Python or TypeScript code
- Define agent runtime environments (Lambda, Fargate, Kubernetes) as typed TypeScript/Python infrastructure code
- Build self-service infrastructure agents that create and destroy cloud resources on demand via Pulumi Automation API
- Manage agent data infrastructure (S3 buckets, databases, queues) with drift detection and automated remediation
- Test infrastructure changes in ephemeral Pulumi stacks before promoting to production agent environments
Not For
- Teams committed to Terraform — Pulumi has a Terraform migration path but is not Terraform-compatible; existing Terraform codebases require migration
- Simple single-resource deployments — AWS CDK, CloudFormation, or Terraform may be the lighter-weight choice for such cases
- Applications requiring air-gapped environments without Pulumi state backend access — self-hosted backends require additional setup
Interface
Authentication
PULUMI_ACCESS_TOKEN environment variable for Pulumi Cloud backend. OIDC support for CI/CD environments. Cloud credentials (AWS, Azure, GCP) configured separately via cloud provider auth.
Pricing
Free tier generous for small teams. Self-hosted backend (S3, Azure Blob, local) is always free with OSS Pulumi. Cloud backend adds history, drift detection, and collaboration.
Known Gotchas
- ⚠ Pulumi Automation API runs in-process — the stack program executes in the same process as the calling agent; panics/exceptions in the program crash the agent process
- ⚠ State file locking prevents concurrent stack updates — running multiple Automation API updates on the same stack simultaneously deadlocks; use one update at a time per stack
- ⚠ Cloud provider credentials must be available when Automation API runs — the agent must have AWS/Azure/GCP credentials configured in its execution environment
- ⚠ Dynamic providers and resource transforms can produce state drift that requires manual state manipulation (pulumi state delete) — test dynamic providers thoroughly before production use
- ⚠ Stack outputs are only available after a successful up() call — previews don't compute output values; agent code must handle missing output values during preview
- ⚠ Pulumi programs can inadvertently destroy resources if the program changes which resources are declared — always run preview before up() in production agent automations
Full Evaluation Report
Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Pulumi SDK.
Scores are editorial opinions as of 2026-03-06.