<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0"><channel><title>Pulumi Blog: Arun Loganathan</title><link>https://www.pulumi.com/blog/author/arun-loganathan/</link><description>Pulumi blog posts: Arun Loganathan.</description><language>en-us</language><pubDate>Fri, 22 May 2026 00:00:00 +0000</pubDate><item><title>Introducing pulumi do: Direct Resource Operations for Any Cloud</title><link>https://www.pulumi.com/blog/pulumi-do-direct-resource-operations/</link><pubDate>Fri, 22 May 2026 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/pulumi-do-direct-resource-operations/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/pulumi-do-direct-resource-operations/index.png" /&gt;
&lt;p&gt;Infrastructure as code is the right model for production systems. State tracking, drift detection, and repeatable deployments all matter when you&amp;rsquo;re managing real workloads.&lt;/p&gt;
&lt;p&gt;But sometimes, you also need a quick, one-off interaction with the cloud: create a bucket or a database, look up a VPC, delete a stray resource.&lt;/p&gt;
&lt;p&gt;Today we&amp;rsquo;re introducing &lt;code&gt;pulumi do&lt;/code&gt;, a new command for direct resource operations. With &lt;code&gt;pulumi do&lt;/code&gt;, you can create, read, update, delete, and query any cloud resource from the terminal with a single command, across thousands of Pulumi-supported providers — no project, code, or state required.&lt;/p&gt;
&lt;h2 id="the-problem-sometimes-iac-is-more-than-you-need"&gt;The problem: Sometimes IaC is more than you need&lt;/h2&gt;
&lt;p&gt;When you&amp;rsquo;re managing production workloads, IaC is the proven solution. Code lets you declare complex systems, state tracking catches drift before it becomes a problem, dependency graphs sequence changes safely, and policy keeps everything in bounds. That full lifecycle, especially with the backing of a platform like Pulumi Cloud, is exactly what you want to build systems that scale.&lt;/p&gt;
&lt;p&gt;But when you (or your coding agent) need an ad-hoc Postgres database, the simplest path with IaC still takes several steps: make a directory, create a project, configure your credentials, write the code, preview, deploy. It works, but it&amp;rsquo;s not always necessary for what should be a simple operation. &lt;code&gt;pulumi do&lt;/code&gt; collapses all of those steps into one, using the same Pulumi providers, resource model, and ecosystem that powers the core Pulumi platform.&lt;/p&gt;
&lt;p&gt;Resource creation is also only part of the problem. As Joe laid out in &lt;a href="https://www.pulumi.com/blog/the-agentic-infrastructure-era/"&gt;The Agentic Infrastructure Era&lt;/a&gt;, the real challenge for AI agents isn&amp;rsquo;t with code or CLI commands, it&amp;rsquo;s with everything else: getting a cloud account, resolving credentials, wiring configuration across multiple services. &lt;a href="https://www.pulumi.com/docs/administration/organizations-teams/agent-accounts/"&gt;Agent accounts&lt;/a&gt;, also &lt;a href="https://www.pulumi.com/releases/agentic-infrastructure-era/"&gt;released this week&lt;/a&gt;, simplify this by letting an agent provision its own ephemeral Pulumi Cloud account, and &lt;a href="https://www.pulumi.com/docs/esc/"&gt;Pulumi ESC&lt;/a&gt; takes care of consolidating credentials across providers. Together, with &lt;code&gt;pulumi do&lt;/code&gt;, agents can now go from zero to deployed infrastructure without requiring a human in the loop — and when that one-off resource needs to grow into a more permanent system, there&amp;rsquo;s a clear graduation path back to full Pulumi IaC.&lt;/p&gt;
&lt;h2 id="what-it-looks-like"&gt;What it looks like&lt;/h2&gt;
&lt;p&gt;As an example, say you wanted to provision an S3 bucket. With the AWS CLI, you&amp;rsquo;d need to assemble an &lt;code&gt;aws s3api create-bucket&lt;/code&gt; invocation with the right set of command-line flags, region constraints, a globally unique name, and so on. With &lt;code&gt;pulumi do&lt;/code&gt;, it&amp;rsquo;s just this:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ pulumi &lt;span class="k"&gt;do&lt;/span&gt; aws:s3:Bucket create
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;That might not look all that different on the surface — but because you&amp;rsquo;re using the Pulumi engine and resource model, you can provide a minimal set of input properties, take advantage of provider-defined defaults, and use Pulumi&amp;rsquo;s &lt;a href="https://www.pulumi.com/docs/iac/concepts/resources/names/"&gt;auto-naming&lt;/a&gt; feature to give the bucket a unique name automatically:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ pulumi &lt;span class="k"&gt;do&lt;/span&gt; aws:s3:Bucket create
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;This will create aws:s3/bucket:Bucket with the following inputs:
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="o"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;bucket&amp;#34;&lt;/span&gt;: &lt;span class="s2"&gt;&amp;#34;bucket-279ea56&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;tagsAll&amp;#34;&lt;/span&gt;: &lt;span class="o"&gt;{}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="o"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Please confirm that this is what you&lt;span class="err"&gt;&amp;#39;&lt;/span&gt;d like to &lt;span class="k"&gt;do&lt;/span&gt; by typing &lt;span class="sb"&gt;`&lt;/span&gt;yes&lt;span class="sb"&gt;`&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Answer &lt;code&gt;yes&lt;/code&gt; (or just pass &lt;code&gt;--yes&lt;/code&gt;), and you&amp;rsquo;re done. To delete the bucket:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ pulumi &lt;span class="k"&gt;do&lt;/span&gt; aws:s3:Bucket delete bucket-279ea56 --yes
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Need to look up an existing resource? Use a &lt;a href="https://www.pulumi.com/docs/iac/concepts/functions/provider-functions/"&gt;provider function&lt;/a&gt;:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ pulumi &lt;span class="k"&gt;do&lt;/span&gt; aws:ec2:getVpc --default
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="o"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;arn&amp;#34;&lt;/span&gt;: &lt;span class="s2"&gt;&amp;#34;arn:aws:ec2:us-west-2:663782525873:vpc/vpc-d7b311af&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;cidrBlock&amp;#34;&lt;/span&gt;: &lt;span class="s2"&gt;&amp;#34;172.31.0.0/16&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;enableDnsHostnames&amp;#34;&lt;/span&gt;: true,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;enableDnsSupport&amp;#34;&lt;/span&gt;: true,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;enableNetworkAddressUsageMetrics&amp;#34;&lt;/span&gt;: false,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;id&amp;#34;&lt;/span&gt;: &lt;span class="s2"&gt;&amp;#34;vpc-d7b311af&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; ...
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="o"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Same CLI, same output contract, same provider ecosystem.&lt;/p&gt;
&lt;h3 id="the-command-shape"&gt;The command shape&lt;/h3&gt;
&lt;p&gt;The &lt;code&gt;do&lt;/code&gt; command accepts a Pulumi resource type, or &lt;a href="https://www.pulumi.com/docs/iac/concepts/resources/names/#types"&gt;&lt;em&gt;type token&lt;/em&gt;&lt;/a&gt;, to determine the action to take. Type tokens have the form &lt;code&gt;&amp;lt;package:module:resource&amp;gt;&lt;/code&gt;. For example, &lt;code&gt;aws:s3:Bucket&lt;/code&gt; refers to the &lt;a href="https://www.pulumi.com/registry/packages/aws/api-docs/s3/bucket/"&gt;Amazon S3 Bucket resource&lt;/a&gt; that belongs to the &lt;code&gt;s3&lt;/code&gt; module of the &lt;code&gt;aws&lt;/code&gt; package.&lt;/p&gt;
&lt;p&gt;You can also provide a portion of the token to help you find what you&amp;rsquo;re looking for without ever having to leave the terminal:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ pulumi &lt;span class="k"&gt;do&lt;/span&gt; aws:s3
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Functions and resources &lt;span class="k"&gt;for&lt;/span&gt; the s3 module.
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Run &lt;span class="s1"&gt;&amp;#39;pulumi do &amp;lt;module/resource/function&amp;gt; --help&amp;#39;&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; more details on usage.
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Functions:
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; aws:s3:getAccessPoint
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; aws:s3:getAccountPublicAccessBlock
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; aws:s3:getBucket
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; aws:s3:getBucketObject
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; ...
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Resources:
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; aws:s3:AccessPoint
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; aws:s3:AccountPublicAccessBlock
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; aws:s3:AnalyticsConfiguration
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; aws:s3:Bucket
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; ...
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ pulumi &lt;span class="k"&gt;do&lt;/span&gt; aws:s3:Bucket &lt;span class="nb"&gt;read&lt;/span&gt; bucket-d20976f
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="o"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;arn&amp;#34;&lt;/span&gt;: &lt;span class="s2"&gt;&amp;#34;arn:aws:s3:::bucket-d20976f&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;bucket&amp;#34;&lt;/span&gt;: &lt;span class="s2"&gt;&amp;#34;bucket-d20976f&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;bucketDomainName&amp;#34;&lt;/span&gt;: &lt;span class="s2"&gt;&amp;#34;bucket-d20976f.s3.amazonaws.com&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;bucketNamespace&amp;#34;&lt;/span&gt;: &lt;span class="s2"&gt;&amp;#34;global&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; ...
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="o"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The package, module, and resource/function segments all come directly from the Pulumi provider schema, so &lt;code&gt;--help&lt;/code&gt; works at every level of the tree. Pass a package name, optional module, and optional function or resource type, and &lt;code&gt;do&lt;/code&gt; returns the appropriate level of detail.&lt;/p&gt;
&lt;p&gt;You can also provide the input properties of a resource in a YAML or JSON file with the &lt;code&gt;--input&lt;/code&gt; option. To create a container service in Google Cloud Run for example:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c"&gt;# service.yaml&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;location&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;us-central1&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;deletionProtection&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;false&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;template&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;containers&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="nt"&gt;image&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;us-docker.pkg.dev/cloudrun/container/hello&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ pulumi &lt;span class="k"&gt;do&lt;/span&gt; gcp:cloudrunv2:Service create &lt;span class="se"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; --input yaml &lt;span class="se"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; --input-file service.yaml
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;This will create gcp:cloudrunv2/service:Service with the following inputs:
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="o"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;deletionProtection&amp;#34;&lt;/span&gt;: false,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;location&amp;#34;&lt;/span&gt;: &lt;span class="s2"&gt;&amp;#34;us-central1&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;name&amp;#34;&lt;/span&gt;: &lt;span class="s2"&gt;&amp;#34;service-b8af752&amp;#34;&lt;/span&gt;,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;template&amp;#34;&lt;/span&gt;: &lt;span class="o"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;containers&amp;#34;&lt;/span&gt;: &lt;span class="o"&gt;[&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="o"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;image&amp;#34;&lt;/span&gt;: &lt;span class="s2"&gt;&amp;#34;us-docker.pkg.dev/cloudrun/container/hello&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="o"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="o"&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="o"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="o"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The result:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-json" data-lang="json"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;createTime&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;2026-05-22T23:00:22.415839Z&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="err"&gt;...&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;urls&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;https://service-b8af752-921927215178.us-central1.run.app&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;https://service-b8af752-ctnulmzwoa-uc.a.run.app&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="resource-operations"&gt;Resource operations&lt;/h3&gt;
&lt;p&gt;Most resources support the full set of CRUD operations — create, read, update, delete, and list — directly from the CLI. Each operation maps to a provider CRUD method using the same provider logic a full Pulumi program would use, and resources are addressable by their cloud provider IDs:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# Create a resource&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ pulumi &lt;span class="k"&gt;do&lt;/span&gt; aws:s3:Bucket create --yes &lt;span class="p"&gt;|&lt;/span&gt; jq -r &lt;span class="s2"&gt;&amp;#34;.name&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;bucket-4f5cb22
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# Fetch it&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ pulumi &lt;span class="k"&gt;do&lt;/span&gt; aws:s3:Bucket &lt;span class="nb"&gt;read&lt;/span&gt; bucket-4f5cb22 &lt;span class="p"&gt;|&lt;/span&gt; jq -r &lt;span class="s2"&gt;&amp;#34;.hostedZoneId&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Z3BJ6K6RIION7M
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# Update/patch it&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ pulumi &lt;span class="k"&gt;do&lt;/span&gt; aws:s3:Bucket patch bucket-4f5cb22 --input yaml --input-file tags.yaml
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ pulumi &lt;span class="k"&gt;do&lt;/span&gt; aws:s3:Bucket &lt;span class="nb"&gt;read&lt;/span&gt; bucket-4f5cb22 &lt;span class="p"&gt;|&lt;/span&gt; jq &lt;span class="s2"&gt;&amp;#34;.tags&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="o"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;key&amp;#34;&lt;/span&gt;: &lt;span class="s2"&gt;&amp;#34;value&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="o"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# Delete it&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ pulumi &lt;span class="k"&gt;do&lt;/span&gt; aws:s3:Bucket delete bucket-4f5cb22
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="provider-configuration"&gt;Provider configuration&lt;/h3&gt;
&lt;p&gt;Today, &lt;code&gt;pulumi do&lt;/code&gt; resolves provider configuration — for example, applying your AWS credentials — using environment variables or credential files as supported by each individual Pulumi provider. See the &lt;a href="https://www.pulumi.com/registry/"&gt;Pulumi Registry&lt;/a&gt; for provider-specific configuration details.&lt;/p&gt;
&lt;h2 id="designed-for-humans-and-agents"&gt;Designed for humans and agents&lt;/h2&gt;
&lt;p&gt;We&amp;rsquo;ve designed &lt;code&gt;pulumi do&lt;/code&gt; to serve humans and coding agents equally well, guided by three fundamental ideas:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Consistent command structure across every provider.&lt;/strong&gt; The &lt;code&gt;do &amp;lt;package:module:type&amp;gt; &amp;lt;operation&amp;gt;&lt;/code&gt; pattern is the same for AWS, Azure, Google Cloud, Kubernetes, Cloudflare, Datadog, and every provider, including packages containing higher-level &lt;a href="https://www.pulumi.com/docs/iac/concepts/components/"&gt;component resources&lt;/a&gt;. Once an agent learns that pattern, it applies across the board.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Predictable output contract.&lt;/strong&gt; JSON on stdout, progress on stderr, consistent exit codes. An agent can parse the result programmatically without scraping human-formatted tables.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;A single CLI command that works across every cloud.&lt;/strong&gt; Many cloud and SaaS providers don&amp;rsquo;t have a full CLI at all. &lt;code&gt;pulumi do&lt;/code&gt; generates commands from the provider schema, so if a Pulumi provider exists for it, the CLI just works. Neither humans nor agents need to install, learn, or even know about cloud provider-specific tooling.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="whats-next"&gt;What&amp;rsquo;s next&lt;/h2&gt;
&lt;p&gt;Resource operations and provider functions are the foundation. The &lt;code&gt;pulumi do&lt;/code&gt; roadmap extends the same direct-operation model with credential management, state tracking, and a path to full IaC.&lt;/p&gt;
&lt;h3 id="unified-credentials-with-pulumi-esc"&gt;Unified credentials with Pulumi ESC&lt;/h3&gt;
&lt;p&gt;One of the hardest parts of multi-cloud operations is credential management. Every provider has its own authentication scheme, environment variables, and session lifecycle. An agent working across AWS, Cloudflare, and Datadog today manages three separate credential mechanisms.&lt;/p&gt;
&lt;p&gt;We&amp;rsquo;re building &lt;a href="https://www.pulumi.com/docs/esc/"&gt;Pulumi ESC&lt;/a&gt; integration into &lt;code&gt;pulumi do&lt;/code&gt; so you can manage credentials in one place and resolve them everywhere. ESC handles credential resolution (including OIDC-based dynamic credential generation and short-lived tokens) across all of your providers. Name the credential set, reference it, and ESC does the rest, with rotation, RBAC, and audit built in.&lt;/p&gt;
&lt;h3 id="cross-resource-references"&gt;Cross-resource references&lt;/h3&gt;
&lt;p&gt;Real infrastructure has dependencies — subnets need VPCs, security group rules need their security groups, and so on. When you&amp;rsquo;re building resources one at a time, those references need to flow between commands somehow.&lt;/p&gt;
&lt;p&gt;A future version of &lt;code&gt;pulumi do&lt;/code&gt; will let resource inputs reference outputs from previously created resources, allowing the CLI to resolve them automatically and preserve the dependency graph. Later, when the time comes to graduate to a full IaC program, the generated code contains proper resource references rather than hard-coded strings.&lt;/p&gt;
&lt;h3 id="stateful-mode-and-the-graduation-path"&gt;Stateful mode and the graduation path&lt;/h3&gt;
&lt;p&gt;Today, &lt;code&gt;pulumi do&lt;/code&gt; is stateless. Each command runs independently. A planned stateful mode will persist resource state across operations, enabling drift detection, lifecycle management, and a graduation path to full infrastructure as code.&lt;/p&gt;
&lt;p&gt;Here&amp;rsquo;s what we&amp;rsquo;re planning:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Zero setup.&lt;/strong&gt; Your first &lt;code&gt;pulumi do&lt;/code&gt; implicitly creates a project and stack. No manual initialization.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Accumulate resources.&lt;/strong&gt; Each operation stores resource state. After a few commands, you have a lightweight representation of your infrastructure.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Eject to a full project.&lt;/strong&gt; When the time comes, generate a Pulumi project in your chosen language with all resources imported and dependency graphs intact.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Connect to Pulumi Cloud.&lt;/strong&gt; Layer on governance, compliance, team collaboration, and deployment automation through &lt;a href="https://www.pulumi.com/product/"&gt;Pulumi Cloud&lt;/a&gt;. Resources created via &lt;code&gt;pulumi do&lt;/code&gt; can be governed by &lt;a href="https://www.pulumi.com/product/insights-governance/"&gt;Pulumi Insights&lt;/a&gt; from day one, even before you opt into full IaC.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;This path works because &lt;code&gt;pulumi do&lt;/code&gt; uses the same providers, resource types, and property schemas as every other &lt;code&gt;pulumi&lt;/code&gt; operation. Provisioned cloud resources stay where they are as management capabilities are added as needed.&lt;/p&gt;
&lt;h2 id="get-started"&gt;Get started&lt;/h2&gt;
&lt;p&gt;&lt;code&gt;pulumi do&lt;/code&gt; ships as a research preview in &lt;a href="https://github.com/pulumi/pulumi/releases/tag/v3.242.0"&gt;Pulumi CLI v3.242.0&lt;/a&gt; and later. Install or update the CLI, install a provider plugin, and start running commands. The &lt;a href="https://www.pulumi.com/docs/iac/cli/direct-resource-operations/"&gt;documentation&lt;/a&gt; has the full reference.&lt;/p&gt;
&lt;p&gt;We can&amp;rsquo;t wait to hear your feedback. &lt;a href="https://www.pulumi.com/docs/install/"&gt;Give it a try today&lt;/a&gt;, tell us what works (and what doesn&amp;rsquo;t), and help shape the CLI that agents and humans both reach for first.&lt;/p&gt;</description><author>Fraser Waters</author><author>Pat Gavlin</author><author>Arun Loganathan</author><author>Christian Nunciato</author><category>features</category><category>pulumi-cli</category><category>ai-agents</category><category>product-launches</category></item><item><title>Pulumi IAM Expands: Manage Access at Scale with Tags, Roles, and Teams</title><link>https://www.pulumi.com/blog/expanding-pulumi-iam-custom-permissions/</link><pubDate>Thu, 19 Mar 2026 10:30:00 -0700</pubDate><guid>https://www.pulumi.com/blog/expanding-pulumi-iam-custom-permissions/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/expanding-pulumi-iam-custom-permissions/index.png" /&gt;
&lt;p&gt;Since the launch of &lt;a href="https://www.pulumi.com/blog/pulumi-cloud-iam-launch/"&gt;Pulumi IAM&lt;/a&gt; with &lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac/roles/"&gt;custom roles&lt;/a&gt; and scoped &lt;a href="https://www.pulumi.com/docs/administration/access-identity/access-tokens/"&gt;access tokens&lt;/a&gt;, organizations have been using fine-grained permissions to secure their automation and CI/CD pipelines. As teams scale to hundreds or thousands of stacks, environments, and accounts, the next challenge is applying those permissions efficiently.&lt;/p&gt;
&lt;p&gt;Today, we&amp;rsquo;re introducing three new capabilities to help you manage permissions more dynamically at scale: &lt;strong&gt;tag-based access control&lt;/strong&gt;, &lt;strong&gt;team role assignments&lt;/strong&gt;, and &lt;strong&gt;user role assignments&lt;/strong&gt;.&lt;/p&gt;
&lt;h2 id="why-tag-based-access-control"&gt;Why tag-based access control?&lt;/h2&gt;
&lt;p&gt;With custom roles, you can define granular permissions using &lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac/scopes"&gt;fine-grained scopes&lt;/a&gt;. However, applying those roles still requires selecting individual stacks, environments, or accounts one by one. For organizations managing a large number of Pulumi entities, this means either granting overly broad access or spending significant time on manual configuration. Tag-based access control solves this problem.&lt;/p&gt;
&lt;h2 id="whats-new"&gt;What&amp;rsquo;s new?&lt;/h2&gt;
&lt;h3 id="tag-based-access-control"&gt;Tag-based access control&lt;/h3&gt;
&lt;p&gt;You can now create rules within a custom role that dynamically grant permissions based on entity tags. This works across IaC stacks, ESC environments, and Insights accounts. For example, when a new stack is created and tagged &lt;code&gt;env:prod&lt;/code&gt;, anyone with a role containing a matching tag-based rule automatically gets the right permissions. No manual assignment required.&lt;/p&gt;
&lt;p&gt;A single role can include multiple tag-based rules, and they are evaluated with &lt;strong&gt;OR&lt;/strong&gt; logic. If an entity matches any of the rules, the permissions are granted. Within a single rule, you can combine multiple key-value conditions with implicit &lt;strong&gt;AND&lt;/strong&gt; logic for precise targeting. For example, a rule with conditions &lt;code&gt;env:prod&lt;/code&gt; and &lt;code&gt;team:payments&lt;/code&gt; ensures access is granted only to production resources owned by the payments team.&lt;/p&gt;
&lt;h3 id="team-role-assignments"&gt;Team role assignments&lt;/h3&gt;
&lt;p&gt;Custom roles can now be assigned directly to &lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac/teams"&gt;teams&lt;/a&gt; within your Pulumi organization. When an engineer joins a team, whether manually or via &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/scim/"&gt;SCIM provisioning&lt;/a&gt;, they automatically inherit the permissions defined in the team&amp;rsquo;s assigned roles.&lt;/p&gt;
&lt;p&gt;Teams support both &lt;strong&gt;inline permissions&lt;/strong&gt; (ad-hoc access to specific stacks, environments, or accounts) and &lt;strong&gt;role-based permissions&lt;/strong&gt; simultaneously. You can assign &lt;strong&gt;multiple roles&lt;/strong&gt; to a single team, giving you full flexibility to compose access from reusable building blocks while retaining the ability to grant one-off access where needed. If you have existing workflows built around ad-hoc assignments to teams, those continue to work exactly as before. You can adopt roles incrementally or mix both approaches on the same team.&lt;/p&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;Team admins (or users with the &lt;code&gt;team:update&lt;/code&gt; scope) can continue to manage their team&amp;rsquo;s inline permissions as they do today. However, assigning organization-level custom roles to a team requires additional permissions: &lt;code&gt;role:read&lt;/code&gt; and &lt;code&gt;role:update&lt;/code&gt;.&lt;/div&gt;
&lt;/div&gt;
&lt;h3 id="user-role-assignments"&gt;User role assignments&lt;/h3&gt;
&lt;p&gt;Custom roles can also be assigned directly to individual organization members. This is useful for users whose responsibilities span multiple teams or require permissions beyond the existing org-level &lt;code&gt;Admin&lt;/code&gt;, &lt;code&gt;Member&lt;/code&gt;, and &lt;code&gt;Billing Manager&lt;/code&gt; &lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac/roles"&gt;roles&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="how-permissions-work-together"&gt;How permissions work together&lt;/h3&gt;
&lt;p&gt;Permissions in Pulumi IAM are &lt;strong&gt;additive&lt;/strong&gt;. A user receives the union of all permissions granted to them, including permissions from roles assigned directly to them as a user and permissions from roles assigned to any team they belong to. A user on both the &amp;ldquo;SRE&amp;rdquo; and &amp;ldquo;Security&amp;rdquo; teams inherits permissions from both team roles, plus any role assigned to them individually.&lt;/p&gt;
&lt;h2 id="how-to-get-started"&gt;How to get started&lt;/h2&gt;
&lt;p&gt;Configuring tag-based access control and role assignments is done through the Pulumi Cloud console and REST API.&lt;/p&gt;
&lt;h3 id="1-create-a-custom-role-with-tag-based-rules"&gt;1. Create a custom role with tag-based rules&lt;/h3&gt;
&lt;p&gt;In Pulumi Cloud, navigate to &lt;strong&gt;Settings&lt;/strong&gt; &amp;gt; &lt;strong&gt;Access Management&lt;/strong&gt; &amp;gt; &lt;strong&gt;Roles&lt;/strong&gt; and create a new custom role. In the role configuration, add tag-based rules that define which entities the role should apply to.&lt;/p&gt;
&lt;p&gt;For example, to create a role that grants write access to all production stacks:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Click &lt;strong&gt;Create custom role&lt;/strong&gt; and give it a descriptive name (e.g., &amp;ldquo;Production Deployer&amp;rdquo;)&lt;/li&gt;
&lt;li&gt;Add a permission set (e.g., Stack Write) to the role&lt;/li&gt;
&lt;li&gt;Under entity selection, choose &lt;strong&gt;Tag-based rule&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;Set the condition: tag key &lt;code&gt;env&lt;/code&gt; equals &lt;code&gt;prod&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Save the role&lt;/li&gt;
&lt;/ol&gt;
&lt;h3 id="2-assign-the-role-to-a-team"&gt;2. Assign the role to a team&lt;/h3&gt;
&lt;p&gt;Go to &lt;strong&gt;Settings&lt;/strong&gt; &amp;gt; &lt;strong&gt;Access Management&lt;/strong&gt; &amp;gt; &lt;strong&gt;Teams&lt;/strong&gt;, select a team, and assign your custom role. All team members immediately inherit the defined permissions.&lt;/p&gt;
&lt;h3 id="3-assign-a-role-to-an-individual-user"&gt;3. Assign a role to an individual user&lt;/h3&gt;
&lt;p&gt;For users with unique access requirements, go to &lt;strong&gt;Settings&lt;/strong&gt; &amp;gt; &lt;strong&gt;Access Management&lt;/strong&gt; &amp;gt; &lt;strong&gt;Members&lt;/strong&gt;, select a user, and assign a custom role directly.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Custom roles with tag-based access control"
controls
autoplay muted playsinline
loop &gt;
&lt;source src="abac-demo.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h2 id="enforce-tagging-standards-with-pulumi-policy"&gt;Enforce tagging standards with Pulumi Policy&lt;/h2&gt;
&lt;p&gt;Tag-based access control relies on consistent tagging. If a stack is missing a tag or has an incorrect value, permissions won&amp;rsquo;t be applied as expected. &lt;a href="https://www.pulumi.com/docs/insights/policy/"&gt;Pulumi Policy&lt;/a&gt; closes this gap by letting you enforce tagging standards as a &lt;a href="https://www.pulumi.com/docs/insights/policy/policy-groups/"&gt;preventative policy group&lt;/a&gt;, so any &lt;code&gt;pulumi up&lt;/code&gt; on a stack with missing or invalid tags is blocked before deployment. This ensures your tag-based RBAC rules always grant the correct permissions. Policy enforces the standard, RBAC enforces the access.&lt;/p&gt;
&lt;p&gt;To learn how to write policies that validate stack tags, see &lt;a href="https://www.pulumi.com/docs/insights/policy/policy-packs/authoring/#using-stack-tags-in-policies"&gt;Using stack tags in policies&lt;/a&gt;.&lt;/p&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;Pulumi Policy currently supports tag enforcement for IaC stacks. For ESC environments and Insights accounts, tags are managed through the Pulumi Cloud console or REST API.&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="availability"&gt;Availability&lt;/h2&gt;
&lt;p&gt;Tag-based access control, team role assignments, and user role assignments are available today for customers on the &lt;strong&gt;Pulumi Enterprise&lt;/strong&gt; and &lt;strong&gt;Pulumi Business Critical&lt;/strong&gt; plans. Check out our &lt;a href="https://www.pulumi.com/pricing/"&gt;pricing page&lt;/a&gt; for more details on editions and what&amp;rsquo;s included.&lt;/p&gt;
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;With custom roles providing fine-grained permissions, tag-based rules enabling dynamic access policies, and the ability to assign roles directly to teams and users, Pulumi IAM now provides everything you need to implement automated, least-privilege access control at scale. We&amp;rsquo;re excited to see how you leverage these new capabilities to secure and streamline your cloud operations.&lt;/p&gt;
&lt;p&gt;Explore the &lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac"&gt;IAM documentation&lt;/a&gt; to get started, and share your feedback in our &lt;a href="https://github.com/pulumi/pulumi-cloud-requests/issues"&gt;GitHub repository&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id="learn-more"&gt;Learn more&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac"&gt;RBAC overview&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac/roles"&gt;Roles&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac/permission-sets"&gt;Permission sets&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac/teams"&gt;Teams&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac/scopes"&gt;Scopes&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/pulumi-cloud-iam-launch/"&gt;Pulumi IAM launch blog&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/pulumi-cloud-iam-self-hosted/"&gt;Pulumi IAM for self-hosted&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description><author>Devon Grove</author><author>Davide Massarenti</author><author>Casey Huang</author><author>Arun Loganathan</author><category>iam</category><category>rbac</category><category>security</category><category>features</category><category>pulumi-cloud</category></item><item><title>Announcing OpenAPI support for the Pulumi Cloud REST API</title><link>https://www.pulumi.com/blog/announcing-openapi-support-pulumi-cloud/</link><pubDate>Thu, 05 Feb 2026 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/announcing-openapi-support-pulumi-cloud/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/announcing-openapi-support-pulumi-cloud/index.png" /&gt;
&lt;p&gt;We&amp;rsquo;re thrilled to announce that the Pulumi Cloud REST API is now described by an OpenAPI 3.0 specification, and we&amp;rsquo;re just getting started.&lt;/p&gt;
&lt;p&gt;This is a feature that has been a long time coming. We have heard your requests for OpenAPI support &lt;a href="https://github.com/pulumi/pulumi-cloud-requests/issues/100"&gt;loud and clear&lt;/a&gt;, and we&amp;rsquo;re excited to share that not only do we have a published specification for consumption, but our API code is now built from this specification as well. Moving forward, this single source of truth unlocks better tooling, tighter integration, and a more predictable API experience for everyone.&lt;/p&gt;
&lt;p&gt;You can fetch the spec directly from the API at runtime or use it for client generation, validation, and documentation, all from one machine-readable contract.&lt;/p&gt;
&lt;h2 id="a-single-contract-for-the-pulumi-cloud-rest-api"&gt;A single contract for the Pulumi Cloud REST API&lt;/h2&gt;
&lt;p&gt;The Pulumi Cloud API powers the Pulumi CLI, the Pulumi Console, and third-party integrations. Until now, there was no single, published machine-readable description of that API. We&amp;rsquo;ve changed that. The API is now defined and served as a standard OpenAPI 3.0.3 document.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Runtime discovery&lt;/strong&gt;: You can retrieve the spec from the API itself, so your tooling always sees the same surface the service implements.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Client generation&lt;/strong&gt;: Use your favorite OpenAPI tooling (e.g. OpenAPI Generator, Swagger Codegen) to generate API clients in the language of your choice.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Validation and testing&lt;/strong&gt;: Validate requests and responses, or build mocks and tests, from the same spec the service uses.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Documentation&lt;/strong&gt;: The spec is the source of truth, not a separate, hand-maintained API doc that can drift from reality. Load the spec into Swagger UI, Redoc, or another viewer to browse the Pulumi Cloud API interactively.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="how-to-get-the-spec"&gt;How to get the spec&lt;/h2&gt;
&lt;p&gt;Send a GET request to:&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;https://api.pulumi.com/api/openapi/pulumi-spec.json
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;No authentication is required. The response is the OpenAPI 3.0 document for the Pulumi Cloud API, describing the supported, documented API surface.&lt;/p&gt;
&lt;h2 id="source-of-truth-and-stability"&gt;Source of truth and stability&lt;/h2&gt;
&lt;p&gt;We do not hand-write the OpenAPI spec. We generate it from the same API definition that drives our backend and console code. When we add or change API routes or models, we regenerate the spec so the published document stays in sync with what the service actually implements. That gives you a clear, stable contract for the Pulumi Cloud API.&lt;/p&gt;
&lt;h2 id="what-we-are-building-next"&gt;What we are building next&lt;/h2&gt;
&lt;p&gt;We are using this spec as the foundation for our own tooling, and have plans to continue leveraging the spec in our toolchain long-term.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;CLI&lt;/strong&gt;: We plan to drive the Pulumi CLI’s API client from the OpenAPI spec so that CLI and API stay in lockstep.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Pulumi Service Provider&lt;/strong&gt;: We are also building towards day 1 updates to the &lt;a href="https://www.pulumi.com/registry/packages/pulumiservice/"&gt;Pulumi Service Provider&lt;/a&gt; so that new and changed API resources are generated from the spec and ship in sync with the service.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Docs Enhancements&lt;/strong&gt;: Although you can load the spec using Swagger UI for your own browsing, we are intent on shipping enhancements to our &lt;a href="https://www.pulumi.com/docs/reference/cloud-rest-api/"&gt;public REST API docs&lt;/a&gt; that will keep them up-to-date according to the OpenAPI spec.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;As we ship those updates, you will get a single source of truth from API to CLI to provider.&lt;/p&gt;
&lt;p&gt;If you have questions or feedback about the OpenAPI spec or the Pulumi Cloud API, reach out in our &lt;a href="https://slack.pulumi.com/"&gt;Community Slack&lt;/a&gt; or open an issue in the &lt;a href="https://github.com/pulumi/pulumi"&gt;Pulumi repository&lt;/a&gt;. We&amp;rsquo;re excited to see what you build with it.&lt;/p&gt;</description><author>Davide Massarenti</author><author>Claire Gaestel</author><author>Devon Grove</author><author>Arun Loganathan</author><author>Zac Cook</author><category>features</category><category>pulumi-cloud</category><category>api</category></item><item><title>Pulumi IAM Now Available for Self-Hosted Pulumi Cloud</title><link>https://www.pulumi.com/blog/pulumi-cloud-iam-self-hosted/</link><pubDate>Wed, 14 Jan 2026 11:18:00 +0000</pubDate><guid>https://www.pulumi.com/blog/pulumi-cloud-iam-self-hosted/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/pulumi-cloud-iam-self-hosted/index.png" /&gt;
&lt;p&gt;We&amp;rsquo;re excited to announce that &lt;strong&gt;Pulumi Identity and Access Management (IAM)&lt;/strong&gt; is now available for self-hosted instances of Pulumi Cloud. This foundational security capability brings the same &lt;a href="https://www.pulumi.com/blog/pulumi-cloud-iam-launch/"&gt;enterprise-grade access management&lt;/a&gt; we launched for Pulumi Cloud SaaS to organizations running Pulumi on their own infrastructure.&lt;/p&gt;
&lt;h2 id="enterprise-security-for-self-hosted-deployments"&gt;Enterprise Security for Self-Hosted Deployments&lt;/h2&gt;
&lt;p&gt;Self-hosted Pulumi Cloud customers can now leverage the full power of &lt;strong&gt;Custom Roles&lt;/strong&gt; and &lt;strong&gt;Granular Access Tokens&lt;/strong&gt; to implement Zero Trust security principles and least privilege access controls within their own environments. This means you can:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Define Custom Permissions&lt;/strong&gt; with fine-grained scopes (e.g., &lt;code&gt;stack:delete&lt;/code&gt;, &lt;code&gt;environment:read&lt;/code&gt;) tailored to your organization&amp;rsquo;s security requirements.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Create Custom Roles&lt;/strong&gt; by combining these permissions with specific Pulumi entities (Stacks, Environments, etc.).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Generate Scoped Organization Access Tokens&lt;/strong&gt; that are precisely limited to the permissions defined in their associated roles, dramatically reducing the blast radius if credentials are compromised.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="secure-automation-for-on-premises-infrastructure"&gt;Secure Automation for On-Premises Infrastructure&lt;/h2&gt;
&lt;p&gt;This release is powerful for self-hosted Pulumi Cloud deployments where security and compliance requirements are often even more stringent. You can now:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Implement Least Privilege CI/CD:&lt;/strong&gt; Scope pipeline tokens to only the actions and resources they absolutely need, ensuring your automation follows the same security standards as your infrastructure.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Enhance Compliance Posture:&lt;/strong&gt; Demonstrate precise, auditable control over programmatic access to auditors and security teams.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reduce Operational Risk:&lt;/strong&gt; Limit the potential impact of compromised tokens by restricting them to specific roles and permissions.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="getting-started"&gt;Getting Started&lt;/h2&gt;
&lt;p&gt;Self-hosted customers can access IAM features through the same intuitive interface available in Pulumi Cloud SaaS. Navigate to &lt;strong&gt;Settings&lt;/strong&gt; -&amp;gt; &lt;strong&gt;Access Management&lt;/strong&gt; -&amp;gt; &lt;strong&gt;Roles&lt;/strong&gt; to begin creating Custom Permissions and Custom Roles, then generate scoped Organization Access Tokens from &lt;strong&gt;Settings&lt;/strong&gt; -&amp;gt; &lt;strong&gt;Access Management&lt;/strong&gt; -&amp;gt; &lt;strong&gt;Access Tokens&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;For detailed information about Pulumi IAM capabilities, including step-by-step guides and best practices, see our &lt;a href="https://www.pulumi.com/blog/pulumi-cloud-iam-launch/"&gt;comprehensive announcement blog post&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id="learn-more"&gt;Learn More&lt;/h2&gt;
&lt;p&gt;Explore the IAM &amp;amp; RBAC documentation to get started:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac"&gt;Overview&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/roles"&gt;Roles&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/permissions"&gt;Permissions&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/scopes"&gt;Scopes&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;We&amp;rsquo;re committed to bringing enterprise-grade security features to all Pulumi deployments, whether in the cloud or on-premises. If you have questions or feedback, please reach out through your account representative or our &lt;a href="https://github.com/pulumi/pulumi-cloud-requests/issues"&gt;GitHub repository&lt;/a&gt;.&lt;/p&gt;</description><author>Davide Massarenti</author><author>Devon Grove</author><author>Casey Huang</author><author>Arun Loganathan</author><category>iam</category><category>rbac</category><category>security</category><category>features</category><category>pulumi-cloud</category><category>access-tokens</category><category>self-hosted</category></item><item><title>Pulumi 2025: Neo, Next-Gen Policies, and Platform Engineering at Scale</title><link>https://www.pulumi.com/blog/2025-product-launches/</link><pubDate>Mon, 22 Dec 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/2025-product-launches/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/2025-product-launches/index.png" /&gt;
&lt;p&gt;The era of AI-accelerated development has arrived, creating both unprecedented opportunity and unprecedented challenge. Developers ship code faster than ever, but platform teams struggle to keep pace. The velocity gap threatens to become a bottleneck.&lt;/p&gt;
&lt;p&gt;As 2025 comes to a close, let&amp;rsquo;s look back at how we addressed this challenge.&lt;/p&gt;
&lt;p&gt;This year, we took a giant leap forward to close that gap with several major innovations, including purpose-built AI for platform engineers, next-generation policy management that transforms governance into an accelerator, and the foundation for building Internal Developer Platforms that enable self-service without sacrificing control.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#pulumi-neo-your-newest-platform-engineer"&gt;Pulumi Neo: Your Newest Platform Engineer&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#ai-assisted-development-everywhere"&gt;AI-Assisted Development Everywhere&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#next-generation-policy-management-ai-powered-governance-at-scale"&gt;Next-Generation Policy Management: AI-Powered Governance at Scale&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#internal-developer-platform-self-service-infrastructure-at-scale"&gt;Internal Developer Platform: Self-Service Infrastructure at Scale&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#secrets-management-taming-sprawl-at-scale"&gt;Secrets Management: Taming Sprawl at Scale&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#identity-and-access-management"&gt;Identity and Access Management&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-iac"&gt;Pulumi IaC&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#cloud-provider-support"&gt;Cloud Provider Support&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#language-support"&gt;Language Support&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#infrastructure-operations"&gt;Infrastructure Operations&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#kubernetes-operator"&gt;Kubernetes Operator&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#the-year-ahead"&gt;The Year Ahead&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="pulumi-neo-your-newest-platform-engineer"&gt;Pulumi Neo: Your Newest Platform Engineer&lt;/h2&gt;
&lt;p&gt;We launched &lt;a href="https://www.pulumi.com/blog/pulumi-neo/"&gt;Pulumi Neo&lt;/a&gt;, purpose-built AI specifically designed for platform engineering challenges. Neo fundamentally changed how platform engineers work.&lt;/p&gt;
&lt;div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"&gt;
&lt;iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/9GB9M2l1OgY?rel=0?autoplay=0&amp;amp;controls=1&amp;amp;end=0&amp;amp;loop=0&amp;amp;mute=0&amp;amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"&gt;&lt;/iframe&gt;
&lt;/div&gt;
&lt;p&gt;The problem Neo solves is critical: while AI coding assistants have accelerated developers substantially, platform teams have struggled to keep pace. Every line of code that ships faster creates new platform needs - monitoring, secrets, pipelines, compliance checks. The velocity gap between development and platform teams was widening, threatening to become a bottleneck that would slow down entire organizations.&lt;/p&gt;
&lt;p&gt;Neo levels the playing field by giving platform engineers their own dedicated AI tool. Unlike generic AI coding assistants that lack infrastructure context, Neo deeply understands cloud environments, infrastructure as code, secrets management, and the unique challenges platform teams face. It speaks their language and works within their constraints.&lt;/p&gt;
&lt;p&gt;What makes Neo different is how it&amp;rsquo;s built. Neo operates on top of Pulumi&amp;rsquo;s existing platform capabilities - the same IaC, ESC, and policy features you already use for governance become Neo&amp;rsquo;s operational guardrails. It automatically respects your security and policy rules, works within your governance frameworks, and maintains the audit trails and compliance controls your organization requires. This isn&amp;rsquo;t experimental AI retrofitted with infrastructure plugins - it&amp;rsquo;s enterprise-ready intelligence built from the ground up on proven foundations.&lt;/p&gt;
&lt;p&gt;Throughout the year, we enhanced Neo with capabilities that scale your team&amp;rsquo;s expertise. &lt;a href="https://www.pulumi.com/blog/slash-commands-custom-instructions/"&gt;Custom Instructions and Slash Commands&lt;/a&gt; let you encode organizational standards once and Neo applies them automatically, while turning proven prompts into reusable shortcuts anyone can use. &lt;a href="https://www.pulumi.com/blog/neo-levels-up/"&gt;Operating Modes&lt;/a&gt; give you flexible control - from full review to autonomous execution. And &lt;a href="https://www.pulumi.com/blog/neo-levels-up/"&gt;full Pulumi CLI integration&lt;/a&gt; means Neo can handle complete infrastructure workflows, from stack operations to cloud CLI commands.&lt;/p&gt;
&lt;h3 id="ai-assisted-development-everywhere"&gt;AI-Assisted Development Everywhere&lt;/h3&gt;
&lt;p&gt;Beyond Neo, we brought AI assistance directly into development workflows throughout the year. The &lt;a href="https://www.pulumi.com/blog/mcp-server-ai-assistants/"&gt;Pulumi Model Context Protocol (MCP) Server&lt;/a&gt; connects AI-powered code assistants with Pulumi&amp;rsquo;s CLI and registry, enabling real-time resource information without leaving your editor. Use it with GitHub Copilot, Anthropic&amp;rsquo;s Claude Code, and Cursor to accelerate resource discovery and write infrastructure code faster. We enhanced this with &lt;a href="https://www.pulumi.com/blog/remote-mcp-server/"&gt;remote MCP server&lt;/a&gt; support for centralized management and &lt;a href="https://www.pulumi.com/blog/cli-ai-extensions/"&gt;CLI AI extensions&lt;/a&gt; for intelligent command-line assistance.&lt;/p&gt;
&lt;h2 id="next-generation-policy-management-ai-powered-governance-at-scale"&gt;Next-Generation Policy Management: AI-Powered Governance at Scale&lt;/h2&gt;
&lt;p&gt;With Neo giving platform teams AI superpowers, we needed to ensure AI-accelerated development remained safe and compliant. The challenge isn&amp;rsquo;t detecting security issues - it&amp;rsquo;s fixing them at scale. Most policy tools stop at detection, leaving teams with overwhelming backlogs and no scalable way to remediate violations.&lt;/p&gt;
&lt;p&gt;We ended that compromise with the &lt;a href="https://www.pulumi.com/blog/policy-next-gen/"&gt;next generation of Pulumi Policies&lt;/a&gt;. This comprehensive governance solution moves beyond detection to deliver AI-powered remediation through a two-step lifecycle:&lt;/p&gt;
&lt;div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"&gt;
&lt;iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/mwcrOTEf1EQ?rel=0?autoplay=0&amp;amp;controls=1&amp;amp;end=0&amp;amp;loop=0&amp;amp;mute=0&amp;amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"&gt;&lt;/iframe&gt;
&lt;/div&gt;
&lt;p&gt;&lt;strong&gt;Get Clean:&lt;/strong&gt; We introduced the &lt;a href="https://www.pulumi.com/blog/policy-issue-management/"&gt;Policy Findings Hub&lt;/a&gt; that gives every stakeholder their needed view - leadership sees compliance scores, auditors get control-centric compliance views, and platform teams get a collaborative workspace to triage and track remediation. Combined with &lt;a href="https://www.pulumi.com/blog/policy-audit-scans-for-stacks/"&gt;audit scans&lt;/a&gt;, you get instant compliance baselines without blocking developers. Neo integrates directly into the Policy Findings hub to automate the fix itself, generating pull requests with exact code changes needed. For unmanaged resources, Neo even generates code to import the resource into a Pulumi stack and apply the fix.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Stay Clean:&lt;/strong&gt; We launched &lt;a href="https://www.pulumi.com/blog/policy-packs-cis-nist-pci/"&gt;pre-built compliance packs&lt;/a&gt; for &lt;strong&gt;CIS, NIST, PCI, and HITRUST&lt;/strong&gt; across AWS, Azure, and Google Cloud. These out-of-the-box policy packs let you enforce industry-standard compliance frameworks immediately without writing custom policies. They act as universal guardrails by blocking non-compliant changes during deployment. Neo can even author new custom policies - ask Neo to &amp;ldquo;create a policy that prevents overly permissive IAM roles,&amp;rdquo; and it generates the code. This is how we make AI safe to go fast.&lt;/p&gt;
&lt;h2 id="internal-developer-platform-self-service-infrastructure-at-scale"&gt;Internal Developer Platform: Self-Service Infrastructure at Scale&lt;/h2&gt;
&lt;div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"&gt;
&lt;iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/3gZmKaAeppc?rel=0?autoplay=0&amp;amp;controls=1&amp;amp;end=0&amp;amp;loop=0&amp;amp;mute=0&amp;amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"&gt;&lt;/iframe&gt;
&lt;/div&gt;
&lt;p&gt;Platform engineering teams face a persistent challenge: they&amp;rsquo;re constantly responding to infrastructure requests instead of building the systems that enable self-service at scale. This reactive cycle prevents platform teams from doing their most valuable work - establishing patterns, codifying standards, and creating golden paths that empower developers without sacrificing control.&lt;/p&gt;
&lt;p&gt;We delivered the foundation to break this cycle with &lt;a href="https://www.pulumi.com/blog/announcing-pulumi-idp/"&gt;Pulumi IDP&lt;/a&gt;. Pulumi IDP provides everything platform teams need to build world-class internal developer platforms. Codify organizational standards into reusable building blocks. Give developers simple, approachable interfaces that enforce best practices automatically. Transform platform engineering from reactive ticket-taking to strategic enablement.&lt;/p&gt;
&lt;p&gt;The key is &lt;a href="https://www.pulumi.com/blog/announcing-pulumi-private-registry/"&gt;Pulumi Private Registry&lt;/a&gt;, your organization&amp;rsquo;s source of truth for golden paths and platform building blocks. Private Registry provides streamlined publishing workflows and simplified discovery, making it easy to share infrastructure abstractions across your organization. Combined with our expanded &lt;a href="https://www.pulumi.com/blog/registry-wave-2/"&gt;public registry&lt;/a&gt; (now over 150 providers and 7,500 resource types), you have comprehensive options for managing infrastructure across your entire cloud estate.&lt;/p&gt;
&lt;p&gt;What makes this powerful is &lt;a href="https://www.pulumi.com/blog/pulumi-components/"&gt;next-generation Pulumi Components&lt;/a&gt; with true cross-language support. Author infrastructure abstractions once in your preferred language, then consume them in any supported Pulumi language - including YAML for non-programmers, and soon, &lt;a href="https://www.pulumi.com/blog/all-iac-including-terraform-and-hcl/"&gt;HCL&lt;/a&gt;. Components include built-in input validation, detailed documentation, and improved error messages. This means platform teams can reach every developer in their organization regardless of language preference, scaling their expertise without scaling their team.&lt;/p&gt;
&lt;h2 id="secrets-management-taming-sprawl-at-scale"&gt;Secrets Management: Taming Sprawl at Scale&lt;/h2&gt;
&lt;p&gt;The proliferation of secrets across modern cloud environments creates massive security risks. Long-lived credentials pose significant vulnerabilities. Secrets scattered across systems make it nearly impossible to track usage or enforce consistent policies. And manual rotation processes are error-prone and rarely done.&lt;/p&gt;
&lt;p&gt;2025 saw significant expansion of Pulumi ESC to address these challenges across your entire secrets ecosystem:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Automated Rotation:&lt;/strong&gt; We launched &lt;a href="https://www.pulumi.com/blog/esc-rotated-secrets-launch/"&gt;ESC Rotated Secrets&lt;/a&gt;, automatically rotating credentials like AWS IAM access keys on flexible schedules. This eliminates manual rotation effort and significantly reduces vulnerability windows. We expanded this with &lt;a href="https://www.pulumi.com/blog/esc-db-secrets-rotation-launch/"&gt;database credential rotation&lt;/a&gt; for PostgreSQL and MySQL, including support for databases in private VPCs via AWS VPC Lambda connectors.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Universal Integration:&lt;/strong&gt; We integrated ESC with the secrets management platforms you&amp;rsquo;re already using:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/esc-snowflake-providers-launch/"&gt;Snowflake&lt;/a&gt; - Dynamic OIDC tokens for temporary authentication plus automated RSA keypair rotation&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/esc-infisical-providers-launch/"&gt;Infisical&lt;/a&gt; - Dynamic OIDC login and secret fetching from the open-source secrets platform&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/esc-doppler-providers-launch/"&gt;Doppler&lt;/a&gt; - OIDC access tokens and centralized secret fetching&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For systems without native support, we launched &lt;a href="https://www.pulumi.com/blog/esc-connect/"&gt;ESC Connect&lt;/a&gt;, enabling you to build simple HTTPS adapters that integrate any custom or proprietary secret source with ESC.&lt;/p&gt;
&lt;p&gt;These integrations let you maintain existing secrets infrastructure while gaining ESC&amp;rsquo;s centralized management, audit capabilities, and governance controls. You don&amp;rsquo;t have to rip and replace - ESC works with what you have.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Better Experience:&lt;/strong&gt; We improved ESC usability throughout the year with &lt;a href="https://www.pulumi.com/blog/esc-new-onboarding/"&gt;streamlined onboarding&lt;/a&gt;, &lt;a href="https://www.pulumi.com/blog/esc-open-approvals/"&gt;approval workflows&lt;/a&gt; for sensitive environments, and &lt;a href="https://www.pulumi.com/blog/esc-deletion-protection/"&gt;deletion protection&lt;/a&gt; to prevent accidents.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Security &amp;amp; Trust:&lt;/strong&gt; For organizations with strict compliance needs like HIPAA or GDPR, we launched &lt;a href="https://www.pulumi.com/blog/bring-your-own-keys-with-pulumi-esc/"&gt;Customer-Managed Keys (BYOK)&lt;/a&gt;. This allows you to bring your own encryption keys (via AWS KMS) to encrypt secrets stored in ESC, giving you full control over key lifecycles and revocation.&lt;/p&gt;
&lt;h2 id="identity-and-access-management"&gt;Identity and Access Management&lt;/h2&gt;
&lt;p&gt;Modern security demands unwavering trust in your security posture. How do you empower teams to deploy rapidly without opening doors to risk or violating compliance mandates?&lt;/p&gt;
&lt;p&gt;We launched &lt;a href="https://www.pulumi.com/blog/pulumi-cloud-iam-launch/"&gt;Pulumi IAM&lt;/a&gt;, embedding robust, granular security directly into your cloud development lifecycle. Pulumi IAM provides the unified framework for fine-grained authorization needed to confidently manage modern cloud infrastructure:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Custom Roles&lt;/strong&gt;: Define reusable permissions with fine-grained scopes tailored to your organization&amp;rsquo;s specific needs&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Least Privilege Enforcement&lt;/strong&gt;: Control precisely who can do what on which specific resources, minimizing the impact if credentials are compromised&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Secure Automation&lt;/strong&gt;: Generate scoped access tokens for CI/CD pipelines with only the necessary permissions, eliminating over-privileged service accounts&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Zero Trust Foundation&lt;/strong&gt;: Verify every access request and grant minimum necessary access, implementing true Zero Trust principles&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This foundational capability enables true least-privilege for CI/CD pipelines, reduces blast radius if tokens are compromised, and provides the compliance evidence auditors require. Platform and security teams finally have the fine-grained control needed to scale Pulumi usage securely across enterprise organizations without sacrificing velocity.&lt;/p&gt;
&lt;h2 id="pulumi-iac"&gt;Pulumi IaC&lt;/h2&gt;
&lt;p&gt;Platform teams need IaC tools that keep pace with rapidly evolving cloud platforms while providing operational flexibility and reliability. This year we shipped hundreds of enhancements to Pulumi&amp;rsquo;s core IaC capabilities, from major cloud provider updates to new operational primitives that give teams more control over infrastructure lifecycles.&lt;/p&gt;
&lt;h3 id="cloud-provider-support"&gt;Cloud Provider Support&lt;/h3&gt;
&lt;p&gt;Managing multi-cloud infrastructure requires comprehensive provider support that keeps pace with rapidly evolving cloud platforms. This year we shipped major provider updates:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.pulumi.com/blog/announcing-7-0-of-the-pulumi-aws-provider/"&gt;AWS Provider 7.0&lt;/a&gt;&lt;/strong&gt; brought game-changing improvements: manage resources across multiple AWS regions with a single provider instance, enhanced IAM role chaining with better error handling, and simplified S3 resource management.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.pulumi.com/blog/azure-native-v3/"&gt;Azure Native V3&lt;/a&gt;&lt;/strong&gt; delivered a 75% reduction in SDK size while maintaining 100% Azure ARM API coverage. Faster downloads, more manageable package sizes, and improved reliability.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.pulumi.com/blog/gcp-v9-release/"&gt;Google Cloud Provider 9.0&lt;/a&gt;&lt;/strong&gt; brought updated API versions, new modules for AI and Google Gemini, and expanded resource support for the latest GCP services.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.pulumi.com/blog/announcing-direct-tf-modules/"&gt;Direct Terraform Module Support&lt;/a&gt;&lt;/strong&gt; was one of our most requested features. Execute Terraform modules directly in Pulumi without conversion, providing a seamless migration path for module-heavy projects.&lt;/p&gt;
&lt;h3 id="language-support"&gt;Language Support&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.pulumi.com/blog/java-1-0/"&gt;Java SDK 1.0 GA&lt;/a&gt;&lt;/strong&gt; provides first-class Java support with feature parity to other Pulumi languages, support for all current LTS Java versions, and complete Automation API support.&lt;/p&gt;
&lt;h3 id="infrastructure-operations"&gt;Infrastructure Operations&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.pulumi.com/blog/resource-hooks/"&gt;Resource Hooks&lt;/a&gt;&lt;/strong&gt; was one of our most requested features. Run custom code at any point in a resource&amp;rsquo;s lifecycle - before creation, after updates, before deletion. This unlocks scenarios like validation checks before deployment, triggering external systems when infrastructure changes, and custom logging and auditing.&lt;/p&gt;
&lt;p&gt;We also shipped &lt;a href="https://www.pulumi.com/blog/dependent-resource-replacements/"&gt;dependent resource replacements&lt;/a&gt;, &lt;a href="https://www.pulumi.com/blog/excluding-targets-from-stack-operations/"&gt;excluding specific targets from stack operations&lt;/a&gt;, &lt;a href="https://www.pulumi.com/blog/pulumi-state-taint/"&gt;state taint capabilities&lt;/a&gt;, &lt;a href="https://www.pulumi.com/blog/improved-refresh-destroy-experience/"&gt;improved refresh and destroy experience&lt;/a&gt; for short-lived credentials, and &lt;a href="https://www.pulumi.com/blog/controlling-the-cli-through-environment-variables/"&gt;CLI control through environment variables&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="kubernetes-operator"&gt;Kubernetes Operator&lt;/h3&gt;
&lt;p&gt;The &lt;a href="https://www.pulumi.com/blog/pko-2-0-ga/"&gt;Pulumi Kubernetes Operator 2.0 reached GA&lt;/a&gt; with a completely rewritten, faster codebase featuring enhanced reconciliation logic, better error handling, and automatic retry for temporary failures. We continued enhancing it with &lt;a href="https://www.pulumi.com/blog/pulumi-kubernetes-operator-2-3/"&gt;version 2.3.0&lt;/a&gt; adding preview mode for validating infrastructure changes and structured configuration support for GitOps workflows.&lt;/p&gt;
&lt;h2 id="the-year-ahead"&gt;The Year Ahead&lt;/h2&gt;
&lt;p&gt;2025 was the year we gave platform engineers the tools to thrive in the age of AI-accelerated development. We ended the impossible choice between velocity and control. We transformed governance from a blocker into an accelerator. We enabled self-service without sacrificing governance.&lt;/p&gt;
&lt;p&gt;But this is just the beginning. The foundation we built this year sets the stage for even bigger innovations ahead. Neo will get smarter as it learns from infrastructure patterns across the community. Policy management will expand to more compliance frameworks. IDP will enable more sophisticated self-service workflows. ESC will integrate with more platforms.&lt;/p&gt;
&lt;p&gt;The future of platform engineering is strategic, proactive, and AI-enabled. Platform teams won&amp;rsquo;t be bottlenecks - they&amp;rsquo;ll be the strategic enablers who make sustainable velocity possible.&lt;/p&gt;
&lt;p&gt;Thank you for being part of the Pulumi community. Your feedback drives everything we build. We can&amp;rsquo;t wait to show you what comes next.&lt;/p&gt;
&lt;p&gt;Want to try these features? Check out our &lt;a href="https://www.pulumi.com/docs/"&gt;documentation&lt;/a&gt;, join our &lt;a href="https://slack.pulumi.com/"&gt;community Slack&lt;/a&gt;, or &lt;a href="https://www.pulumi.com/contact/"&gt;contact us&lt;/a&gt; to discuss how Pulumi can transform your platform engineering practice.&lt;/p&gt;
&lt;p&gt;Here&amp;rsquo;s to an incredible 2025, and an even better 2026!&lt;/p&gt;</description><author>Arun Loganathan</author><category>features</category><category>product-launches</category><category>pulumi-cloud</category></item><item><title>Announcing the Next Generation of Pulumi Policies: AI-Accelerated Governance for the Cloud</title><link>https://www.pulumi.com/blog/policy-next-gen/</link><pubDate>Wed, 05 Nov 2025 00:05:00 +0000</pubDate><guid>https://www.pulumi.com/blog/policy-next-gen/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/policy-next-gen/index.png" /&gt;
&lt;p&gt;The era of AI-accelerated development has created a paradox: the faster developers move, the bigger the governance challenge becomes. For years, security and platform teams have worked to &amp;ldquo;shift left,&amp;rdquo; but the tools available have been incomplete. Most focus on detection, which is necessary but not sufficient. They identify thousands of policy violations across an organization&amp;rsquo;s infrastructure but leave teams with an overwhelming backlog and no scalable way to remediate it. This creates a persistent gap between finding a problem and fixing it. The result is an impossible choice between development velocity and organizational control, forcing leadership to slow down innovation to manage risk.&lt;/p&gt;
&lt;p&gt;Today, we end that compromise.&lt;/p&gt;
&lt;p&gt;We are thrilled to announce the next generation of Pulumi Policies, a comprehensive governance solution that moves beyond detection to deliver AI-powered remediation at scale. We’re introducing a new lifecycle to secure your cloud: first, &lt;strong&gt;Get Clean&lt;/strong&gt; by using AI to fix your existing policy violations. Second, &lt;strong&gt;Stay Clean&lt;/strong&gt; by using policy as a universal guardrail that makes AI-driven development not just fast, but fundamentally safe. These are not strictly sequential steps; you can begin enforcing &amp;ldquo;Stay Clean&amp;rdquo; policies for all new infrastructure while you simultaneously work on the &amp;ldquo;Get Clean&amp;rdquo; process for your existing footprint.&lt;/p&gt;
&lt;p&gt;Watch our Launch Video:&lt;/p&gt;
&lt;div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"&gt;
&lt;iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/mwcrOTEf1EQ?rel=0?autoplay=0&amp;amp;controls=1&amp;amp;end=0&amp;amp;loop=0&amp;amp;mute=0&amp;amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"&gt;&lt;/iframe&gt;
&lt;/div&gt;
&lt;h2 id="part-1-get-clean---from-thousands-of-issues-to-a-compliant-state"&gt;Part 1: Get Clean - From Thousands of Issues to a Compliant State&lt;/h2&gt;
&lt;p&gt;The first step to a secure cloud is tackling the mountain of existing misconfigurations spread across your environments.&lt;/p&gt;
&lt;h3 id="first-gain-complete-visibility-with-the-new-policy-findings-hub"&gt;First, Gain Complete Visibility with the New Policy Findings Hub&lt;/h3&gt;
&lt;p&gt;To fix your issues, you first need to see them clearly. We have introduced a powerful &lt;strong&gt;&lt;a href="https://www.pulumi.com/blog/policy-issue-management/"&gt;Policy Findings Hub&lt;/a&gt;&lt;/strong&gt; designed to give every stakeholder the exact view they need.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;The Overview Tab:&lt;/strong&gt; A high-level dashboard with compliance scores for leadership to track trends and measure your organization&amp;rsquo;s posture.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;The Compliance Tab:&lt;/strong&gt; A control-centric view for auditors and infosec teams, grouping findings by policy (e.g., CIS, NIST) to simplify evidence gathering and prove compliance.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;The Issues Tab:&lt;/strong&gt; A collaborative workspace for platform and development teams to triage, assign, prioritize, and track the remediation of every policy issue.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This hub is powered by our flexible audit capabilities. With &lt;strong&gt;&lt;a href="https://www.pulumi.com/blog/policy-audit-scans-for-stacks/"&gt;Audit Scans for IaC Stacks&lt;/a&gt;&lt;/strong&gt;, you can get an instant compliance baseline on all your existing Pulumi-managed infrastructure without blocking developers or re-deploying thousands of stacks. This is combined with discovery scans of your cloud accounts to give you a single, unified view of every resource, whether managed by Pulumi or not.&lt;/p&gt;
&lt;h3 id="the-solution-to-remediation-at-scale-ai-powered-fixes-with-pulumi-neo"&gt;The Solution to Remediation at Scale: AI-Powered Fixes with Pulumi Neo&lt;/h3&gt;
&lt;p&gt;Visibility creates a new problem: an overwhelming backlog. Manually fixing thousands of issues is an impossible task.&lt;/p&gt;
&lt;p&gt;This is where Pulumi Neo provides a powerful solution.&lt;/p&gt;
&lt;p&gt;Pulumi Neo, our AI platform engineer, is now integrated directly into the Policy Findings hub to automate the most difficult part of the process: the fix itself. From the Issues tab, your teams can now select a group of policy issues, assign them to Neo, and trigger a remediation flow.&lt;/p&gt;
&lt;p&gt;Neo is smart. It will:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Analyze the non-compliant resources and the policies they are violating.&lt;/li&gt;
&lt;li&gt;Understand the required configuration to make them compliant.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Generate a pull request with the exact code changes needed to fix the issues.&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Most powerfully, for an unmanaged resource discovered via a cloud scan, Neo will generate the code to &lt;strong&gt;import the resource into a Pulumi stack and apply the fix.&lt;/strong&gt; This &amp;ldquo;Import and Fix&amp;rdquo; workflow transforms unmanaged infrastructure into governed, compliant code, turning a task that could take a developer hours into a simple review-and-merge process. Your teams can finally burn down their issue backlog and achieve a state of continuous compliance.&lt;/p&gt;
&lt;h2 id="part-2-stay-clean---the-universal-guardrail-for-humans-and-ai"&gt;Part 2: Stay Clean - The Universal Guardrail for Humans and AI&lt;/h2&gt;
&lt;p&gt;Once you begin cleaning your environment, the next challenge is to &lt;em&gt;stay&lt;/em&gt; clean. As AI accelerates infrastructure creation, you need robust guardrails to ensure it doesn&amp;rsquo;t also accelerate the creation of security risks.&lt;/p&gt;
&lt;p&gt;The answer is &lt;strong&gt;Policy as &lt;em&gt;Real&lt;/em&gt; Code.&lt;/strong&gt; Pulumi Policies uses general-purpose languages like TypeScript and Python to create sophisticated guardrails that govern every change. To help you establish these controls immediately, we are launching a new suite of pre-built compliance packs authored and maintained by Pulumi experts.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Framework&lt;/th&gt;
&lt;th style="text-align: center"&gt;AWS&lt;/th&gt;
&lt;th style="text-align: center"&gt;Azure&lt;/th&gt;
&lt;th style="text-align: center"&gt;Google Cloud&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;CIS Controls v8.1&lt;/strong&gt;&lt;/td&gt;
&lt;td style="text-align: center"&gt;✅&lt;/td&gt;
&lt;td style="text-align: center"&gt;✅&lt;/td&gt;
&lt;td style="text-align: center"&gt;✅&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;NIST SP 800-53 Rev. 5&lt;/strong&gt;&lt;/td&gt;
&lt;td style="text-align: center"&gt;✅&lt;/td&gt;
&lt;td style="text-align: center"&gt;&lt;/td&gt;
&lt;td style="text-align: center"&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;PCI DSS v4.0&lt;/strong&gt;&lt;/td&gt;
&lt;td style="text-align: center"&gt;✅&lt;/td&gt;
&lt;td style="text-align: center"&gt;&lt;/td&gt;
&lt;td style="text-align: center"&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;HITRUST CSF v11.5&lt;/strong&gt;&lt;/td&gt;
&lt;td style="text-align: center"&gt;✅&lt;/td&gt;
&lt;td style="text-align: center"&gt;✅&lt;/td&gt;
&lt;td style="text-align: center"&gt;✅&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Pulumi Best Practices&lt;/strong&gt;&lt;/td&gt;
&lt;td style="text-align: center"&gt;✅&lt;/td&gt;
&lt;td style="text-align: center"&gt;✅&lt;/td&gt;
&lt;td style="text-align: center"&gt;✅&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;These policies act as a universal guardrail for your entire organization by blocking non-compliant changes during &lt;code&gt;pulumi up&lt;/code&gt;, before they are ever created. Learn more about our &lt;a href="https://www.pulumi.com/blog/policy-packs-cis-nist-pci/"&gt;compliance packs&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;And now, you can even use &lt;strong&gt;Neo to author new policies&lt;/strong&gt;. You can ask Neo in plain English to &amp;ldquo;create a policy that prevents overly permissive IAM roles,&amp;rdquo; and it will generate the code for you. This creates a powerful, dynamic governance system where AI can help you build the very rules that then govern its own actions. If you then ask Neo to create an admin role, the deployment will be blocked by the policy it just helped write. This is how we make AI safe to go fast.&lt;/p&gt;
&lt;h2 id="a-new-era-of-collaboration"&gt;A New Era of Collaboration&lt;/h2&gt;
&lt;p&gt;This &amp;ldquo;Get Clean, Stay Clean&amp;rdquo; lifecycle transforms how teams work together:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Platform Teams&lt;/strong&gt; lead prevention by building real-code guardrails, proving their value with measurable compliance scores.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Security Teams&lt;/strong&gt; drive the &amp;ldquo;Get Clean&amp;rdquo; process with continuous, non-blocking audit scans and use the Findings hub to manage compliance without slowing development.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="governance-that-accelerates-you"&gt;Governance That Accelerates You&lt;/h2&gt;
&lt;p&gt;The age of AI-driven development demands AI-powered governance. With this new generation of Pulumi Policies, we are providing the essential infrastructure for platform engineering teams to not just survive, but thrive. You can finally build preventative guardrails that developers love, secure your cloud at scale, and transform governance from a blocker into a business accelerator. Learn more about &lt;a href="https://www.pulumi.com/product/insights-governance/"&gt;Pulumi Insights &amp;amp; Governance capabilities&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This powerful new experience is available today. Navigate to the &lt;strong&gt;Policies&lt;/strong&gt; and &lt;strong&gt;Policy Findings&lt;/strong&gt; tab in Pulumi Cloud to explore your new governance capabilities and meet the future of platform engineering.&lt;/p&gt;
&lt;h2 id="try-pulumi-policies"&gt;Try Pulumi Policies&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Ready to try these features?&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://app.pulumi.com/signup"&gt;Sign up for Pulumi Cloud&lt;/a&gt; and start a Neo task&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/insights/policy/get-started/"&gt;Read the Get Started guide&lt;/a&gt; to set up and apply a policy group to stacks and clouds.&lt;/li&gt;
&lt;li&gt;&lt;a href="https://slack.pulumi.com/"&gt;Join the Community Slack&lt;/a&gt; to share feedback on the new features&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For complete documentation, visit our &lt;a href="https://www.pulumi.com/docs/insights/policy/"&gt;Policies documentation&lt;/a&gt;.&lt;/p&gt;</description><author>Craig Symonds</author><author>Tyler D</author><author>Arun Loganathan</author><category>policy-as-code</category><category>features</category><category>compliance</category><category>governance</category><category>pulumi-neo</category><category>ai</category><category>platform-engineering</category></item><item><title>New Audit Policy Scans for Pulumi Stacks</title><link>https://www.pulumi.com/blog/policy-audit-scans-for-stacks/</link><pubDate>Wed, 05 Nov 2025 00:04:00 +0000</pubDate><guid>https://www.pulumi.com/blog/policy-audit-scans-for-stacks/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/policy-audit-scans-for-stacks/index.png" /&gt;
&lt;p&gt;&lt;strong&gt;Audit Policy Scans for Pulumi Stacks&lt;/strong&gt; is part of the next generation of Pulumi Policies. This capability uses policies to run compliance checks against the last successful deployment state of your stacks, providing continuous compliance monitoring without impacting your existing CI/CD workflows.&lt;/p&gt;
&lt;p&gt;Until now, Pulumi’s preventative policies have served as a critical &amp;ldquo;shift-left&amp;rdquo; gate, blocking non-compliant changes during &lt;code&gt;pulumi up&lt;/code&gt;. While essential, this created challenges for organizations wanting to roll out new governance across thousands of existing stacks. This new evaluation mode solves that problem, giving you a complete and continuous view of your IaC compliance posture without the friction.&lt;/p&gt;
&lt;h2 id="a-complete-audit-story-cloud-accounts-and-iac-stacks"&gt;A Complete Audit Story: Cloud Accounts and IaC Stacks&lt;/h2&gt;
&lt;p&gt;Pulumi&amp;rsquo;s audit philosophy is to provide complete visibility across your entire cloud footprint. We achieve this through two complementary audit modes:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Audit Scans for Cloud Accounts (Existing):&lt;/strong&gt; This capability scans your live cloud environments (like an AWS account or Azure subscription). Its primary purpose is to give you a holistic view of your security posture by discovering &lt;em&gt;all&lt;/em&gt; resources, including those not managed by Pulumi, and detecting configuration drift. This is how you find unmanaged, legacy, or manually-created resources that violate your policies.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Audit Scans for Pulumi Stacks (New):&lt;/strong&gt; The feature extends this audit power to the source of truth for your managed infrastructure: your Pulumi stacks. It evaluates the &lt;em&gt;last successfully deployed state&lt;/em&gt; of your IaC. This allows you to get an instant compliance baseline of all your managed infrastructure without having to redeploy anything, making it perfect for frictionless policy rollouts at scale.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Together, these two audit modes give you a comprehensive picture of your entire cloud estate, all feeding into one unified &lt;strong&gt;&lt;a href="https://www.pulumi.com/blog/policy-issue-management/"&gt;Policy Findings hub&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;
&lt;h2 id="key-scenarios-for-audit-scans-for-stacks"&gt;Key Scenarios for Audit Scans for Stacks&lt;/h2&gt;
&lt;p&gt;This new evaluation mode for IaC stacks is designed to unlock policy adoption at scale and accelerate developer velocity. Key use cases include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Gain an instant compliance overview across all existing stacks:&lt;/strong&gt; Apply policies centrally and get immediate visibility into your compliance posture without requiring redeployment of every stack.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Accelerate policy rollouts:&lt;/strong&gt; By decoupling policy evaluation from the critical deployment path, deployments become faster and developers are unblocked. Teams still get immediate feedback on the compliance of the deployed infrastructure.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Ensure continuous compliance:&lt;/strong&gt; Evaluation is automatically triggered whenever policy configurations change. This ensures the &lt;em&gt;latest policies&lt;/em&gt; are always evaluated against the &lt;em&gt;latest deployed infrastructure&lt;/em&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="how-it-works"&gt;How It Works&lt;/h2&gt;
&lt;p&gt;This new mechanism runs against the last known successfully deployed state of your IaC Stacks as recorded by Pulumi Cloud.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Evaluation is triggered automatically&lt;/strong&gt; after a successful &lt;code&gt;pulumi up&lt;/code&gt; or when a policy pack attached to the stack is updated.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Results are unified&lt;/strong&gt; into the same &lt;strong&gt;Policy Findings hub&lt;/strong&gt; you use today, giving you a single pane of glass for all preventative and audit policy findings.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="how-to-get-started"&gt;How to Get Started&lt;/h2&gt;
&lt;p&gt;You can enable audit scans for your IaC stacks by adding them to an &lt;strong&gt;&lt;a href="https://www.pulumi.com/docs/insights/policy/policy-groups/#audit-policy-groups"&gt;Audit Policy Group&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Navigate to the &lt;strong&gt;Policies&lt;/strong&gt; tab in the left navigation bar of the Pulumi Cloud console.&lt;/li&gt;
&lt;li&gt;Create a new &lt;strong&gt;Audit Policy Group&lt;/strong&gt; or select an existing one.&lt;/li&gt;
&lt;li&gt;Select &lt;strong&gt;Pulumi Stacks&lt;/strong&gt; and add the specific stacks you want to monitor.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Add Policy Packs&lt;/strong&gt; to the group.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Save the policy group&lt;/strong&gt;. That&amp;rsquo;s it!&lt;/li&gt;
&lt;/ol&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Setting up Stack Audit Policy"
autoplay muted playsinline
loop &gt;
&lt;source src="stack-audit-policy.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;p&gt;The next time any of the selected stacks completes a &lt;code&gt;pulumi up&lt;/code&gt;, a post-deployment evaluation will be automatically triggered, and the results will populate in the Policy Findings hub.&lt;/p&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;Audit policy scans consume workflow minutes from your Pulumi Cloud plan. Each scan counts toward your monthly quota based on the complexity and number of resources evaluated. See pricing documentation for details.&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="a-complete-governance-picture"&gt;A Complete Governance Picture&lt;/h2&gt;
&lt;p&gt;With the addition of post-deployment evaluation for IaC stacks, you now have a complete, 360-degree view of your cloud environment. You can use audit scans for cloud accounts to get a handle on your entire live footprint, and use audit scans for stacks to easily assess your IaC-managed footprint without adding friction to your development process.&lt;/p&gt;
&lt;h2 id="try-pulumi-policies"&gt;Try Pulumi Policies&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Ready to try these features?&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://app.pulumi.com/signup"&gt;Sign up for Pulumi Cloud&lt;/a&gt; and start a Neo task&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/insights/policy/get-started/"&gt;Read the Get Started guide&lt;/a&gt; to continuously scan resources and identify violations&lt;/li&gt;
&lt;li&gt;&lt;a href="https://slack.pulumi.com/"&gt;Join the Community Slack&lt;/a&gt; to share feedback on the new features&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For complete documentation, visit our &lt;a href="https://www.pulumi.com/docs/insights/policy/"&gt;Policies documentation&lt;/a&gt;.&lt;/p&gt;</description><author>Levi Blackstone</author><author>Arun Loganathan</author><category>pulumi-cloud</category><category>policy-as-code</category><category>crossguard</category><category>audit-policies</category><category>compliance</category><category>governance</category></item><item><title>Policy Findings Hub: Move From Alert Fatigue to Action</title><link>https://www.pulumi.com/blog/policy-issue-management/</link><pubDate>Wed, 05 Nov 2025 00:03:00 +0000</pubDate><guid>https://www.pulumi.com/blog/policy-issue-management/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/policy-issue-management/index.png" /&gt;
&lt;p&gt;For platform and security teams, enabling robust cloud scanning often creates a new problem: an unmanageable firehose of policy alerts. Identifying a violation is only the first step. Without a system to manage the lifecycle of these findings, teams are quickly overwhelmed, leading to prioritization paralysis and a perpetually growing backlog.&lt;/p&gt;
&lt;p&gt;The &lt;strong&gt;&lt;a href="https://www.pulumi.com/docs/insights/policy/policy-findings/"&gt;Policy Findings&lt;/a&gt;&lt;/strong&gt; hub in Pulumi Cloud is the solution to this alert fatigue. It&amp;rsquo;s a purpose-built, collaborative workspace that turns a noisy list of violations into organized, actionable tasks. The hub brings clarity and structure to the compliance process, guiding teams from initial discovery to a verified fix.&lt;/p&gt;
&lt;h2 id="from-raw-data-to-actionable-insights"&gt;From Raw Data to Actionable Insights&lt;/h2&gt;
&lt;p&gt;The Policy Findings hub is designed with distinct views for every stakeholder involved in the governance lifecycle.&lt;/p&gt;
&lt;h3 id="1-the-overview-tab-a-dashboard-for-leaders"&gt;1. The Overview Tab: A Dashboard for Leaders&lt;/h3&gt;
&lt;p&gt;For a platform lead or security manager, the goal is to understand the big picture. The Overview tab provides a high-level dashboard of your organization&amp;rsquo;s compliance health, answering key questions at a glance:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;What is our overall resource compliance score?&lt;/li&gt;
&lt;li&gt;Are we trending in the right direction?&lt;/li&gt;
&lt;li&gt;Which parts of our cloud infrastructure (stacks, accounts, etc.) carry the most risk?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This view helps leadership track progress and make data-driven decisions about where to focus engineering efforts.&lt;/p&gt;
&lt;h3 id="2-the-compliance-tab-the-auditor-and-infosec-workspace"&gt;2. The Compliance Tab: The Auditor and Infosec Workspace&lt;/h3&gt;
&lt;p&gt;For the infosec members and auditors, context is everything. Simply listing thousands of violations is not helpful. The Compliance tab provides a policy-centric view, grouping all findings by the specific control they violated (e.g., a specific rule within CIS or NIST).&lt;/p&gt;
&lt;p&gt;This is crucial when preparing for an audit or assessing adherence to a specific security framework, as it allows you to &lt;a href="https://www.pulumi.com/blog/policy-packs-cis-nist-pci/#more-than-just-detection-the-complete-governance-lifecycle"&gt;see exactly where you are compliant and where you have gaps&lt;/a&gt;, control by control.&lt;/p&gt;
&lt;h3 id="3-the-issues-tab-the-teams-daily-workspace"&gt;3. The Issues Tab: The Team&amp;rsquo;s Daily Workspace&lt;/h3&gt;
&lt;p&gt;This is the space where insight is turned into action. The Issues tab is a collaborative triage board designed for the day-to-day workflow of platform and development teams. It provides the full toolset needed to manage the lifecycle of an issue from start to finish:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Triage and Prioritize:&lt;/strong&gt; Filter issues by severity, resource type, or policy to focus on what matters most. Set a priority level from P0 (critical) to P4 (low).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Assign Ownership:&lt;/strong&gt; Assign issues to specific team members to ensure clear ownership and accountability.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Manage Lifecycle:&lt;/strong&gt; Mark an issue as &amp;ldquo;Ignored&amp;rdquo; with a justification. This is a critical workflow for acknowledging intentional exceptions, which cleans up your dashboard and allows the team to focus on legitimate issues.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;And for the most critical part of the workflow — the fix itself — we&amp;rsquo;ve integrated our AI agent, &lt;strong&gt;&lt;a href="https://www.pulumi.com/product/neo/#video"&gt;Pulumi Neo&lt;/a&gt;&lt;/strong&gt;, directly into this view.&lt;/p&gt;
&lt;p&gt;After selecting one or more issues, your team can assign the task to Neo. It will analyze the violations and automatically generate a pull request with the necessary code changes. For unmanaged resources, Neo will even generate the code to import them into Pulumi and apply the fix. This turns a complex manual task into a simple review-and-merge process, allowing your team to finally burn down the backlog.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Managing policy findings in Pulumi Cloud"
controls
loop &gt;
&lt;source src="findingsclipblog.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h2 id="turning-alerts-into-action"&gt;Turning Alerts into Action&lt;/h2&gt;
&lt;p&gt;Effective governance goes beyond identifying violations. It requires a structured system that turns every finding into a clear and trackable path to resolution. The new Policy Findings hub provides that end-to-end workflow, from visibility to accountability to automated remediation.&lt;/p&gt;
&lt;p&gt;By organizing policy data into meaningful views and integrating Pulumi Neo directly into the issue management process, teams can move past alert fatigue and focus on what matters most: fixing problems quickly and maintaining continuous compliance.&lt;/p&gt;
&lt;p&gt;This new experience is now available. Navigate to the &lt;strong&gt;Policies &amp;gt; Findings&lt;/strong&gt; tab in the Pulumi Cloud to explore your new compliance dashboard and start turning alerts into action.&lt;/p&gt;
&lt;h2 id="try-pulumi-policies"&gt;Try Pulumi Policies&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Ready to try these features?&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://app.pulumi.com/signup"&gt;Sign up for Pulumi Cloud&lt;/a&gt; and start a Neo task&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/insights/policy/get-started/"&gt;Read the Get Started guide&lt;/a&gt; to manage compliance across your cloud infrastructure&lt;/li&gt;
&lt;li&gt;&lt;a href="https://slack.pulumi.com/"&gt;Join the Community Slack&lt;/a&gt; to share feedback on the new features&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For complete documentation, visit our &lt;a href="https://www.pulumi.com/docs/insights/policy/"&gt;Policies documentation&lt;/a&gt;.&lt;/p&gt;</description><author>Alejandro Cotroneo</author><author>Arun Loganathan</author><category>pulumi-cloud</category><category>policy-as-code</category><category>audit-policies</category><category>compliance</category><category>governance</category><category>pulumi-neo</category><category>infosec</category></item><item><title>Announcing Pulumi Identity and Access Management (IAM)</title><link>https://www.pulumi.com/blog/pulumi-cloud-iam-launch/</link><pubDate>Mon, 09 Jun 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/pulumi-cloud-iam-launch/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/pulumi-cloud-iam-launch/index.png" /&gt;
&lt;p&gt;Cloud development is accelerating at an unprecedented pace, fueled by AI and the relentless drive for innovation. But this incredible speed demands unwavering trust in your security posture. How do you empower teams to deploy rapidly and frequently without opening doors to risk or violating compliance mandates? Today, we&amp;rsquo;re thrilled to answer that critical challenge by introducing &lt;strong&gt;Pulumi Identity and Access Management&lt;/strong&gt; (IAM) – a foundational new capability designed to embed robust, granular security directly into your cloud development lifecycle, enabling you to innovate both quickly and safely with Pulumi. Pulumi IAM provides the unified framework for fine-grained authorization needed to confidently manage modern cloud infrastructure and applications across the entire Pulumi Cloud platform.&lt;/p&gt;
&lt;h2 id="our-vision-for-pulumi-iam"&gt;Our Vision for Pulumi IAM&lt;/h2&gt;
&lt;p&gt;Pulumi IAM is a foundational investment, delivering enterprise-grade access management through a phased approach. Today&amp;rsquo;s release marks the beginning, with much more planned:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Phase 1: Granular Access Tokens &amp;amp; Custom Roles (Available Today)&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Define custom, reusable &lt;strong&gt;Permissions&lt;/strong&gt; with &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/scopes"&gt;fine-grained scopes&lt;/a&gt; (e.g., &lt;code&gt;stack:delete&lt;/code&gt; only).&lt;/li&gt;
&lt;li&gt;Create &lt;strong&gt;Custom Roles&lt;/strong&gt; by combining Permissions with specific Pulumi Entities (Stacks, Environments, etc.).&lt;/li&gt;
&lt;li&gt;Generate &lt;strong&gt;Organization Access Tokens&lt;/strong&gt; scoped precisely to these Custom Roles, perfect for secure automation.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Phase 2: User &amp;amp; Team Role Assignment (Coming Soon)&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Leverage &lt;strong&gt;OIDC configuration&lt;/strong&gt; to dynamically assume Custom Roles for secure, tokenless authentication from CI/CD systems like GitHub Actions, GitLab, and more.&lt;/li&gt;
&lt;li&gt;Assign these powerful Custom Roles directly to &lt;strong&gt;individual users and teams&lt;/strong&gt; within your Pulumi organization.&lt;/li&gt;
&lt;li&gt;Implement a complete overhaul of user and team access management, moving beyond the basic &lt;code&gt;Admin&lt;/code&gt;/&lt;code&gt;Member&lt;/code&gt; distinctions, and enabling reusability of custom building blocks permissions and roles that work for your organization&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Phase 3: Advanced Authorization &amp;amp; Scalability (Future Release)&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Introduce &lt;strong&gt;Attribute-Based Access Control (ABAC)&lt;/strong&gt;, allowing policies based on tags or other attributes of Pulumi Entities (e.g., &amp;ldquo;grant &amp;lsquo;dev-role&amp;rsquo; access to all stacks tagged &amp;rsquo;env:dev&amp;rsquo;&amp;rdquo;).&lt;/li&gt;
&lt;li&gt;Enable the creation of &lt;strong&gt;Custom RBAC Policies&lt;/strong&gt; with conditional logic for highly specific access scenarios and reuse them&lt;/li&gt;
&lt;li&gt;Provide mechanisms to manage permissions across hundreds or thousands of Pulumi Entities efficiently.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="a-foundation-for-zero-trust--unified-security"&gt;A Foundation for Zero Trust &amp;amp; Unified Security&lt;/h2&gt;
&lt;p&gt;Pulumi IAM isn&amp;rsquo;t just another feature; it&amp;rsquo;s a foundational pillar underpinning security across the entire Pulumi Cloud ecosystem, enabling organizations to implement &lt;strong&gt;Zero Trust&lt;/strong&gt; principles for their infrastructure management. Modern security models assume breaches will happen and demand rigorous verification for every access request. Static, organization-wide roles no longer suffice where separation of duties, least privilege, and compliance are paramount.&lt;/p&gt;
&lt;p&gt;Pulumi IAM addresses these challenges by providing:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Least Privilege Enforcement:&lt;/strong&gt; Define precisely &lt;em&gt;who&lt;/em&gt; can do &lt;em&gt;what&lt;/em&gt; on &lt;em&gt;which&lt;/em&gt; specific resources, minimizing the potential impact if credentials or accounts are compromised. This is core to Zero Trust – grant only the minimum necessary access, verified at the point of action.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Granular Control Across Pulumi:&lt;/strong&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Infrastructure as Code (IaC):&lt;/strong&gt; Apply fine-grained controls over Pulumi Stacks&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Secrets Management:&lt;/strong&gt; Define specific access levels for Pulumi ESC Environments.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Insights:&lt;/strong&gt; Manage permissions for Pulumi Insights account settings.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Secure Automation:&lt;/strong&gt; Provide secure, least-privilege tokens and OIDC integration for CI/CD pipelines and automation, drastically reducing the risk associated with over-privileged service accounts.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Unified, Scalable Governance:&lt;/strong&gt; Establish a consistent authorization model that simplifies administration and scales from small teams to complex enterprise environments, ensuring security doesn&amp;rsquo;t hinder velocity.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="launching-today-granular-access-tokens-via-custom-roles"&gt;Launching Today: Granular Access Tokens via Custom Roles&lt;/h2&gt;
&lt;p&gt;This vision begins today with the initial phase of Pulumi IAM, enabling you to define &lt;strong&gt;Custom Roles&lt;/strong&gt; built from &lt;strong&gt;fine-grained Permissions&lt;/strong&gt; and apply them specifically to &lt;strong&gt;Organization Access Tokens&lt;/strong&gt;. This initial step provides immediate, significant security benefits, particularly for automation:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;True Least Privilege for CI/CD:&lt;/strong&gt; Scope pipeline tokens to &lt;em&gt;only&lt;/em&gt; the actions (e.g., &lt;code&gt;pulumi up&lt;/code&gt;) and Entities (e.g., &lt;code&gt;stack: myapp-prod&lt;/code&gt;) they absolutely need.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reduced Blast Radius:&lt;/strong&gt; If a scoped token is compromised, the potential damage is limited strictly to the permissions defined in its associated role.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Enhanced Compliance:&lt;/strong&gt; Demonstrate precise control over programmatic access to auditors.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="how-to-get-started-with-granular-access-tokens"&gt;How to Get Started with Granular Access Tokens&lt;/h2&gt;
&lt;p&gt;Configuring and using Custom Roles for scoped tokens is done via the Pulumi Cloud console:&lt;/p&gt;
&lt;h3 id="1-define-a-custom-permission-optional"&gt;1. Define a Custom Permission (Optional)&lt;/h3&gt;
&lt;p&gt;Create reusable sets of fine-grained scopes.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;As an admin, navigate to Organization Settings -&amp;gt; Roles -&amp;gt; Permissions&lt;/li&gt;
&lt;li&gt;Follow instructions for &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/permissions#creating-custom-permissions"&gt;creating a custom permission&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="2-create-a-custom-role"&gt;2. Create a Custom Role&lt;/h3&gt;
&lt;p&gt;Combine permissions with specific resources.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;As an admin, navigate to Organization Settings -&amp;gt; Roles&lt;/li&gt;
&lt;li&gt;Follow instructions for &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/roles#creating-custom-roles"&gt;creating a custom role&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="3-generate-a-scoped-organization-access-token"&gt;3. Generate a Scoped Organization Access Token&lt;/h3&gt;
&lt;p&gt;Generate an organization access token with narrowed scope.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;As an admin, navigate to Organization Settings -&amp;gt; Access Tokens -&amp;gt; Organization Access Tokens.*&lt;/li&gt;
&lt;li&gt;Click &amp;ldquo;Create token&amp;rdquo;. Provide a description. &lt;strong&gt;Select your Custom Role&lt;/strong&gt; from the &amp;ldquo;Role&amp;rdquo; dropdown. Generate the token.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="new-scenarios-unlocked-today"&gt;New Scenarios Unlocked Today&lt;/h2&gt;
&lt;p&gt;This release immediately enables more secure and compliant workflows:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Secure Multi-Environment CI/CD:&lt;/strong&gt; A single pipeline can use different tokens based on the target environment (dev, staging, prod), each assuming a role with appropriately restricted permissions (e.g., read-only for prod dependencies, write for the target stack).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Restricted Operational Scripts:&lt;/strong&gt; An automation script designed only to read audit logs can use a token tied to a role granting &lt;em&gt;only&lt;/em&gt; &lt;code&gt;audit_log:read&lt;/code&gt; permission, preventing accidental or malicious modifications.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Safer ChatOps &amp;amp; Tooling:&lt;/strong&gt; Integrations like ChatOps bots can operate with tokens scoped down to only necessary actions (e.g., triggering a &lt;code&gt;pulumi preview&lt;/code&gt; on specific stacks).&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;&lt;strong&gt;Available Today:&lt;/strong&gt; Custom Permissions, Custom Roles, and the ability to scope Organization Access Tokens using these roles, is &lt;strong&gt;available now&lt;/strong&gt; for customers on the &lt;strong&gt;Pulumi Enterprise&lt;/strong&gt; and &lt;strong&gt;Pulumi Business Critical&lt;/strong&gt; tiers. Explore these features in your Pulumi Cloud organization settings!&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="conclusion-building-a-more-secure-future"&gt;Conclusion: Building a More Secure Future&lt;/h2&gt;
&lt;p&gt;Pulumi Identity and Access Management (IAM) represents a fundamental advancement in securing cloud development lifecycles managed by Pulumi, providing the controls needed to confidently embrace speed and scale. Today’s launch of Granular Access Tokens via Custom Roles provides immediate security improvements for automation and programmatic access, laying the vital groundwork for our comprehensive IAM vision rooted in Zero Trust principles.&lt;/p&gt;
&lt;p&gt;This empowers platform and security teams with the fine-grained control needed to implement least privilege, enhance compliance, and scale Pulumi usage securely without sacrificing velocity.&lt;/p&gt;
&lt;p&gt;We encourage our Enterprise and Business Critical customers to explore Custom Roles and Granular Access Tokens today. Dive into the &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac"&gt;documentation&lt;/a&gt; and start building roles tailored to your security requirements. We welcome your feedback and feature requests in our &lt;a href="https://github.com/pulumi/pulumi-cloud-requests/issues"&gt;GitHub repository&lt;/a&gt;. Join us as we build a more secure foundation for cloud engineering!&lt;/p&gt;
&lt;h2 id="learn-more"&gt;Learn More&lt;/h2&gt;
&lt;p&gt;Learn more about Pulumi Cloud&amp;rsquo;s new IAM &amp;amp; RBAC features:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac"&gt;Overview&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/roles"&gt;Roles&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/permissions"&gt;Permissions&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/scopes"&gt;Scopes&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description><author>Germán Lena</author><author>Devon Grove</author><author>Arun Loganathan</author><category>iam</category><category>rbac</category><category>security</category><category>features</category><category>pulumi-cloud</category><category>access-tokens</category><category>oidc</category></item><item><title>Announcing Snowflake Dynamic and Rotated Credentials with Pulumi ESC</title><link>https://www.pulumi.com/blog/esc-snowflake-providers-launch/</link><pubDate>Thu, 01 May 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/esc-snowflake-providers-launch/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/esc-snowflake-providers-launch/index.png" /&gt;
&lt;p&gt;Snowflake is the data cloud powerhouse for countless businesses, critical for everything from customer dashboards to billing pipelines. The stakes are immense: this data must be strictly secured and always available. But managing this with static credentials or manual key rotation creates persistent security vulnerabilities and introduces operational instability, risking disruptions during clumsy updates. &lt;a href="https://www.pulumi.com/product/esc"&gt;Pulumi ESC&lt;/a&gt; eliminates this dilemma with two purpose-built Snowflake integrations:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/snowflake-login/"&gt;&lt;code&gt;snowflake-login&lt;/code&gt;&lt;/a&gt;:&lt;/strong&gt; Provides dynamic, short-lived OIDC tokens for temporary authentication &lt;em&gt;to&lt;/em&gt; Snowflake.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="https://www.pulumi.com/docs/esc/integrations/rotated-secrets/snowflake-user/"&gt;&lt;code&gt;snowflake-user&lt;/code&gt;&lt;/a&gt;:&lt;/strong&gt; Automates the rotation of RSA keypair secrets &lt;em&gt;for&lt;/em&gt; Snowflake users, essential for secure key-pair authentication.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Pulumi ESC allows you to securely manage and consume these Snowflake credentials in your applications, development workflows through &lt;a href="https://www.pulumi.com/docs/esc/development/languages-sdks/"&gt;ESC SDK&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/iac/cli/commands/pulumi_env/"&gt;Pulumi CLI&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/integrations/kubernetes/"&gt;Kubernetes integrations&lt;/a&gt;, and more!&lt;/p&gt;
&lt;h2 id="snowflake-login-dynamic-oidc-authentication-for-temporary-access"&gt;snowflake-login: Dynamic OIDC Authentication for Temporary Access&lt;/h2&gt;
&lt;p&gt;Use the &lt;code&gt;snowflake-login&lt;/code&gt; provider when you need temporary, just-in-time credentials to interact with Snowflake, such as from local development environments, CI/CD pipelines, or scripts. It leverages OIDC to mint short-lived access tokens, eliminating the need to store static tokens.&lt;/p&gt;
&lt;p&gt;This approach significantly reduces the attack surface by removing long-lived credentials required for &lt;em&gt;authentication&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Setup:&lt;/strong&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Configure OIDC in Snowflake:&lt;/strong&gt; Create a Security Integration in Snowflake to trust the Pulumi OIDC provider (&lt;code&gt;https://api.pulumi.com/oidc&lt;/code&gt;), map the appropriate user claims and create a Snowflake user. Check out the &lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/snowflake-login/#configuring-oidc-for-snowflake"&gt;docs&lt;/a&gt;] for more details&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Configure ESC Environment:&lt;/strong&gt; Define the &lt;code&gt;snowflake-login&lt;/code&gt; provider in your ESC environment, specifying the Snowflake account and the user configured for OIDC.&lt;/li&gt;
&lt;/ol&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c"&gt;# my-org/logins/snowflake&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;values&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;snowflake&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;login&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;fn::open::snowflake-login&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;oidc&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;account&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;myorganization-account&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;user&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;ESC_LOGIN_USER&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;role&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;ESC_ROLE &lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Optional&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;When this environment is opened, ESC securely handles the OIDC flow and makes the temporary token available under &lt;code&gt;snowflake.login.token&lt;/code&gt;.&lt;/p&gt;
&lt;h2 id="snowflake-user-automated-rotation-for-rsa-key-secrets"&gt;snowflake-user: Automated Rotation for RSA Key Secrets&lt;/h2&gt;
&lt;p&gt;For applications or services using Snowflake&amp;rsquo;s key-pair authentication, maintaining the security of those RSA keys is crucial. The &lt;code&gt;snowflake-user&lt;/code&gt; rotator automates the lifecycle management of these keys as &lt;strong&gt;rotated secrets&lt;/strong&gt; within ESC. This rotater uses the same two-secret rotation strategy we use in rest of ESC&amp;rsquo;s &lt;a href="https://www.pulumi.com/docs/esc/integrations/rotated-secrets/"&gt;rotated secrets&lt;/a&gt; providers. This eliminates manual rotation toil and ensures keys are regularly refreshed according to policy, enhancing the security of the &lt;em&gt;user secret&lt;/em&gt; itself. Check out the rotated secrets &lt;a href="https://www.pulumi.com/blog/esc-rotated-secrets-launch/#introducing-esc-rotated-secrets"&gt;blog post&lt;/a&gt; to learn more about its benefits.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Setup:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Prepare Snowflake:&lt;/strong&gt;
&lt;ul&gt;
&lt;li&gt;Create the &lt;a href="https://www.pulumi.com/docs/esc/integrations/rotated-secrets/snowflake-user/#step-1-create-the-target-user"&gt;target user&lt;/a&gt; (e.g., &lt;code&gt;MY_APP_SNOWFLAKE_USER&lt;/code&gt;) whose keys need rotation.&lt;/li&gt;
&lt;li&gt;Set up a dedicated &lt;a href="https://www.pulumi.com/docs/esc/integrations/rotated-secrets/snowflake-user/#step-2-create-a-rotator-role"&gt;rotation role&lt;/a&gt; with &lt;code&gt;OWNERSHIP&lt;/code&gt; permission over the users you wish to rotate, so it can modify their keys.&lt;/li&gt;
&lt;li&gt;Create a &lt;a href="https://www.pulumi.com/docs/esc/integrations/rotated-secrets/snowflake-user/#step-3-create-a-rotation-service-user"&gt;service user&lt;/a&gt; using the rotation role, and &lt;a href="https://www.pulumi.com/docs/esc/integrations/rotated-secrets/snowflake-user/#step-4-set-up-oidc-for-the-rotation-service-user"&gt;setup OIDC&lt;/a&gt; to allow ESC to assume the role for rotation.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Rotation Environment:&lt;/strong&gt; Define the rotation, importing the managing credentials and specifying the target user.&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c"&gt;# Environment: my-org/rotators/snowflake-app-key&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;values&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;rotatedKey&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;fn::rotate::snowflake-user&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;inputs&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;login&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;${environments.logins.snowflake.snowflake.login}&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;#reference credentials created using `snowflake-login`&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;targetUser&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;ESC_ROTATION_DEMO_USER&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# User whose keys rotate&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;After setup, use the triple-dot menu -&amp;gt; “Rotate Secrets” in the Pulumi Cloud UI and ensure rotation happens. Once you rotate a couple of time and ensured everything works well, navigate to the “Secret Rotation” tab for your Rotation environment in the Pulumi Cloud console and define the rotation schedule.&lt;/p&gt;
&lt;h2 id="when-to-use-dynamic-login-vs-rotated-secrets"&gt;When to Use Dynamic Login vs. Rotated Secrets&lt;/h2&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th style="text-align: left"&gt;&lt;strong&gt;Feature&lt;/strong&gt;&lt;/th&gt;
&lt;th style="text-align: left"&gt;&lt;strong&gt;&lt;code&gt;snowflake-login&lt;/code&gt; (Dynamic OIDC Login)&lt;/strong&gt;&lt;/th&gt;
&lt;th style="text-align: left"&gt;&lt;strong&gt;&lt;code&gt;snowflake-user&lt;/code&gt; (Rotated Secrets)&lt;/strong&gt;&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td style="text-align: left"&gt;&lt;strong&gt;Credential Type&lt;/strong&gt;&lt;/td&gt;
&lt;td style="text-align: left"&gt;Short-lived OIDC access token&lt;/td&gt;
&lt;td style="text-align: left"&gt;Long-lived RSA Private Key secret (managed by ESC) + Public Keys (in Snowflake)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style="text-align: left"&gt;&lt;strong&gt;Primary Use Case&lt;/strong&gt;&lt;/td&gt;
&lt;td style="text-align: left"&gt;Temporary authentication &lt;em&gt;to&lt;/em&gt; Snowflake (CLI, scripts, dev, CI/CD).&lt;/td&gt;
&lt;td style="text-align: left"&gt;Key-pair authentication &lt;em&gt;for&lt;/em&gt; long-lived applications/services connecting to Snowflake.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style="text-align: left"&gt;&lt;strong&gt;Ideal Scenario&lt;/strong&gt;&lt;/td&gt;
&lt;td style="text-align: left"&gt;Short-lived tasks; frequent, temporary access needs.&lt;/td&gt;
&lt;td style="text-align: left"&gt;Applications needing persistent connections; keys required at deploy time; apps sensitive to auth blips.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style="text-align: left"&gt;&lt;strong&gt;Lifecycle&lt;/strong&gt;&lt;/td&gt;
&lt;td style="text-align: left"&gt;Generated on-demand, expires quickly (minutes/hours).&lt;/td&gt;
&lt;td style="text-align: left"&gt;Rotated automatically on a schedule (e.g., days/months).&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style="text-align: left"&gt;&lt;strong&gt;Connection Impact&lt;/strong&gt;&lt;/td&gt;
&lt;td style="text-align: left"&gt;Requires re-authentication or new token fetch when token expires.&lt;/td&gt;
&lt;td style="text-align: left"&gt;Rotation is typically seamless; two-key strategy avoids connection drops if apps update keys promptly.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style="text-align: left"&gt;&lt;strong&gt;Benefit Focus&lt;/strong&gt;&lt;/td&gt;
&lt;td style="text-align: left"&gt;Eliminates static &lt;em&gt;authentication&lt;/em&gt; tokens/credentials.&lt;/td&gt;
&lt;td style="text-align: left"&gt;Automates lifecycle management of user &lt;em&gt;key-pair secrets&lt;/em&gt;, ensures key freshness.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Pulumi ESC&amp;rsquo;s new Snowflake integrations provide robust solutions for modern credential management challenges. Use &lt;code&gt;snowflake-login&lt;/code&gt; for secure, temporary OIDC-based access and &lt;code&gt;snowflake-user&lt;/code&gt; to automate the rotation of critical RSA key secrets. By adopting these capabilities, you can significantly enhance your Snowflake security posture, reduce operational overhead, and simplify compliance.&lt;/p&gt;
&lt;p&gt;Explore the detailed documentation for &lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/snowflake-login/"&gt;&lt;code&gt;snowflake-login&lt;/code&gt;&lt;/a&gt; and &lt;a href="https://www.pulumi.com/docs/esc/integrations/rotated-secrets/snowflake-user/"&gt;&lt;code&gt;snowflake-user&lt;/code&gt;&lt;/a&gt;, and see how Pulumi ESC can centralize and secure your configuration and secrets across all your environments. Join the conversation in the &lt;a href="https://slack.pulumi.com/"&gt;Pulumi Community Slack&lt;/a&gt; or our &lt;a href="https://github.com/pulumi/esc"&gt;GitHub repository&lt;/a&gt;.&lt;/p&gt;</description><author>Claire Gaestel</author><author>Arun Loganathan</author><category>esc</category><category>secrets</category><category>features</category><category>snowflake</category><category>rotation</category><category>dynamic-login</category><category>oidc</category><category>security</category><category>configuration-management</category></item><item><title>Introducing Automated Database Credential Rotation for PostgreSQL and MySQL in Pulumi ESC</title><link>https://www.pulumi.com/blog/esc-db-secrets-rotation-launch/</link><pubDate>Wed, 30 Apr 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/esc-db-secrets-rotation-launch/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/esc-db-secrets-rotation-launch/index.png" /&gt;
&lt;p&gt;Securing access to critical data stores is paramount in today&amp;rsquo;s cloud-native world. Yet, managing database credentials often involves static, long-lived passwords – a significant security blind spot. These static secrets, frequently embedded in application configurations or accessible to multiple team members, represent a prime target for attackers. Manually rotating these credentials is a cumbersome, error-prone task that’s often neglected, leaving databases vulnerable for extended periods. Building on our commitment to robust secrets management, we are excited to launch &lt;strong&gt;Automated Database Credential Rotation&lt;/strong&gt; for &lt;strong&gt;PostgreSQL and MySQL&lt;/strong&gt; in &lt;a href="https://www.pulumi.com/product/esc"&gt;Pulumi ESC!&lt;/a&gt;&lt;/p&gt;
&lt;h2 id="the-persistent-challenge-of-static-database-secrets"&gt;The Persistent Challenge of Static Database Secrets&lt;/h2&gt;
&lt;p&gt;Relying on static database credentials introduces substantial risks, which automated rotation helps mitigate:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Security Vulnerabilities &amp;amp; Exposure:&lt;/strong&gt; Static credentials, if compromised through leaks, phishing, or unauthorized access, provide long-term access to attackers. Automated rotation significantly shrinks this window of opportunity.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Operational &amp;amp; Compliance Burdens:&lt;/strong&gt; Manually rotating database credentials is complex, error-prone, and requires careful coordination to avoid downtime. These manual rotations are hard to audit and demonstrate compliance with regulations like SOC 2, GDPR, or HIPAA (which often mandate rotation).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Network Complexity &amp;amp; The DIY Burden:&lt;/strong&gt; Databases in private networks (like AWS VPCs) require secure access for rotation. We provide an open-source &lt;strong&gt;Lambda connector&lt;/strong&gt; for AWS VPCs. While homegrown solutions can bridge the network gap, building and maintaining the &lt;em&gt;actual rotation logic&lt;/em&gt; (state, error handling, two-secret strategy) is complex. Crucially, DIY approaches typically lack integrated revision history, centralized auditing, and unified management provided by platforms like Pulumi ESC, increasing operational overhead.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Tooling, Ecosystem, and Cloud-Native Connectivity:&lt;/strong&gt; Despite cloud IAM authentication options, many standard tools (GUIs, BI, ETL), legacy apps, and even certain cloud-native configurations (multi-cloud, specific Kubernetes setups) still rely on username/password. Direct IAM integration isn&amp;rsquo;t always feasible or practical, making automated rotation of traditional credentials essential for broad compatibility and security.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Pulumi ESC addresses these challenges by automating the secrets rotation process, including connectivity options for databases in private AWS networks using our Lambda connector, and allows you to consume them in your applications through ESC&amp;rsquo;s various developer-friendly methods including &lt;a href="https://www.pulumi.com/docs/esc/development/languages-sdks/"&gt;ESC SDK&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/iac/cli/commands/pulumi_env/"&gt;Pulumi CLI&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/integrations/kubernetes/external-secrets-operator/"&gt;Kubernetes External Secrets Operator&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/integrations/kubernetes/secret-store-csi-driver/"&gt;CSI Driver&lt;/a&gt;, etc.&lt;/p&gt;
&lt;h2 id="introducing-esc-rotated-secrets-for-databases"&gt;Introducing ESC Rotated Secrets for Databases&lt;/h2&gt;
&lt;p&gt;Pulumi ESC’s &lt;a href="https://www.pulumi.com/docs/esc/integrations/rotated-secrets/"&gt;Rotated Secrets&lt;/a&gt; capability now extends to your critical databases, bringing automation and enhanced security to credential lifecycle management. We are adding support for the following databases and connectivity options:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th style="text-align: left"&gt;Database&lt;/th&gt;
&lt;th style="text-align: center"&gt;Publicly Accessible&lt;/th&gt;
&lt;th style="text-align: center"&gt;AWS VPCs&lt;/th&gt;
&lt;th style="text-align: center"&gt;Azure VNETs&lt;/th&gt;
&lt;th style="text-align: center"&gt;GCloud VPCs&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td style="text-align: left"&gt;&lt;a href="https://www.pulumi.com/docs/esc/integrations/rotated-secrets/postgres/"&gt;&lt;strong&gt;PostgreSQL&lt;/strong&gt;&lt;/a&gt;&lt;/td&gt;
&lt;td style="text-align: center"&gt;✅&lt;/td&gt;
&lt;td style="text-align: center"&gt;✅ &lt;small&gt;(via Lambda)&lt;/small&gt;&lt;/td&gt;
&lt;td style="text-align: center"&gt;Planned &lt;small&gt;(&lt;a href="https://github.com/pulumi/esc/issues/521"&gt;upvote issue&lt;/a&gt;)&lt;/small&gt;&lt;/td&gt;
&lt;td style="text-align: center"&gt;Planned &lt;small&gt;(&lt;a href="https://github.com/pulumi/esc/issues/522"&gt;upvote issue&lt;/a&gt;)&lt;/small&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style="text-align: left"&gt;&lt;a href="https://www.pulumi.com/docs/esc/integrations/rotated-secrets/mysql/"&gt;&lt;strong&gt;MySQL&lt;/strong&gt;&lt;/a&gt;&lt;/td&gt;
&lt;td style="text-align: center"&gt;✅&lt;/td&gt;
&lt;td style="text-align: center"&gt;✅ &lt;small&gt;(via Lambda)&lt;/small&gt;&lt;/td&gt;
&lt;td style="text-align: center"&gt;Planned &lt;small&gt;(&lt;a href="https://github.com/pulumi/esc/issues/521"&gt;upvote issue&lt;/a&gt;)&lt;/small&gt;&lt;/td&gt;
&lt;td style="text-align: center"&gt;Planned &lt;small&gt;(&lt;a href="https://github.com/pulumi/esc/issues/522"&gt;upvote issue&lt;/a&gt;)&lt;/small&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;Key benefits include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Automated Rotation Schedules:&lt;/strong&gt; Effortlessly define rotation frequencies (daily, weekly, monthly) that align with your security policies, eliminating manual toil and ensuring consistency.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;On-Demand Rotation:&lt;/strong&gt; Instantly rotate credentials in response to security events, personnel changes, or policy updates with a single click or command.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Seamless ESC Environment Integration:&lt;/strong&gt; Manage rotated database credentials alongside all your other application configurations within ESC Environments, leveraging composition and environment inheritance.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Two-Secret Strategy:&lt;/strong&gt; ESC maintains both the current and previous valid credentials simultaneously. This prevents application downtime during rotation, as instances can gracefully transition to the new credential.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Auditing and Tracking:&lt;/strong&gt; Maintain a complete audit trail of credential rotations, including who initiated the rotation and when, simplifying compliance and governance.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Admin and Creator Control:&lt;/strong&gt; Securely configure rotation using privileged database &amp;ldquo;managing user&amp;rdquo; credentials stored within ESC, keeping them separate from the rotated credentials consumed by applications.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Configure Webhooks for Automation:&lt;/strong&gt; Trigger notifications, CI/CD pipelines (e.g., Pulumi Deployments to update application stacks), or custom workflows upon successful rotation, keeping dependent systems synchronized.&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;The following setup guide provides a detailed walkthrough for rotating &lt;a href="https://www.pulumi.com/docs/esc/integrations/rotated-secrets/postgres/"&gt;&lt;strong&gt;PostgreSQL&lt;/strong&gt;&lt;/a&gt; credentials for an &lt;strong&gt;AWS RDS instance hosted within a private VPC&lt;/strong&gt;, which requires the AWS Lambda-based connector. For publicly accessible databases (PostgreSQL or MySQL), you can use the simpler &lt;strong&gt;Direct Connect&lt;/strong&gt; method documented on the respective integration pages. Please refer to the &lt;a href="https://www.pulumi.com/docs/esc/integrations/rotated-secrets/mysql/"&gt;&lt;strong&gt;MySQL&lt;/strong&gt;&lt;/a&gt; documentation page for specific instructions on MySQL rotation (both Direct Connect and Lambda Connector).&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="how-to-set-up-and-use-rotation-for-aws-rds-postgresql-running-in-vpc"&gt;How to Set Up and Use Rotation for AWS RDS PostgreSQL running in VPC&lt;/h2&gt;
&lt;p&gt;Setting up rotation for AWS RDS or Aurora PostgreSQL databases running inside an AWS VPC involves &lt;a href="https://www.pulumi.com/docs/esc/environments/rotation/db-user-setup/"&gt;creating the required users&lt;/a&gt; within your database, deploying the AWS Lambda connector infrastructure via a Pulumi template, configuring ESC environments, and scheduling the rotation.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Understanding the AWS Lambda Connector:&lt;/strong&gt; The open-source &lt;a href="https://github.com/pulumi/templates/tree/master/esc-connector-lambda-typescript"&gt;ESC Lambda connector&lt;/a&gt; acts as a secure proxy for database credential rotation within your VPC. It enables Pulumi ESC to safely rotate database credentials without needing direct network access from ESC to your database and without exposing your database to external networks. This connector is currently required to rotate credentials for PostgreSQL or MySQL databases hosted within an AWS VPC. Note: The AWS Lambda Connector is only available to Enterprise and Business Critical customers.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Step 1: Prepare Your PostgreSQL Database Users&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;You&amp;rsquo;ll need two &lt;em&gt;types&lt;/em&gt; of users configured, resulting in &lt;em&gt;three&lt;/em&gt; specific database user accounts:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Managing User:&lt;/strong&gt; A privileged user that ESC will use (via the Lambda connector) to perform the password rotations. This user needs permissions to change the passwords of the application users.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Application User 1 and Application User 2:&lt;/strong&gt; The two application users whose passwords ESC will manage. ESC rotates between these two users, ensuring two users are always active as applications gradually phase out the &lt;code&gt;previous&lt;/code&gt; user credentials.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Connect to the database as a superuser and run the following SQL commands:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;Create the application users whose passwords you want ESC to rotate automatically:&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;```sql
CREATE USER user1 WITH PASSWORD 'initial_password';
GRANT SELECT, INSERT, UPDATE ON yourDatabase TO user1;
CREATE USER user2 WITH PASSWORD 'initial_password';
GRANT SELECT, INSERT, UPDATE ON yourDatabase TO user2;
```
&lt;/code&gt;&lt;/pre&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Create the designated &amp;ldquo;managing user&amp;rdquo; account with privileges to modify passwords for the application users:&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;```sql
CREATE USER managing_user WITH PASSWORD 'manager_password';
ALTER USER managing_user WITH CREATEROLE;
GRANT user1 TO managing_user WITH ADMIN OPTION;
GRANT user2 TO managing_user WITH ADMIN OPTION;
```
&lt;/code&gt;&lt;/pre&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Step 2: Bootstrap Rotation Infrastructure (Lambda Connector) and Create ESC Environments&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;To rotate credentials for PostgreSQL databases within AWS VPCs securely, you need to configure an &lt;a href="https://www.pulumi.com/docs/esc/environments/rotation/aws-lambda/"&gt;AWS Lambda function (the connector)&lt;/a&gt; within your VPC and create the corresponding ESC environments.&lt;/p&gt;
&lt;p&gt;If your PostgreSQL instance is running on AWS RDS, we recommend using our &lt;a href="https://github.com/pulumi/templates/tree/master/esc-connector-lambda-typescript"&gt;Pulumi Template&lt;/a&gt; to simplify the process of creating the Lambda function, associated AWS IAM Roles, Security Groups, and the basic ESC environment structure. You can start it from the &lt;a href="https://app.pulumi.com/new?template=https://github.com/pulumi/templates/esc-connector-lambda-typescript"&gt;Pulumi console&lt;/a&gt; or by running the following command in your terminal:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Run &lt;code&gt;pulumi new esc-connector-lambda-typescript&lt;/code&gt; in your terminal.&lt;/li&gt;
&lt;li&gt;This command initializes a new Pulumi project designed to provision the necessary AWS Lambda connector resources and create the ESC environments.&lt;/li&gt;
&lt;li&gt;Follow the prompts. You will first provide a &lt;strong&gt;Pulumi project name&lt;/strong&gt; (e.g., &lt;code&gt;my-db-rotation-infra&lt;/code&gt;). Then, you will be prompted for configuration values like:
&lt;ul&gt;
&lt;li&gt;Your target AWS Region (&lt;code&gt;aws:region&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;The RDS Database Identifier (&lt;code&gt;rdsDbIdentifier&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;The specific &lt;strong&gt;name for the ESC rotation environment&lt;/strong&gt; (e.g., &lt;code&gt;postgresrotation/Rotator&lt;/code&gt;). This environment will contain the two application users&amp;rsquo; credentials and configuration for rotation.&lt;/li&gt;
&lt;li&gt;The specific &lt;strong&gt;name for the ESC managing credentials environment&lt;/strong&gt; (e.g., &lt;code&gt;postgresrotation/ManagingCreds&lt;/code&gt;).&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;Run &lt;code&gt;pulumi up&lt;/code&gt; to deploy the AWS resources and create the ESC environments using the names you provided.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Step 3: Configure ESC Environments and Test&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The Pulumi template creates two ESC environments with most of the configuration pre-filled. You need to update them with your specific PostgreSQL user credentials and database name.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Managing Credentials Environment (e.g., &lt;code&gt;postgresrotation/ManagingCreds&lt;/code&gt;):&lt;/strong&gt; Navigate to this environment in the Pulumi Cloud console. Update the managing user&amp;rsquo;s username and password. The &lt;code&gt;awsLogin&lt;/code&gt; section, which provides credentials for the Lambda connector to assume, should be pre-filled by the template.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c"&gt;# postgresrotation/ManagingCreds&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;values&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;managingUser&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;username&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;managing_user&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Replace with your managing user&amp;#39;s name&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;password&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Securely replace the placeholder with your managing user&amp;#39;s password using fn::secret&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;fn::secret&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;ciphertext&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;ZXNjeA...&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Replace with your encrypted password&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;awsLogin&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;fn::open::aws-login&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;oidc&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;duration&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;1h&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;roleArn&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;arn:aws:iam::616138583583:role/PulumiEscSecretRotatorLambda-InvocationRole-7e4646f&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Example Role ARN populated by template&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;sessionName&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;pulumi-esc-secret-rotator-${esc.context.environment}&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Example Session Name populated by template&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Rotation Environment (e.g., &lt;code&gt;&amp;lt;project-name&amp;gt;/Rotator&lt;/code&gt;):&lt;/strong&gt; Navigate to this environment. Most fields related to the Lambda connector (Lambda ARN, host, port, references) are pre-filled by the template outputs. You &lt;em&gt;must&lt;/em&gt; update the database name and the application usernames mapping. Note the &lt;code&gt;connector.awsLambda&lt;/code&gt; block indicating the use of the Lambda connector.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c"&gt;# postgresrotation/Rotator&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;values&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;dbRotator&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;fn::rotate::postgres&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;inputs&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;database&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Configure the AWS Lambda connector for private VPC access&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;connector&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;awsLambda&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;login&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;${environments.postgresrotation.ManagingCreds.awsLogin}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;lambdaArn&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;arn:aws:lambda:us-west-2:616138583583:function:PulumiEscSecretRotatorLambda-Function-d9932fe&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Example Lambda ARN populated by template&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Database connection details (used by the Lambda connector)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;database&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;mydb&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Replace with your DB name&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;host&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;tf-20250428212643894700000001.cluster-chuqccm8uxqx.us-west-2.rds.amazonaws.com&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Example Host populated by template&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;port&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;5432&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Example Port populated by template&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;managingUser&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;${environments.postgresrotation.ManagingCreds.managingUser}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# List of application users whose passwords will be rotated&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;rotateUsers&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;username1&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;user1&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Replace DB username if different from logical name&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;username2&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;user2&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Replace DB username if different from logical name&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# state section is automatically managed by ESC after first rotation&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Do not provide state unless migrating existing, known credentials.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# state:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# current:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# password:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# fn::secret:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# ciphertext: ZXNjeAAAA...&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# username: user1&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# previous:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# password:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# fn::secret:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# ciphertext: ZXNje21AA...&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# username: user2&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Test with Manual Rotation:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Use the triple-dot menu -&amp;gt; &amp;ldquo;Rotate Secrets&amp;rdquo; in the Pulumi Cloud UI for the Rotator environment.&lt;/li&gt;
&lt;li&gt;Alternatively, use the Pulumi CLI: &lt;code&gt;pulumi env rotate &amp;lt;your-org&amp;gt;/&amp;lt;project-name&amp;gt;/Rotator&amp;gt;&lt;/code&gt; (e.g., &lt;code&gt;pulumi env rotate myorg/postgresrotation/Rotator&lt;/code&gt;). Remember to replace &lt;code&gt;&amp;lt;your-org&amp;gt;&lt;/code&gt; and &lt;code&gt;&amp;lt;project-name&amp;gt;&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Perform a rotation. If you &lt;em&gt;didn&amp;rsquo;t&lt;/em&gt; provide the &lt;code&gt;state&lt;/code&gt; block, this first rotation generates a new password for the user designated as &lt;code&gt;current&lt;/code&gt; (e.g., &lt;code&gt;user1&lt;/code&gt; associated with &lt;code&gt;username1&lt;/code&gt;) and updates it in the database via the Lambda connector. The &lt;code&gt;dbRotator&lt;/code&gt; value in ESC will now show this user/password under &lt;code&gt;current&lt;/code&gt;, and the &lt;code&gt;state&lt;/code&gt; block will be populated.&lt;/li&gt;
&lt;li&gt;Perform a &lt;em&gt;second&lt;/em&gt; rotation. Observe how the previous &lt;code&gt;current&lt;/code&gt; user (&lt;code&gt;user1&lt;/code&gt;/&lt;code&gt;username1&lt;/code&gt;) and its password become the &lt;code&gt;previous&lt;/code&gt; entry in the ESC value. The system now rotates the password for the &lt;em&gt;other&lt;/em&gt; user (&lt;code&gt;user2&lt;/code&gt;/&lt;code&gt;username2&lt;/code&gt;), makes it the new &lt;code&gt;current&lt;/code&gt;, and updates the database accordingly. Subsequent rotations cycle between &lt;code&gt;user1&lt;/code&gt; and &lt;code&gt;user2&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Check the Environment Revision History in the Pulumi Cloud console to track the changes to the &lt;code&gt;current&lt;/code&gt; and &lt;code&gt;previous&lt;/code&gt; state fields after each rotation.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Step 4: Schedule Automated Rotations&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Once you are satisfied that manual rotations via the Lambda connector are working correctly, navigate to the &amp;ldquo;Secret Rotation&amp;rdquo; tab for your Rotator environment (e.g., &lt;code&gt;postgresrotation/Rotator&lt;/code&gt;) in the Pulumi Cloud console.&lt;/li&gt;
&lt;li&gt;Define your desired automated rotation schedule (e.g., every 30 days). ESC will automatically trigger rotations according to this schedule, ensuring your credentials stay fresh without manual intervention.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="whats-next"&gt;What’s Next?&lt;/h2&gt;
&lt;p&gt;This launch significantly enhances database security posture through automation for PostgreSQL and MySQL, but we&amp;rsquo;re just getting started. We plan to expand our rotated secrets capabilities:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;More Databases:&lt;/strong&gt; Support for &lt;a href="https://github.com/pulumi/esc/issues/525"&gt;MongoDB&lt;/a&gt;, &lt;a href="https://github.com/pulumi/esc/issues/526"&gt;Microsoft SQL Server&lt;/a&gt;, &lt;a href="https://github.com/pulumi/esc/issues/527"&gt;Oracle&lt;/a&gt;, and others.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Databases in Private Networks on Other Clouds:&lt;/strong&gt; Rotation solutions for databases hosted in private networks within &lt;a href="https://github.com/pulumi/esc/issues/521"&gt;Azure&lt;/a&gt;, &lt;a href="https://github.com/pulumi/esc/issues/522"&gt;Google Cloud&lt;/a&gt;, and more.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Have a specific database or integration in mind? Upvote existing issues or open a new request in our &lt;a href="https://github.com/pulumi/esc/issues"&gt;GitHub repository&lt;/a&gt;!&lt;/p&gt;
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Pulumi ESC&amp;rsquo;s Automated Database Credential Rotation drastically simplifies a critical security task. By automating the rotation of &lt;strong&gt;PostgreSQL&lt;/strong&gt; and &lt;strong&gt;MySQL&lt;/strong&gt; credentials, ESC reduces operational overhead, minimizes the risk associated with static secrets, and helps you meet compliance requirements more easily. Whether your databases are publicly accessible (using Direct Connect) or in private AWS networks (using the Lambda connector), ESC provides a unified way to manage their lifecycle securely.&lt;/p&gt;
&lt;p&gt;We encourage you to explore the &lt;a href="https://www.pulumi.com/docs/esc/"&gt;Pulumi ESC documentation&lt;/a&gt; and try out rotated database secrets for &lt;a href="https://www.pulumi.com/docs/esc/integrations/rotated-secrets/postgres/"&gt;PostgreSQL&lt;/a&gt; and &lt;a href="https://www.pulumi.com/docs/esc/integrations/rotated-secrets/mysql/"&gt;MySQL&lt;/a&gt;. Your feedback is invaluable – please share your experiences and suggestions on our &lt;a href="https://github.com/pulumi/esc"&gt;GitHub repository&lt;/a&gt;. Secure your databases with automated rotation and build with confidence!&lt;/p&gt;</description><author>Sean Yeh</author><author>Iaroslav Titov</author><author>Arun Loganathan</author><category>esc</category><category>secrets</category><category>features</category><category>rotation</category><category>database</category><category>security</category></item><item><title>Announcing Infisical Providers for Pulumi ESC: Dynamic Login and Dynamic Secrets</title><link>https://www.pulumi.com/blog/esc-infisical-providers-launch/</link><pubDate>Mon, 28 Apr 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/esc-infisical-providers-launch/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/esc-infisical-providers-launch/index.png" /&gt;
&lt;p&gt;We are thrilled to announce enhanced integration support for &lt;a href="https://infisical.com/"&gt;Infisical&lt;/a&gt; within &lt;a href="https://www.pulumi.com/product/esc"&gt;Pulumi ESC&lt;/a&gt;! Pulumi ESC centralizes secrets and configuration management, providing a unified source of truth across your environments. With the addition of Infisical, a popular open-source secrets management platform, ESC further extends its ecosystem, enabling seamless and secure access to secrets stored across diverse systems.&lt;/p&gt;
&lt;p&gt;This release introduces two distinct dynamic providers for Infisical, each designed to improve security and streamline your workflows:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/infisical-login/"&gt;&lt;code&gt;infisical-login&lt;/code&gt;&lt;/a&gt; (Dynamic Login):&lt;/strong&gt; This provider securely generates short-lived OIDC access tokens for authenticating &lt;em&gt;to&lt;/em&gt; Infisical. Static, long-lived credentials are a significant security risk. The &lt;code&gt;infisical-login&lt;/code&gt; provider directly addresses this by generating temporary, just-in-time credentials using OIDC. &lt;strong&gt;Use this provider when you need temporary credentials to interact directly with Infisical&lt;/strong&gt;, for instance, using the Infisical CLI or SDKs in local development or CI/CD pipelines, without storing long-lived static tokens. ESC manages the OIDC flow, providing a fresh token when needed.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-secrets/infisical-secrets/"&gt;&lt;code&gt;infisical-secrets&lt;/code&gt;&lt;/a&gt; (Dynamic Secrets):&lt;/strong&gt; This provider dynamically fetches secrets stored &lt;em&gt;within&lt;/em&gt; your Infisical projects and makes them available within the Pulumi ESC environment. &lt;strong&gt;Use this provider when you need specific secrets &lt;em&gt;from&lt;/em&gt; Infisical to configure your applications or infrastructure managed via ESC.&lt;/strong&gt; This centralizes secret consumption, allowing you to access Infisical secrets using the same consistent ESC patterns used for AWS, Azure, GCP, Vault, 1Password, and more.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Pulumi ESC acts as a robust &lt;strong&gt;secrets broker&lt;/strong&gt; provider consistent API interface for all your tools, applications and workflows. It securely handles &lt;em&gt;both&lt;/em&gt; the generation of temporary authentication credentials (like with &lt;code&gt;infisical-login&lt;/code&gt;) and the fetching of application secrets (like with &lt;code&gt;infisical-secrets&lt;/code&gt;) from various providers such as Infisical, cloud platforms (&lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-secrets/aws-secrets/"&gt;AWS&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-secrets/azure-secrets/"&gt;Azure&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-secrets/gcp-secrets/"&gt;GCP&lt;/a&gt;), and other secret managers (&lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-secrets/vault-secrets/"&gt;Vault&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-secrets/1password-secrets/"&gt;1Password&lt;/a&gt;). Once centralized in ESC, these secrets and configurations are consistently available for you to consume via ESC&amp;rsquo;s many developer friendly methods including the &lt;a href="https://www.pulumi.com/docs/esc/development/languages-sdks/"&gt;ESC SDK&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/iac/cli/commands/pulumi_env/"&gt;Pulumi CLI&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/integrations/kubernetes/external-secrets-operator/"&gt;Kubernetes External Secrets Operator&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/integrations/kubernetes/secret-store-csi-driver/"&gt;CSI Driver&lt;/a&gt;, or sync them to various platforms where they are needed such as &lt;a href="https://github.com/pulumi/esc-examples/tree/main/sync/github-secrets"&gt;GitHub Secrets&lt;/a&gt;, &lt;a href="https://github.com/pulumi/esc-examples/tree/main/sync/aws-secrets-manager"&gt;AWS Secrets Manager&lt;/a&gt;, and more!&lt;/p&gt;
&lt;h2 id="getting-started-using-the-infisical-providers"&gt;Getting Started: Using the Infisical Providers&lt;/h2&gt;
&lt;p&gt;Let&amp;rsquo;s walk through how to configure and use each provider.&lt;/p&gt;
&lt;h3 id="prerequisites"&gt;Prerequisites&lt;/h3&gt;
&lt;p&gt;Configure Infisical for OpenID Connect(OIDC) before you try out the providers. Follow the steps in &lt;a href="https://www.pulumi.com/docs/esc/environments/configuring-oidc/infisical/"&gt;Infisical OIDC documentation&lt;/a&gt;. This involves creating an Identity in Infisical, adding OIDC authentication pointing to &lt;code&gt;https://api.pulumi.com/oidc&lt;/code&gt;, and configuring the audience and subject claims. Note down the &lt;strong&gt;Identity ID&lt;/strong&gt;.&lt;/p&gt;
&lt;h3 id="how-to-use-the-infisical-login-provider-dynamic-authentication"&gt;How to Use the infisical-login Provider (Dynamic Authentication)&lt;/h3&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;Create a Pulumi ESC environment (e.g., &lt;code&gt;pulumi-org/infisical-auth/oidc-login&lt;/code&gt;) with the following environment definition and update the &lt;code&gt;identityId&lt;/code&gt;.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c"&gt;# Environment: pulumi-org/infisical-auth/oidc-login&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;values&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;infisical&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Configure the Dynamic Login provider using OIDC&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;login&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;fn::open::infisical-login&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;oidc&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;identityId&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;&amp;lt;your-identity-id&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Replace with your Infisical Identity ID&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Expose the token as an environment variable for easy consumption&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;environmentVariables&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;INFISICAL_TOKEN&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;${infisical.login.accessToken}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Save the environment.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Validate the environment by clicking on Open in the Pulumi Cloud console, or running &lt;code&gt;pulumi env open pulumi-org/infisical-auth/oidc-login&lt;/code&gt; in your CLI. The output will include the infisical.login.accessToken.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Usage Example: Run Infisical CLI commands dynamically:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;pulumi env run pulumi-org/infisical-auth/oidc-login -- infisical secrets get API_KEY --projectId&lt;span class="o"&gt;=&lt;/span&gt;&amp;lt;your-project-id&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# The INFISICAL_TOKEN env var is automatically injected&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;h3 id="how-to-use-the-infisical-secrets-provider-dynamically-fetching-secrets"&gt;How to Use the infisical-secrets Provider (Dynamically Fetching Secrets)&lt;/h3&gt;
&lt;p&gt;Use this provider to pull secrets &lt;em&gt;from&lt;/em&gt; Infisical &lt;em&gt;into&lt;/em&gt; your ESC environment for consumption by your applications, CI/CD systems, Pulumi IaC, Terraform and more!&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;Create an ESC environment where you need the secrets (e.g., &lt;code&gt;pulumi-org/my-app/dev&lt;/code&gt;).&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Import&lt;/strong&gt; the dynamic login environment (if using OIDC for authentication, which is recommended). This makes the temporary Infisical token available.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Configure the &lt;code&gt;infisical-secrets&lt;/code&gt; provider, referencing the imported login details. See example below.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Specify the secrets to fetch using the &lt;code&gt;get&lt;/code&gt; block. Replace placeholders.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c"&gt;# Environment: pulumi-org/my-app/dev&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;imports&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Import the environment performing Dynamic Login (recommended)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="l"&gt;pulumi-org/infisical-auth/oidc-login&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Use the path to your login environment&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;values&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Define a structure to hold secrets fetched from Infisical&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;infisicalSecrets&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;fn::open::infisical-secrets&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Authenticate using the token from the imported Dynamic Login environment&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;login&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;${infisical.login}&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Pass the login object from the import&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Specify secrets to retrieve from Infisical&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;get&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Define names for the secrets as they will appear in ESC&amp;#39;s output under &amp;#39;infisicalSecrets&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;apiKey&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# This is the name within ESC&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;projectId&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;&amp;lt;your-infisical-project-id&amp;gt;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;environment&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;prod&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# The Infisical environment slug (e.g., &amp;#39;prod&amp;#39;, &amp;#39;dev&amp;#39;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;secretKey&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;api-key&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# The key of the secret in Infisical&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;appSecret&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Pull another secret `app-secret` into ESC&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;projectId&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;&amp;lt;your-infisical-project-id&amp;gt;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;environment&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;dev&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;secretKey&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;app-secret&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# Optionally, map fetched secrets to environment variables for application consumption&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;environmentVariables&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;API_KEY&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;${infisicalSecrets.apiKey}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;APP_SECRET&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;${infisicalSecrets.appSecret}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Save the environment.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Validate the environment by clicking on Open in the Pulumi Cloud console, or running &lt;code&gt;pulumi env open pulumi-org/my-app/dev&lt;/code&gt; in your CLI. The output will show the imported &lt;code&gt;infisical.login&lt;/code&gt;, the fetched secrets under &lt;code&gt;infisicalSecrets&lt;/code&gt;, and the mapped &lt;code&gt;environmentVariables&lt;/code&gt;.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Usage Example:&lt;/strong&gt; Run an application that needs these secrets:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;pulumi env run pulumi-org/my-app/dev -- node app.js
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# The API_KEY and APP_SECRET env vars are automatically injected&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;The new &lt;code&gt;infisical-login&lt;/code&gt; and &lt;code&gt;infisical-secrets&lt;/code&gt; providers for Pulumi ESC offer powerful and secure ways to interact with Infisical. Use &lt;code&gt;infisical-login&lt;/code&gt; for dynamic, short-lived OIDC authentication when interacting directly with Infisical APIs or CLIs. Use &lt;code&gt;infisical-secrets&lt;/code&gt; to securely fetch secrets &lt;em&gt;from&lt;/em&gt; Infisical &lt;em&gt;into&lt;/em&gt; your centralized ESC environment. Together, they enhance your security posture and simplify configuration management.&lt;/p&gt;
&lt;p&gt;We encourage you to explore these new capabilities. Dive into the &lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/infisical-login/"&gt;infisical-login&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-secrets/infisical-secrets/"&gt;infisical-secrets&lt;/a&gt; for detailed configuration options, check out the broader &lt;a href="https://www.pulumi.com/docs/esc/"&gt;Pulumi ESC Documentation&lt;/a&gt;, and share your feedback or ask questions in the &lt;a href="https://slack.pulumi.com/"&gt;Pulumi Community Slack&lt;/a&gt;.&lt;/p&gt;</description><author>Boris Schlosser</author><author>Arun Loganathan</author><category>esc</category><category>secrets</category><category>infisical</category><category>features</category><category>configuration-management</category><category>dynamic-secrets</category><category>oidc</category></item><item><title>Pulumi Release Notes: Pulumi MCP Server, Pulumi ESC Rotated Secrets, and Policy Enhancements</title><link>https://www.pulumi.com/blog/pulumi-release-notes-117/</link><pubDate>Fri, 25 Apr 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/pulumi-release-notes-117/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/pulumi-release-notes-117/index.png" /&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;Note: This post discusses Pulumi Copilot, which Pulumi Neo has replaced. &lt;a href="https://www.pulumi.com/docs/ai/"&gt;Learn about Neo →&lt;/a&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;We&amp;rsquo;ve been busy over the past two months, shipping significant enhancements across the Pulumi ecosystem. From major improvements to our core IaC platform with Azure Native V3 and cross-language Components to powerful new capabilities in Pulumi ESC and Insights, these updates deliver on our commitment to making cloud management more powerful, accessible, and secure. We&amp;rsquo;re particularly excited about our AI integration through the MCP Server, enabling developers to work with infrastructure in a more intuitive, contextual way. Let&amp;rsquo;s dive into the details of what&amp;rsquo;s new.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#pulumi-iac"&gt;Pulumi IaC&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#azure-native-v3"&gt;Azure Native V3&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-model-context-protocol-mcp-server"&gt;Pulumi Model Context Protocol (MCP) Server&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#next-generation-pulumi-components"&gt;Next-Generation Pulumi Components&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#registry-wave-2-27-new-providers"&gt;Registry Wave 2: 27 New Providers&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#enhanced-terraform-conversion"&gt;Enhanced Terraform Conversion&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#improved-refresh-and-destroy-experience"&gt;Improved Refresh and Destroy Experience&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#gitlab-integration-improvements"&gt;GitLab Integration Improvements&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#faster-secrets-management"&gt;Faster Secrets Management&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-kubernetes-operator-20"&gt;Pulumi Kubernetes Operator 2.0&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#java-sdk-10"&gt;Java SDK 1.0&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-copilot-in-vscode"&gt;Pulumi Copilot in VSCode&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#autonaming-configuration"&gt;Autonaming Configuration&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-esc"&gt;Pulumi ESC&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#rotated-secrets"&gt;Rotated Secrets&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-esc-github-action"&gt;Pulumi ESC GitHub Action&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-insights"&gt;Pulumi Insights&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#enforce-policy-as-code-on-discovered-resources"&gt;Enforce Policy as Code on Discovered Resources&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#wrap-up"&gt;Wrap up&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="pulumi-iac"&gt;Pulumi IaC&lt;/h2&gt;
&lt;h3 id="azure-native-v3"&gt;Azure Native V3&lt;/h3&gt;
&lt;p&gt;We&amp;rsquo;re excited to announce the release of Pulumi Azure Native V3, delivering a remarkable 75% reduction in SDK size while maintaining complete coverage of the Azure ecosystem. The new SDK provides faster downloads, more manageable package sizes, and more reliable performance while maintaining access to all Azure resource properties. With a modern API surface, consistent input/output schemas, and simplified version management, it&amp;rsquo;s now easier than ever to build and deploy Azure resources with Pulumi. &lt;a href="https://www.pulumi.com/blog/azure-native-v3/"&gt;Read the blog post&lt;/a&gt; or check out the &lt;a href="https://www.pulumi.com/registry/packages/azure-native/"&gt;Azure Native Provider documentation&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="pulumi-model-context-protocol-mcp-server"&gt;Pulumi Model Context Protocol (MCP) Server&lt;/h3&gt;
&lt;p&gt;The new Pulumi Model Context Protocol (MCP) Server integration brings AI-assisted infrastructure development directly into your coding workflow. By connecting AI-powered code assistants with Pulumi&amp;rsquo;s CLI and registry, MCP enables real-time resource information and infrastructure management without leaving your editor. This integration drastically reduces context switching, accelerates resource discovery, and enables faster coding with intelligent assistance. Use it with tools like GitHub Copilot, Anthropic&amp;rsquo;s Claude Code, Cursor, and others to streamline your infrastructure development experience. &lt;a href="https://www.pulumi.com/blog/mcp-server-ai-assistants/"&gt;Learn more about AI-assisted IaC&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="next-generation-pulumi-components"&gt;Next-Generation Pulumi Components&lt;/h3&gt;
&lt;p&gt;Introducing the next generation of Pulumi Components with enhanced cross-language capabilities, enabling you to create reusable infrastructure abstractions once and deploy them using any supported Pulumi language. These improved components allow platform teams to codify organizational standards into shareable libraries while giving developers simpler, more approachable interfaces that enforce best practices automatically. With built-in input validation, detailed documentation, improved error messages, and cross-language support, your components can now reach a wider audience of developers regardless of their preferred programming language. &lt;a href="https://www.pulumi.com/blog/pulumi-components/"&gt;Read the blog post&lt;/a&gt; or explore the &lt;a href="https://www.pulumi.com/docs/iac/concepts/resources/components/"&gt;Components documentation&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="registry-wave-2-27-new-providers"&gt;Registry Wave 2: 27 New Providers&lt;/h3&gt;
&lt;p&gt;We&amp;rsquo;ve expanded the Pulumi Registry with 27 new native providers, bringing the total to over 150 providers and 7,500 resource types. This wave adds support for popular services like Jira, Gitlab, Railway, Neon, PlanetScale, and many more, giving you more options for managing your entire cloud infrastructure with Pulumi. Each provider is published as a standalone package, making it easier to adopt new providers without updating your entire Pulumi installation. Start using these providers today to expand your infrastructure management capabilities. &lt;a href="https://www.pulumi.com/blog/registry-wave-2/"&gt;Read the blog post&lt;/a&gt; or browse the &lt;a href="https://www.pulumi.com/registry/"&gt;Pulumi Registry&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="enhanced-terraform-conversion"&gt;Enhanced Terraform Conversion&lt;/h3&gt;
&lt;p&gt;With Pulumi CLI version 3.153.0 and above, we&amp;rsquo;ve supercharged our Terraform conversion capabilities. Now you can automatically convert &lt;strong&gt;ANY&lt;/strong&gt; Terraform project to Pulumi and import its resources - even if it uses providers that don&amp;rsquo;t have native Pulumi equivalents. This breakthrough eliminates a significant migration barrier, allowing teams to convert their entire Terraform codebase without provider limitations. The enhanced converter handles mixed provider scenarios effortlessly, maintaining access to specialized Terraform providers you already leverage while modernizing your infrastructure deployment. This builds on our existing capability to use &lt;a href="https://www.pulumi.com/blog/any-terraform-provider/"&gt;any Terraform/OpenTofu provider&lt;/a&gt; in your Pulumi projects, making it easier than ever to migrate your infrastructure as code to Pulumi. &lt;a href="https://www.pulumi.com/blog/pulumi-convert-terraform-improvements/"&gt;Read the blog post&lt;/a&gt; to see examples and learn how to try it for yourself.&lt;/p&gt;
&lt;h3 id="improved-refresh-and-destroy-experience"&gt;Improved Refresh and Destroy Experience&lt;/h3&gt;
&lt;p&gt;As of Pulumi CLI version 3.160.0, we&amp;rsquo;ve introduced a significant enhancement to the &lt;code&gt;pulumi refresh&lt;/code&gt; and &lt;code&gt;pulumi destroy&lt;/code&gt; commands. These commands now support the &lt;code&gt;--run-program&lt;/code&gt; flag, which enables them to run your program code before refreshing or destroying your stack. This is especially valuable for teams working with short-lived credentials, dynamic resources, or any workflow where your code needs to run to establish the right context. Previously, while these commands took into account updated configuration from your &lt;code&gt;Pulumi.&amp;lt;stack&amp;gt;.yaml&lt;/code&gt; files, they didn&amp;rsquo;t consider changes in your actual code, which could break workflows that depend on code to update credentials or determine resources to manage. This improvement ensures your infrastructure operations have the full context they need to succeed, particularly important when using OIDC-based authentication, dynamically fetching credentials from a secrets manager, or working with dynamic providers. We plan to make this the default behavior eventually, but are introducing it as an opt-in flag first to ensure a smooth transition. &lt;a href="https://github.com/pulumi/pulumi/discussions/19102"&gt;Read more in our RFC&lt;/a&gt; on making program execution the default behavior.&lt;/p&gt;
&lt;h3 id="gitlab-integration-improvements"&gt;GitLab Integration Improvements&lt;/h3&gt;
&lt;p&gt;We&amp;rsquo;ve significantly enhanced our GitLab integration with support for multiple pipeline jobs and simplified authentication. The improved integration works with both GitLab CI/CD server and SaaS offerings, supporting parallel execution of multiple Pulumi steps within a single GitLab pipeline. Authentication has been streamlined with a new method that eliminates the need for personal access tokens, instead leveraging GitLab&amp;rsquo;s CI/CD variables for secure, seamless authentication. These enhancements make it easier than ever to implement GitOps workflows with Pulumi and GitLab. &lt;a href="https://www.pulumi.com/blog/gitlab-better-than-ever/"&gt;Read the blog post&lt;/a&gt; or check out the &lt;a href="https://www.pulumi.com/docs/using-pulumi/continuous-delivery/gitlab-app/"&gt;documentation&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="faster-secrets-management"&gt;Faster Secrets Management&lt;/h3&gt;
&lt;p&gt;We&amp;rsquo;ve optimized secrets performance in Pulumi, resulting in significantly faster operations when working with large numbers of secrets. Through focused engineering efforts, we&amp;rsquo;ve achieved up to 75% reduction in secrets processing time for large stacks, with the most dramatic improvements seen in stacks with many outputs. This enhancement particularly benefits workflows involving many secrets, resource outputs, or stack references. The improvements are available starting with Pulumi 3.123.0 and require no changes to your existing code. &lt;a href="https://www.pulumi.com/blog/faster-secrets-management/"&gt;Read the blog post&lt;/a&gt; to learn more about these performance improvements.&lt;/p&gt;
&lt;h3 id="pulumi-kubernetes-operator-20"&gt;Pulumi Kubernetes Operator 2.0&lt;/h3&gt;
&lt;p&gt;The Pulumi Kubernetes Operator 2.0 is now generally available, bringing advanced automation capabilities for managing Pulumi stacks within Kubernetes clusters. The new version includes a completely rewritten, faster codebase with enhanced reconciliation logic, better error handling, and improved CRD management. Version 2.0 also adds critical features like automatic retry for temporary failures, fine-grained refresh control, idempotent updates, and advanced stack management capabilities. These improvements make the operator more reliable and powerful for managing infrastructure directly from your Kubernetes clusters. &lt;a href="https://www.pulumi.com/blog/pko-2-0-ga/"&gt;Read the blog post&lt;/a&gt; or check out the &lt;a href="https://www.pulumi.com/docs/iac/using-pulumi/continuous-delivery/pulumi-kubernetes-operator/"&gt;operator documentation&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="java-sdk-10"&gt;Java SDK 1.0&lt;/h3&gt;
&lt;p&gt;The Pulumi Java SDK is now generally available with its 1.0 release, providing first-class support for Java in Pulumi&amp;rsquo;s multi-language ecosystem. The GA release includes feature parity with other Pulumi languages, improved documentation, enhanced type safety, and support for the complete Pulumi programming model. We&amp;rsquo;ve also expanded the Java SDK to support all current LTS versions and ensure smooth interoperability with the broader Java ecosystem. This milestone makes Pulumi an excellent choice for Java teams looking to manage their infrastructure using their preferred language. &lt;a href="https://www.pulumi.com/blog/java-1-0/"&gt;Read the blog post&lt;/a&gt; or check out the &lt;a href="https://www.pulumi.com/docs/iac/languages-sdks/java/"&gt;Java getting started guide&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="pulumi-copilot-in-vscode"&gt;Pulumi Copilot in VSCode&lt;/h3&gt;
&lt;p&gt;Pulumi Copilot is now available in Visual Studio Code, bringing AI-powered assistance directly to your infrastructure development environment. The VSCode extension helps you write, understand, and debug Pulumi code with inline explanations, transformation suggestions, and code generation capabilities. Copilot can also assist with converting between Pulumi languages and translating from other IaC tools like Terraform and CloudFormation. This integration makes it easier to learn Pulumi, accelerate your infrastructure development, and solve complex configuration challenges. &lt;a href="https://www.pulumi.com/blog/copilot-in-vscode/"&gt;Read the blog post&lt;/a&gt; or &lt;a href="https://marketplace.visualstudio.com/items?itemName=pulumi.pulumi-vscode-copilot"&gt;install the extension&lt;/a&gt; today.&lt;/p&gt;
&lt;h3 id="autonaming-configuration"&gt;Autonaming Configuration&lt;/h3&gt;
&lt;p&gt;We&amp;rsquo;ve enhanced Pulumi&amp;rsquo;s autonaming feature with new configuration options that give you more control over resource naming. You can now globally disable autonaming or configure it on a per-component basis, allowing you to precisely control when Pulumi generates names for your resources. This is particularly valuable for organizations that want to ensure consistent, predictable resource naming across their infrastructure. The new configuration is available in Pulumi CLI version 3.91.1 and later, and requires no code changes to implement. &lt;a href="https://www.pulumi.com/blog/autonaming-configuration/"&gt;Read the blog post&lt;/a&gt; or check out the &lt;a href="https://www.pulumi.com/docs/iac/concepts/resources/names/"&gt;documentation&lt;/a&gt; for implementation details.&lt;/p&gt;
&lt;h2 id="pulumi-esc"&gt;Pulumi ESC&lt;/h2&gt;
&lt;h3 id="rotated-secrets"&gt;Rotated Secrets&lt;/h3&gt;
&lt;p&gt;Address the persistent challenge of static, long-lived credentials with the new Rotated Secrets capability in Pulumi ESC. Static secrets pose significant security risks due to potential exposure and infrequent, error-prone manual rotation. While &lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/"&gt;dynamic secrets&lt;/a&gt; are ideal, Rotated Secrets provide a powerful alternative for applications requiring long-lived credentials, systems needing persistent connections, or where dynamic credentials aren&amp;rsquo;t feasible. Automatically rotate credentials like AWS IAM user access keys (with more integrations coming soon) on flexible schedules or on-demand, eliminating manual effort and reducing the window of vulnerability. Rotated Secrets seamlessly integrate into ESC environments, utilize a &amp;ldquo;two-secret&amp;rdquo; strategy for smooth transitions, offer robust auditing, and allow for separation of administrative and consumer roles. Configure rotations directly within your ESC definitions and set up webhooks to automate downstream updates. &lt;a href="https://www.pulumi.com/blog/announcing-pulumi-esc-github-action/"&gt;Read the blog post&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="pulumi-esc-github-action"&gt;Pulumi ESC GitHub Action&lt;/h3&gt;
&lt;p&gt;Securely inject secrets and configuration directly into your GitHub Actions workflows with the new &lt;a href="https://github.com/marketplace/actions/esc-action"&gt;Pulumi ESC GitHub Action&lt;/a&gt;. This action lets you dynamically inject values from your Pulumi ESC environments as needed during CI/CD runs, eliminating the need to store static, long-lived credentials within GitHub and reducing secret sprawl. Leverage Pulumi ESC&amp;rsquo;s automatic secret rotation capabilities and run ESC commands directly within your workflows for streamlined environment management. Combine this action with &lt;a href="https://github.com/marketplace/actions/pulumi-auth-action"&gt;pulumi/auth-actions&lt;/a&gt; for seamless, tokenless authentication to Pulumi Cloud using OIDC, further enhancing security. &lt;a href="https://www.pulumi.com/blog/announcing-pulumi-esc-github-action/"&gt;Read the blog post&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id="pulumi-insights"&gt;Pulumi Insights&lt;/h2&gt;
&lt;h3 id="enforce-policy-as-code-on-discovered-resources"&gt;Enforce Policy as Code on Discovered Resources&lt;/h3&gt;
&lt;p&gt;Extend the governance reach of Pulumi &lt;a href="https://www.pulumi.com/docs/iac/using-pulumi/crossguard/"&gt;Policy as Code&lt;/a&gt; beyond IaC-managed resources to encompass your entire cloud environment with a powerful new capability in &lt;a href="https://www.pulumi.com/docs/insights/"&gt;Pulumi Insights&lt;/a&gt;. You can now automatically apply your existing policies to resources discovered by Pulumi Insights, regardless of how they were created. Simply link your &lt;a href="https://www.pulumi.com/docs/insights/accounts/"&gt;Insights Accounts&lt;/a&gt; (representing cloud provider integrations) to your Policy Groups alongside your stacks. Pulumi will then evaluate all resources within those accounts against your defined policies, surfacing violations centrally. This allows you to write policies once and apply them universally across both IaC and discovered resources, dramatically simplifying how you maintain consistent security and compliance standards at scale across AWS, Azure, OCI, and Kubernetes. &lt;a href="https://www.pulumi.com/blog/enforcing-policy-as-code-on-discovered-resources-with-pulumi/"&gt;Read the blog post&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id="wrap-up"&gt;Wrap up&lt;/h2&gt;
&lt;p&gt;These new features and enhancements represent our ongoing commitment to improving the cloud management experience for developers and platform teams. Whether you&amp;rsquo;re managing cloud resources with our streamlined Azure Native V3 provider, creating reusable abstractions with cross-language Components, leveraging AI assistance with the MCP Server, or strengthening your security posture with ESC Rotated Secrets and policy enforcement, we&amp;rsquo;re focused on making your infrastructure management more efficient, secure, and enjoyable. As we continue to innovate, your feedback helps shape our roadmap and prioritize improvements that matter most to you.&lt;/p&gt;
&lt;p&gt;Explore all the new capabilities and share your feedback – we&amp;rsquo;re always listening! Open an issue in the &lt;a href="https://github.com/pulumi/pulumi-cloud-requests/issues/new/choose"&gt;Pulumi Cloud requests repository&lt;/a&gt; or the &lt;a href="https://github.com/pulumi/pulumi"&gt;pulumi/pulumi repository&lt;/a&gt; for anything CLI-related. Stay tuned for more exciting updates!&lt;/p&gt;</description><author>Arun Loganathan</author><author>Meagan Cojocar</author><category>features</category><category>release-notes</category></item><item><title>Introducing Rotated Secrets in Pulumi ESC</title><link>https://www.pulumi.com/blog/esc-rotated-secrets-launch/</link><pubDate>Wed, 19 Feb 2025 00:00:00 -0400</pubDate><guid>https://www.pulumi.com/blog/esc-rotated-secrets-launch/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/esc-rotated-secrets-launch/index.png" /&gt;
&lt;p&gt;Managing secrets effectively is no longer a &amp;ldquo;nice-to-have&amp;rdquo;—it&amp;rsquo;s a must-have for any organization building and scaling applications in the cloud. Static, long-lived credentials like database passwords, API keys, and IAM user credentials are a major security vulnerability. They&amp;rsquo;re often overexposed, residing in source code, configuration files, or other easily accessible locations. Manual rotation processes are tedious, error-prone, and infrequent, leaving a wide window of opportunity for potential breaches. Today, we&amp;rsquo;re thrilled to announce a powerful new capability in &lt;a href="https://www.pulumi.com/product/secrets-management/"&gt;Pulumi ESC&lt;/a&gt; that directly addresses this challenge: Rotated Secrets.&lt;/p&gt;
&lt;h2 id="the-challenge-with-static-secrets-a-ticking-time-bomb"&gt;The Challenge with static secrets: A ticking time bomb&lt;/h2&gt;
&lt;p&gt;Traditional secrets management often relies on static, long-lived credentials. This approach creates several critical problems:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Increased attack surface&lt;/strong&gt;: The longer a secret remains unchanged, the greater the chance it will be compromised through accidental exposure, phishing attacks, or insider threats.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Manual, error-prone rotation&lt;/strong&gt;: Manual rotation processes are time-consuming and require significant coordination across teams. A single mistake can lead to application downtime or even data breaches.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Inconsistent practices&lt;/strong&gt;: Ad-hoc scripts and manual procedures often lead to inconsistent rotation policies, making it difficult to enforce security best practices across the organization.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Compliance headaches&lt;/strong&gt;: Many compliance regulations (like SOC 2, GDPR, and HIPAA) require regular secret rotation. Manual processes make it difficult to demonstrate compliance and can lead to costly penalties.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These challenges are amplified in complex, multi-cloud, hybrid, or on-premises environments where secrets are distributed across numerous systems. While Pulumi ESC&amp;rsquo;s &lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/"&gt;Dynamic Secrets&lt;/a&gt; addresses all of these challenges and makes secret management much easier, static secrets remain a reality for many organizations. Legacy applications, compliance mandates, or integration limitations often prevent a full switch to dynamic credentials. In such cases, Rotated Secrets provide a second-best option—automating credential rotation to minimize risk while integrating seamlessly with existing workflows.&lt;/p&gt;
&lt;h2 id="introducing-esc-rotated-secrets"&gt;Introducing ESC Rotated Secrets&lt;/h2&gt;
&lt;p&gt;Pulumi ESC&amp;rsquo;s new Rotated Secrets feature provides an elegant solution to the challenges of secret lifecycle management. It enables automated, seamless rotation of credentials, ensuring that your secrets are always up-to-date and secure. Here&amp;rsquo;s how it solves the problems outlined above and more:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Automated rotation schedules&lt;/strong&gt;: Define flexible rotation schedules tailored to your security and operational requirements. This eliminates manual effort and ensures consistent, frequent rotations.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;On-demand rotation&lt;/strong&gt;: Need to rotate a secret immediately due to a suspected breach or policy change? ESC allows you to trigger rotations on demand, giving you immediate control.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Seamless integration with ESC Environments&lt;/strong&gt;: Rotated secrets are seamlessly integrated into your existing ESC environment definitions. This allows you to leverage the power of ESC&amp;rsquo;s &lt;a href="https://www.pulumi.com/docs/esc/environments/imports/"&gt;composability&lt;/a&gt;, allowing you to manage rotated secrets alongside your other configuration values.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Two-secret strategy&lt;/strong&gt;: ESC Rotated secrets uses a two-secret strategy in which two secrets are active and valid at any point in time. This is especially useful when multiple instances of an application share a credential but not all instances pull in the latest credential at the same time, allowing you to rotate a secret without worrying about some instances being unavailable due to invalid credentials.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Auditing and tracking&lt;/strong&gt;: Gain complete visibility into credential usage, including a full history of generated credentials, active credentials, and the principals accessing them. This enhances governance and simplifies compliance.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Admin and creator control&lt;/strong&gt;: Admins and creators/writers of rotated secrets can configure rotations using privileged user credentials and keep those credentials private while ensuring the consumers can still consume the resulting rotated secrets. This provides a clear separation of concern for administration and individual usage.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Configure &lt;a href="https://www.pulumi.com/docs/esc/environments/webhooks/"&gt;webhooks&lt;/a&gt; for automation&lt;/strong&gt;: Notify teams, trigger custom workflows, or trigger a &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/"&gt;Pulumi Deployment&lt;/a&gt; to update your &lt;a href="https://www.pulumi.com/docs/iac/concepts/stacks/"&gt;IaC stacks&lt;/a&gt; whenever rotations occur, ensuring dependent teams and systems are updated on a timely basis&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;With today’s launch, we support AWS IAM user credential rotation with many more databases and cloud integrations on the way. Upvote on our &lt;a href="https://github.com/pulumi/esc/issues?q=is%3Aissue%20state%3Aopen%20rotated%20secrets"&gt;GitHub issues&lt;/a&gt; to get support for new integrations.&lt;/p&gt;
&lt;h2 id="how-to-use-esc-rotated-secrets"&gt;How to Use ESC Rotated Secrets&lt;/h2&gt;
&lt;p&gt;Below are the steps to configure &lt;a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html"&gt;AWS IAM user&lt;/a&gt; rotated secrets using best practices. You can also configure this via Pulumi IaC. Check out the &lt;a href="https://github.com/pulumi/esc-examples/tree/esc-native-example/rotate/example-native"&gt;example program&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="1-provision-an-aws-iam-user-on-your-aws-console"&gt;1. Provision an AWS IAM User on your AWS console&lt;/h3&gt;
&lt;p&gt;&lt;a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html"&gt;Create an AWS IAM user&lt;/a&gt; whose access keys you want to rotate.&lt;/p&gt;
&lt;h3 id="2-create-a-new-environment-with-managing-user-credentials"&gt;2. Create a new environment with managing user credentials&lt;/h3&gt;
&lt;p&gt;In the example environment &lt;code&gt;credentials/aws-creds&lt;/code&gt; below, we use the ESC&amp;rsquo;s &lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/aws-login/"&gt;aws-login provider&lt;/a&gt; using OIDC. This credential was configured with the privileged access to be able to rotate the IAM user credentials.&lt;/p&gt;
&lt;p&gt;The minimal permissions the managing credential requires are IAM List, Create, and DeleteAccessKeys over the IAM user you created.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c"&gt;# credentials/aws-creds&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;values&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;aws&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;login&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;fn::open::aws-login&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;oidc&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;duration&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;1h&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;roleArn&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;arn:aws:iam::12345689:role/test-managing-role&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;sessionName&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;pulumi-environments-session&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;subjectAttributes&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="l"&gt;currentEnvironment.name&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="3-create-a-new-environment-with-the-iam-user-rotation-configuration"&gt;3. Create a new environment with the IAM user rotation configuration&lt;/h3&gt;
&lt;p&gt;Define the rotation using rotated secrets aws-iam provider. Below is an example definition. Notice how the managing user credentials created in step 2 is referenced in the rotation provider &lt;code&gt;input&lt;/code&gt;. This credential will only be used during rotation and never be exposed to the consumers of the rotated IAM user credential.&lt;/p&gt;
&lt;p&gt;Providing current and previous credentials is optional. If you already have IAM user access keys that are actively used, you can specify them in the &lt;code&gt;state&lt;/code&gt; field as &lt;code&gt;current&lt;/code&gt; and &lt;code&gt;previous&lt;/code&gt;. If not, you can leave the state empty.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;values&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;rotated-creds&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;fn::rotate::aws-iam&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;inputs&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;region&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;us-west-1&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;login&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;${environments.credentials.aws-creds.aws.login}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;userArn&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;arn:aws:iam::{accountId}:user/{username}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# state section below is optional.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;state&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;current&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;accessKeyId&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;AKIA...&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;secretAccessKey&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;fn::secret&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;ASIA....&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;previous&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;accessKeyId&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;AKIA...&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;secretAccessKey&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;fn::secret&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;ASIA....&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="4-test-the-setup-with-a-manual-rotation"&gt;4. Test the setup with a manual rotation&lt;/h3&gt;
&lt;p&gt;In the Environment Editor screen, open the triple-dot menu and select Rotate Secrets. Alternatively, you can perform the rotation from the ‘secrets rotation’ tab or use the rotate CLI command. Every rotation creates a new &lt;a href="https://www.pulumi.com/docs/esc/environments/versioning/"&gt;revision&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;If you did not provide current or precious credentials in step 3, rotation will generate new credentials automatically.&lt;/p&gt;
&lt;h3 id="5-monitor-rotations"&gt;5. Monitor rotations&lt;/h3&gt;
&lt;p&gt;Perform multiple rotations to observe how access keys move from current → previous → deleted. Use the Environment Revision History to track changes.&lt;/p&gt;
&lt;h3 id="6-schedule-rotations"&gt;6. Schedule rotations&lt;/h3&gt;
&lt;p&gt;Now that you&amp;rsquo;ve correctly configured your rotated secrets, set up an automated rotation schedule from the Secrets Rotation tab.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Pulumi ESC Rotated Secrets Demo"
autoplay muted playsinline
loop &gt;
&lt;source src="rotated-secrets-demo.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h2 id="rotated-secrets-vs-dynamic-credentials-choosing-the-right-tool"&gt;Rotated Secrets vs. Dynamic Credentials: Choosing the right tool&lt;/h2&gt;
&lt;p&gt;Pulumi ESC offers both &lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/"&gt;Dynamic Secrets&lt;/a&gt; and Rotated Secrets. While both enhance security, they serve different purposes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Dynamic secrets&lt;/strong&gt;: These are short-lived, ephemeral credentials with a Time-To-Live (TTL) typically ranging from 1 to 8 hours. A new set of credentials is generated every time the environment is opened. This is ideal for minimizing the impact of compromised credentials, as they quickly become invalid.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Rotated secrets&lt;/strong&gt;: These are longer-lived credentials, potentially lasting for days, weeks, or even months. The same latest credential is returned every time the environment is opened until the next scheduled rotation occurs. This provides stability and predictability for applications that need consistent credentials over a longer period.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Here are scenarios where rotated secrets are the preferred choice:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Legacy applications&lt;/strong&gt;: Many legacy applications were built before modern secret management practices existed and cannot easily be rewritten to support dynamic secrets. For these applications, Rotated Secrets offer a practical way to enhance security without requiring a full application redesign or re-architecture.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Applications that can only update credentials during restarts and redeployments&lt;/strong&gt;: Some applications require credentials to be available at startup and cannot refresh them dynamically. Rotated Secrets works well for this scenario, providing rotations and ensuring applications always have a valid credential when restarted.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Applications requiring persistent connections&lt;/strong&gt;: High-performance applications or applications that have a long-lived database connections cannot afford to fetch fresh credentials every few hours. Rotated Secrets ensure such applications continue to function as needed while boosting security.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Third-Party API keys (Support coming soon)&lt;/strong&gt;: Some external services cannot provision dynamic short-term credentials. Rotated Secrets provide a way to comply with periodic key rotation policies without requiring real-time credential generation.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Databases in private networks (Support coming soon)&lt;/strong&gt;: Many Enterprise databases are not connected to the internet, thereby requiring a proxy or an agent running in their internal network to perform the rotation. Rotated Secrets offer stability in such environments by reducing the number of external calls, even when routed through a proxy.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="whats-next"&gt;What&amp;rsquo;s next?&lt;/h2&gt;
&lt;p&gt;This is just the beginning! We&amp;rsquo;re committed to expanding the capabilities of Rotated Secrets. Here&amp;rsquo;s a glimpse of what&amp;rsquo;s on the roadmap:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Database Secrets Rotation: Automated secrets rotation support for a wide range of databases including &lt;strong&gt;PostgreSQL, Snowflake, MySQL&lt;/strong&gt;, and more!&lt;/li&gt;
&lt;li&gt;Secret rotations for databases running in private networks&lt;/li&gt;
&lt;li&gt;3rd party API key rotation (example: &lt;strong&gt;Twilio&lt;/strong&gt;)&lt;/li&gt;
&lt;li&gt;Other cloud provider support: &lt;strong&gt;Azure, GCP&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Upvote integrations &lt;a href="https://github.com/pulumi/esc/issues?q=is%3Aissue%20state%3Aopen%20rotated%20secrets"&gt;here&lt;/a&gt;. Want an integration not mentioned? Click &lt;a href="https://github.com/pulumi/esc/issues"&gt;here&lt;/a&gt; to raise a request.&lt;/p&gt;
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Pulumi ESC&amp;rsquo;s Rotated Secrets feature represents a significant advancement in modern secrets management. By automating a traditionally manual and error-prone process, ESC reduces operational risks, strengthens your security posture, and helps you achieve compliance – all without slowing down development.&lt;/p&gt;
&lt;p&gt;We encourage you to explore the &lt;a href="https://www.pulumi.com/docs/esc/environments/rotation"&gt;docs&lt;/a&gt; and try out Rotated Secrets. Share any feedback or open new issues in our &lt;a href="https://github.com/pulumi/esc/issues"&gt;GitHub repository&lt;/a&gt;. We&amp;rsquo;re excited to see how you use this powerful new feature to build more secure and resilient applications!&lt;/p&gt;</description><author>Claire Gaestel</author><author>Arun Loganathan</author><category>esc</category><category>secrets</category><category>features</category></item><item><title>Pulumi ESC: Discovering Environment Imports</title><link>https://www.pulumi.com/blog/esc-imports-discoverability/</link><pubDate>Fri, 13 Dec 2024 00:00:00 -0700</pubDate><guid>https://www.pulumi.com/blog/esc-imports-discoverability/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/esc-imports-discoverability/index.png" /&gt;
&lt;p&gt;Managing secrets and configuration across multiple environments and stacks can easily become complex, leading to duplicated values, inconsistencies, and security risks. &lt;a href="https://www.pulumi.com/product/esc"&gt;Pulumi ESC&lt;/a&gt; solves this with composable environments via &lt;a href="https://www.pulumi.com/docs/esc/environments/imports/"&gt;imports&lt;/a&gt;, allowing you to define configuration once and reuse it organization-wide. Now, with the new capabilities to discover environment imports, you gain unprecedented visibility and control, simplifying the management of even the most complex infrastructure and applications.&lt;/p&gt;
&lt;h2 id="understanding-pulumi-esc-imports"&gt;Understanding Pulumi ESC Imports&lt;/h2&gt;
&lt;p&gt;Pulumi ESC lets you define secrets and configuration as code collections called &lt;a href="https://www.pulumi.com/docs/esc/environments/working-with-environments/"&gt;environments&lt;/a&gt;. These environments can import other environments, creating a hierarchical structure that promotes reusability, and reduces duplication and sprawl. You can centralize secrets and configuration within ESC and use them across &lt;a href="https://www.pulumi.com/docs/esc/integrations/infrastructure/pulumi-iac/"&gt;Pulumi IaC Stacks&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/insights/accounts/"&gt;Pulumi Insights Accounts&lt;/a&gt;, and various other platforms through our &lt;a href="https://www.pulumi.com/docs/esc/integrations/"&gt;integrations&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;By using &lt;a href="https://www.pulumi.com/docs/esc/environments/versioning/#tagging-versions"&gt;version tags&lt;/a&gt;, imports can target specific versions of an environment. This locks down the configuration used by dependents, ensuring stability and preventing unintended changes from rolling out to your critical environments.&lt;/p&gt;
&lt;h2 id="whats-new"&gt;What&amp;rsquo;s New?&lt;/h2&gt;
&lt;p&gt;We&amp;rsquo;ve added powerful discoverability features to give you clear insight into your environment dependencies:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;New &amp;ldquo;Imported By&amp;rdquo; tab&lt;/strong&gt;: Easily understand downstream dependencies by clicking the &amp;ldquo;Imported By&amp;rdquo; tab for each environment. This tab shows all environments and stacks that import a specific environment, including the specific tagged version used. Filter and sort by imported versions and downstream resources to narrow in on the resources that will be affected by a change you are trying to make.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Warnings for deletions and tag movements&lt;/strong&gt;: Pulumi ESC now warns you about the potential impact of deleting an environment or modifying version tags before you make the change, helping you avoid disruptions.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Enhanced environment page&lt;/strong&gt;: The Environments page now clearly indicates if an environment is used by other environments, stacks, or insights accounts, providing valuable relationship context at a glance.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Pulumi IaC stack visibility&lt;/strong&gt;: Environment import information is also available on the Stacks page and within individual stack overview pages.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;img src="imported-by.png" alt="Screenshot of the Pulumi ESC &amp;lsquo;Imported By&amp;rsquo; tab showing environment dependencies"&gt;&lt;/p&gt;
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Pulumi ESC&amp;rsquo;s import feature is a paradigm shift in how you manage your secrets and configuration. The new suite of import discoverability features gives you the confidence to manage complex deployments with ease. Explore the new features and share your feedback through our &lt;a href="https://www.pulumi.com/community/"&gt;Community Slack&lt;/a&gt; or &lt;a href="https://github.com/pulumi/esc/issues/new/choose"&gt;GitHub Repo&lt;/a&gt;.&lt;/p&gt;</description><author>Sean Yeh</author><author>Arun Loganathan</author><category>esc</category><category>secrets</category><category>configuration-management</category><category>features</category><category>releases</category></item><item><title>Unveiling the New Stacks Page</title><link>https://www.pulumi.com/blog/new-stacks-page-launch/</link><pubDate>Thu, 24 Oct 2024 00:00:00 -0700</pubDate><guid>https://www.pulumi.com/blog/new-stacks-page-launch/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/new-stacks-page-launch/index.png" /&gt;
&lt;p&gt;We&amp;rsquo;re thrilled to unveil the redesigned &lt;a href="https://www.pulumi.com/product/infrastructure-as-code/"&gt;Pulumi Infrastructure as Code (IaC)&lt;/a&gt; Stacks page within Pulumi Cloud console, addressing one of the &lt;a href="https://github.com/pulumi/pulumi-cloud-requests/issues/56"&gt;most upvoted&lt;/a&gt; issues in our &lt;a href="https://github.com/pulumi/pulumi-cloud-requests"&gt;Pulumi Cloud Requests repository&lt;/a&gt;! This revamped experience delivers a significant boost in performance and usability, empowering even the most complex organizations to manage their infrastructure with ease.&lt;/p&gt;
&lt;h2 id="why-a-new-stacks-page"&gt;Why a New Stacks Page?&lt;/h2&gt;
&lt;p&gt;As our customers scaled, the previous Stacks page faced some limitations that impacted its effectiveness. Here were some of the primary challenges:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Performance Issues&lt;/strong&gt;: The page became sluggish with large numbers of stacks, making it difficult to scroll smoothly when you had thousands of stacks.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Limited Grouping and Sorting Options&lt;/strong&gt;: Users had limited customization options for organizing their stacks, with minimal control over grouping and sorting.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Tag-Based Grouping Limitations&lt;/strong&gt;: Grouping by tags wasn’t as reliable as we wanted—it sometimes failed to load completely.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="whats-new"&gt;What’s New?&lt;/h2&gt;
&lt;p&gt;The new Stacks page provides more information at a glance, offering a streamlined and powerful experience:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Effortless Scalability&lt;/strong&gt;: Manage thousands of stacks with ease. The new page is optimized for performance, ensuring smooth scrolling and interaction regardless of scale.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Flexible Grouping&lt;/strong&gt;: Group your stacks by repository, project, and tags simultaneously—up to three levels of grouping. Or opt for no grouping at all! The choice is yours. Expand and collapse groups as needed for a more organized and focused browsing experience.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Enhanced Sorting&lt;/strong&gt;: Sort your stacks by last update or group name (ascending/descending) to quickly find what you need.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Shareable Views&lt;/strong&gt;: The page now includes query parameters in the URL, allowing you to save and share your exact view with team members effortlessly.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Personalized Experience&lt;/strong&gt;: The page remembers your last selected groups and sorting preferences, so you can pick up right where you left off.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Dynamic Loading&lt;/strong&gt;: Enjoy instantaneous loading as you scroll, eliminating wait times and boosting efficiency.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Time-Saving Shortcuts&lt;/strong&gt;: Use quick option to make group and sort selections or to reset them.&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="New Stacks Page Demo"
autoplay muted playsinline
loop &gt;
&lt;source src="./new-stacks-page-demo.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h3 id="classic-view-still-available"&gt;Classic View: Still Available&lt;/h3&gt;
&lt;p&gt;For users who prefer the familiar grouping by repository and project, and sorting by last updated, we&amp;rsquo;ve got you covered! Simply click the &amp;ldquo;Classic View&amp;rdquo; shortcut in the top right-corner to switch to the classic grouping and sorting option instantaneously.&lt;/p&gt;
&lt;h2 id="your-feedback-matters"&gt;Your Feedback Matters&lt;/h2&gt;
&lt;p&gt;We&amp;rsquo;re excited for you to experience the power and flexibility of the new Pulumi Stacks page! Share your feedback and suggestions through our &lt;a href="https://github.com/pulumi/pulumi-cloud-requests/issues"&gt;Pulumi Cloud requests&lt;/a&gt; GitHub repository—we&amp;rsquo;re always listening and striving to improve.&lt;/p&gt;</description><author>Germán Lena</author><author>Kimberley Mackenzie</author><author>Arun Loganathan</author><category>features</category><category>releases</category></item><item><title>Announcing the General Availability of Pulumi ESC - Welcome to a New Era of Secrets Management</title><link>https://www.pulumi.com/blog/pulumi-esc-ga/</link><pubDate>Wed, 18 Sep 2024 08:59:00 +0000</pubDate><guid>https://www.pulumi.com/blog/pulumi-esc-ga/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/pulumi-esc-ga/index.png" /&gt;
&lt;p&gt;At Pulumi, we&amp;rsquo;ve been at the forefront of revolutionizing infrastructure management and DevOps processes. We&amp;rsquo;ve built the industry&amp;rsquo;s most comprehensive &lt;a href="https://www.pulumi.com/docs/iac/concepts/secrets/"&gt;secrets management solution for IaC&lt;/a&gt;, securing production cloud credentials and secrets for countless organizations. Now, we&amp;rsquo;re taking that expertise and applying it to the broader challenges of managing secrets at scale with an open ecosystem approach.&lt;/p&gt;
&lt;p&gt;Pulumi Environments, Secrets, and Configuration (&lt;a href="https://www.pulumi.com/product/secrets-management/"&gt;Pulumi ESC&lt;/a&gt;), launched in &lt;a href="https://www.pulumi.com/blog/environments-secrets-configurations-management/"&gt;preview&lt;/a&gt; in October 2023, is now generally available.&lt;/p&gt;
&lt;p&gt;This next-generation secrets management and orchestration service is built with a robust software engineering approach, designed to bring security and simplicity to even the most complex secrets management needs.&lt;/p&gt;
&lt;h2 id="challenges-in-secrets-management"&gt;Challenges in Secrets Management&lt;/h2&gt;
&lt;p&gt;In today&amp;rsquo;s cloud-native world, secrets are the keys to the cloud estate, but managing them effectively is a growing challenge. Modern applications rely on a complex web of secrets, but traditional approaches to &lt;a href="https://www.pulumi.com/what-is/what-is-secrets-management/"&gt;secrets management&lt;/a&gt; are struggling to keep pace. This complexity creates major challenges for security and engineering teams:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Secrets Sprawl&lt;/strong&gt;: Secrets scattered across numerous systems and platforms make it nearly impossible to track their usage, enforce consistent security policies, and prevent unauthorized access, significantly increasing the likelihood of a breach.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Long-Lived Credentials&lt;/strong&gt;: Storing long-lived credentials, especially locally, creates a significant security liability. If these credentials are compromised, they can grant attackers prolonged access to sensitive systems.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;The Trade-off Between Speed and Security&lt;/strong&gt;: Many security measures designed to safeguard secrets can inadvertently impede development velocity. Complex storage and retrieval processes create unnecessary friction, leading to frustration and delays.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Insecure .env File Sharing&lt;/strong&gt;: Developers often copy/paste secrets across many different files, including formats like &lt;code&gt;.env&lt;/code&gt; files stored locally on their machine or shared through insecure channels (like Slack), creating blind spots for security teams and increasing the risk of data leaks.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="introducing-pulumi-esc-a-modern-approach-to-environments-secrets-and-configuration"&gt;Introducing Pulumi ESC: A Modern Approach to Environments, Secrets, and Configuration&lt;/h2&gt;
&lt;p&gt;Pulumi ESC is the modern secret management platform designed to streamline and secure how you manage environments, secrets, and configuration across your entire organization. Built with flexibility and security at its core, Pulumi ESC empowers you to:&lt;/p&gt;
&lt;h3 id="centralize-and-simplify-secrets-management"&gt;Centralize and Simplify Secrets Management:&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Unify Your Secrets&lt;/strong&gt;: Say goodbye to secrets scattered across systems. Pulumi ESC lets you pull and synchronize secrets from any source—&lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-secrets/vault-secrets/"&gt;HashiCorp Vault&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-secrets/aws-secrets/"&gt;AWS Secrets Manager&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-secrets/azure-secrets/"&gt;Azure Key Vault&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-secrets/1password-secrets/"&gt;1Password&lt;/a&gt;, and more—and consume them securely from anywhere.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Streamline Access and Control&lt;/strong&gt;: Access secrets seamlessly via &lt;a href="https://www.pulumi.com/docs/iac/cli/commands/pulumi_env/"&gt;CLI&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/reference/cloud-rest-api/#environments"&gt;API&lt;/a&gt;, &lt;a href="https://external-secrets.io/latest/provider/pulumi/"&gt;Kubernetes operator&lt;/a&gt;, the intuitive Pulumi Cloud UI, or directly within your code using our TypeScript, Python, and Go &lt;a href="https://www.pulumi.com/docs/esc/development/languages-sdks/"&gt;SDKs&lt;/a&gt;. Robust &lt;a href="https://www.pulumi.com/docs/esc/environments/access-control/"&gt;RBAC&lt;/a&gt; ensures the right people have the right access at all times.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Eliminate .env File Risks&lt;/strong&gt;: Stop sharing secrets through insecure channels. Pulumi ESC provides a secure and centralized way to manage and access secrets, eliminating the need for risky .env files.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;img src="esc-integrations.png" alt="Pulumi ESC Integrations"&gt;&lt;/p&gt;
&lt;h3 id="boost-developer-velocity-and-security"&gt;Boost Developer Velocity and Security:&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Empower Developers, Not Slow Them Down&lt;/strong&gt;: Pulumi ESC is designed for developer convenience without compromising security. Access secrets programmatically, integrate with your existing workflows, and leverage flexible authoring options: Pulumi Cloud Editor, VS Code Plugin, SDKs, the Pulumi Service Provider, and our REST API - the choice is yours!&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Gain Complete Visibility and Control&lt;/strong&gt;: Track all secret access and changes with detailed audit logs. Understand the downstream impact of changes and ensure your secrets are used securely and consistently across your organization.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Secrets as Code&lt;/strong&gt;: Pulumi ESC supports flexible composition of environments by allowing &lt;a href="https://www.pulumi.com/docs/esc/get-started/import-environments/"&gt;imports&lt;/a&gt; between one another. Construct hierarchical environments that avoid the need to copy/paste secrets and configurations, ensuring that changes are consistently propagated across all related environments.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;img src="esc-document-editor-view.png" alt="Pulumi ESC document view"&gt;&lt;/p&gt;
&lt;h3 id="built-for-the-modern-cloud-open-by-design"&gt;Built for the Modern Cloud, Open by Design:&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Use It Your Way&lt;/strong&gt;: Pulumi ESC integrates seamlessly with other Pulumi products and features such as Pulumi IaC and Pulumi Deployments for a unified infrastructure management experience. But its flexibility extends to any platform or toolset, including HashiCorp Terraform.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Embrace the Open Ecosystem&lt;/strong&gt;: We believe in freedom of choice. That&amp;rsquo;s why Pulumi ESC is built on an open-source foundation (Apache 2.0 license) and designed to retrieve and synchronize secrets with various platforms seamlessly. We empower our customers to choose the best tools for their needs and supercharge their workflows with Pulumi ESC.&lt;/li&gt;
&lt;/ul&gt;
&lt;div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"&gt;
&lt;iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/JY3Cm1UUIYE?autoplay=0&amp;amp;controls=1&amp;amp;end=0&amp;amp;loop=0&amp;amp;mute=0&amp;amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"&gt;&lt;/iframe&gt;
&lt;/div&gt;
&lt;h2 id="customer-stories"&gt;Customer Stories&lt;/h2&gt;
&lt;p&gt;Since launch, we’ve seen an exponential increase in our customers using Pulumi ESC. Our users have reduced the duplication of their configuration and secrets by over &lt;b&gt;90%&lt;/b&gt; and made Pulumi ESC a core part of running and managing their mission-critical infrastructure and applications.&lt;/p&gt;
&lt;p&gt;Hear from our customers directly what they had to say about Pulumi ESC:&lt;/p&gt;
&lt;i&gt;
“With Pulumi ESC, our developers get dynamic AWS and Azure credentials on-demand, that removes the need for long-lived tokens and enhances security. Onboarding new developers is quick and secure, with no more manually filling in .env templates, since a common ESC dev environment with RBAC is all we need. The integration with the Pulumi SDKs is a &lt;b&gt;huge productivity boost&lt;/b&gt;, and allows us to integrate secrets seamlessly across all of our development workflows." states &lt;b&gt;Liam White, Platform Lead at Tetrate&lt;/b&gt;.”
&lt;p&gt;“Pulumi ESC has been a &lt;b&gt;lifesaver&lt;/b&gt; for us”; said &lt;b&gt;JK Jensen, Team Lead at Mysten Labs&lt;/b&gt;, “it’s nice to throw everything behind an ESC environment and eliminate one-off granting IAM permissions and other issues related to static credentials. It gives us peace of mind knowing that we can grant permissions quickly and revoke easily, limiting the blast radius for any access.”&lt;/p&gt;
&lt;p&gt;“With Pulumi ESC, our developers get dynamic AWS/GCP credentials on-demand; that &lt;b&gt;removes the need for long-lived tokens&lt;/b&gt; and enhances security. ESC allows for Pulumi programs to share secure credentials and access secrets in their given cloud environments. ESC is a great configuration ‘/and secrets management sharing tool to allow for a DRY (Don&amp;rsquo;t Repeat Yourself) approach to development,” says &lt;b&gt;Richard Genthner, Lead DevOps Engineer at Boost Insurance&lt;/b&gt;.
&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;Watch the snippet from our &lt;a href="https://www.pulumi.com/pulumi-up/"&gt;PulumiUP Keynote&lt;/a&gt; that walks you through how to achieve all these benefits our customers have experienced. &lt;a href="https://conference.pulumi.com/schedule/?utm_source=PulumiUp&amp;amp;utm_medium=web&amp;amp;utm_campaign=FY2025Q1_Event_PulumiUP"&gt;Sign-up&lt;/a&gt; here to watch the full keynote.&lt;/p&gt;
&lt;div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"&gt;
&lt;iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/KDAoZ9aiwb8?autoplay=0&amp;amp;controls=1&amp;amp;end=0&amp;amp;loop=0&amp;amp;mute=0&amp;amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"&gt;&lt;/iframe&gt;
&lt;/div&gt;
&lt;h3 id="beyond-preview-the-evolution-of-pulumi-esc"&gt;Beyond Preview: The Evolution of Pulumi ESC&lt;/h3&gt;
&lt;p&gt;Since the launch of Pulumi ESC in preview, over the last 11 months, we have launched numerous features and enhancements driven by our customers. Some of the major ones include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/esc-sdk-launch/"&gt;&lt;strong&gt;SDKs&lt;/strong&gt;&lt;/a&gt; for TypeScript, Python, and Go to leverage Pulumi ESC within all your applications&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/esc-versioning-launch/"&gt;&lt;strong&gt;Versioning&lt;/strong&gt;&lt;/a&gt; that maintains full history of the changes you have made to your secrets and configuration and rollback to specific versions when needed&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/esc/environments/versioning/#tagging-versions"&gt;&lt;strong&gt;Version Tags&lt;/strong&gt;&lt;/a&gt; allow you to assign tags and import specific versions by tags within your applications such that moving tags across versions changes the configuration but requires zero changes in your application code&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/esc-sync-with-iac/"&gt;&lt;strong&gt;Syncing your secrets&lt;/strong&gt;&lt;/a&gt; to several external sources including GitHub and AWS SecretsManager&lt;/li&gt;
&lt;li&gt;&lt;a href="https://external-secrets.io/latest/provider/pulumi/"&gt;&lt;strong&gt;Kubernetes secrets operator&lt;/strong&gt;&lt;/a&gt; to use Pulumi ESC within your Kubernetes applications to retrieve secrets and configuration using external secrets operator during runtime&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/pulumi-vscode-extension/"&gt;&lt;strong&gt;VS Code Extension&lt;/strong&gt;&lt;/a&gt; to author and view your environments directly from where you code&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/esc-webhooks-launch/"&gt;&lt;strong&gt;Webhooks&lt;/strong&gt;&lt;/a&gt; to trigger your automated CI/CD workflows, restart applications with the latest secrets and configuration, notify your teams&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/oidc-trust-relationships/"&gt;&lt;strong&gt;Pulumi OIDC Trust relationship&lt;/strong&gt;&lt;/a&gt; to get Pulumi short-term credentials using your existing Identity provider&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/esc-projects-environment-tags-launch/"&gt;&lt;strong&gt;Projects and Environment Tags&lt;/strong&gt;&lt;/a&gt; to help you organize your Pulumi ESC environments and allow them to scale as your organization evolves&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/pulumi-esc-public-preview-for-1password-support/"&gt;&lt;strong&gt;1Password integration&lt;/strong&gt;&lt;/a&gt; to pull secrets stored in 1Password during runtime&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/esc-editor-enhancements/"&gt;&lt;strong&gt;In-built Document Editor Enhancements&lt;/strong&gt;&lt;/a&gt; to ease authoring with Pulumi Cloud&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/esc-key-value-table-editor-launch/"&gt;&lt;strong&gt;Table Editor&lt;/strong&gt;&lt;/a&gt; to support users who prefer point-and-click UI-driven method to secrets management&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/esc/integrations/infrastructure/pulumi-iac/pulumi-stacks/"&gt;&lt;strong&gt;Pulumi Stack reference provider&lt;/strong&gt;&lt;/a&gt; offering tighter integration with Pulumi IaC&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/esc-kubernetes-cluster-and-app/"&gt;&lt;strong&gt;Files&lt;/strong&gt;&lt;/a&gt; support that allows getting Kubernetes credentials dynamically&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/admin/audit-logs/"&gt;&lt;strong&gt;Audit logs&lt;/strong&gt;&lt;/a&gt; to monitor your environments&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="pricing"&gt;Pricing&lt;/h2&gt;
&lt;p&gt;Starting &lt;b&gt;October 1st, 2024&lt;/b&gt;, Pulumi ESC will be billed per secret. We have heard from customers that this is a familiar pricing dimension that aligns to the value customers get out of ESC. To help you get started, we have included a generous free tier of secrets and API calls.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th&gt;Free&lt;/th&gt;
&lt;th&gt;Team&lt;/th&gt;
&lt;th&gt;Enterprise&lt;/th&gt;
&lt;th&gt;Business Critical&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Price per secret/month&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;25 free&lt;/td&gt;
&lt;td&gt;$0.50&lt;/td&gt;
&lt;td&gt;$0.75 / Custom&lt;/td&gt;
&lt;td&gt;Custom&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Price per plaintext config&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Free&lt;/td&gt;
&lt;td&gt;Free&lt;/td&gt;
&lt;td&gt;Free&lt;/td&gt;
&lt;td&gt;Free&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Price per 10K API calls&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;10K free&lt;/td&gt;
&lt;td&gt;$0.10&lt;/td&gt;
&lt;td&gt;$0.10&lt;/td&gt;
&lt;td&gt;$0.10&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Commitment discounts&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;✔&lt;/td&gt;
&lt;td&gt;✔&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;Check out our &lt;a href="https://www.pulumi.com/pricing/"&gt;pricing&lt;/a&gt; page for more information about the various packages available. &lt;a href="https://www.pulumi.com/contact/?form=sales"&gt;Contact us&lt;/a&gt; if you are interested in a demo, have any questions, or would like to discuss volume discounts.&lt;/p&gt;
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Pulumi ESC represents a significant advancement in secrets and config management. By addressing the challenges faced by organizations today, such as secrets sprawl and the trade-off between speed and security, Pulumi ESC offers a modern, flexible solution. Its unique features, including support for dynamic, short-lived credentials and seamless integration with major cloud providers, GitHub, etc. make it an invaluable asset for teams looking to maintain agility without compromising on security. Pulumi ESC is set to redefine the standards of secrets management, enabling organizations to achieve their security and operational goals more effectively.&lt;/p&gt;
&lt;p&gt;We can’t wait to see how you leverage Pulumi ESC. &lt;a href="https://app.pulumi.com/signup?_gl=1*u5yfkh*_gcl_au*NTc2MTc3MzIwLjE3MjY1MzU3OTI."&gt;Sign-up&lt;/a&gt; for Pulumi Cloud to start using Pulumi ESC and check out our &lt;a href="https://www.pulumi.com/docs/esc/get-started/"&gt;getting started&lt;/a&gt; guide to learn more about Pulumi ESC.&lt;/p&gt;</description><author>Arun Loganathan</author><author>Luke Hoban</author><category>esc</category><category>secrets</category></item><item><title>Introducing Webhooks for Pulumi ESC</title><link>https://www.pulumi.com/blog/esc-webhooks-launch/</link><pubDate>Fri, 13 Sep 2024 00:00:00 -0300</pubDate><guid>https://www.pulumi.com/blog/esc-webhooks-launch/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/esc-webhooks-launch/index.png" /&gt;
&lt;p&gt;Managing secrets and configurations across multiple environments and teams can be a complex juggling act for development teams. &lt;a href="https://www.pulumi.com/docs/esc/"&gt;Pulumi ESC&lt;/a&gt;, our developer-friendly secrets management product, simplifies this process and accelerates your development cycle. Today, we&amp;rsquo;re excited to make this process even easier with the launch of Webhooks for Pulumi ESC, a powerful new feature that allows you to send a custom trigger to any URL endpoint, enabling you to automate workflows and keep your infrastructure and applications up to date. Pulumi ESC Webhooks also integrates seamlessly with popular communication platforms like Slack and Microsoft Teams.&lt;/p&gt;
&lt;p&gt;With Pulumi ESC Webhooks, you can now receive real-time notifications and trigger automated actions based on specific events within your Pulumi ESC &lt;a href="https://www.pulumi.com/docs/esc/environments/"&gt;Environments&lt;/a&gt;. For example, you can set up a Webhook to notify your team’s Slack channel or automatically trigger a deployment pipeline via a POST request when a new environment revision is created due to changes in secrets and configuration. Webhooks can be triggered by changes to &lt;a href="https://www.pulumi.com/docs/esc/environments/#tagging-versions"&gt;version tags&lt;/a&gt; and &lt;a href="https://www.pulumi.com/blog/esc-projects-environment-tags-launch/#introducing-environment-tags"&gt;environment tags&lt;/a&gt;, and can be configured per environment or at the organization level for all environments.&lt;/p&gt;
&lt;p&gt;Take your automation further by creating Webhooks that trigger &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/"&gt;Pulumi Deployments&lt;/a&gt;, automatically updating your infrastructure in response to configuration changes in Pulumi ESC—without writing custom code and all within the Pulumi Cloud Console.&lt;/p&gt;
&lt;p&gt;Hierarchical configurations where one environment &lt;a href="https://www.pulumi.com/docs/esc/environments/#importing-other-environments"&gt;imports&lt;/a&gt; others are fundamental to Pulumi ESC. If an environment is importing another environment, any changes made to the imported environment trigger a Webhook configured within the current environment. The Webhook will notify you that the environment has changed, and you can call back to open the environment using &lt;a href="https://www.pulumi.com/docs/esc/sdk/"&gt;SDK&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/cloud-rest-api/#environments"&gt;REST API&lt;/a&gt;, &lt;a href="https://www.pulumi.com/registry/packages/pulumiservice/api-docs/environment/"&gt;Pulumi Service Provider&lt;/a&gt;, and &lt;a href="https://www.pulumi.com/blog/esc-automation-api-pulumi-service-provider-launch/#streamline-automated-workflows-with-automation-api-enhancements"&gt;Automation API&lt;/a&gt;, and get the latest secrets and configuration.&lt;/p&gt;
&lt;h2 id="getting-started-with-pulumi-esc-webhooks"&gt;Getting Started with Pulumi ESC Webhooks&lt;/h2&gt;
&lt;p&gt;Setting up Webhooks is straightforward. You can use the Pulumi Cloud Console, the Pulumi Service Provider, or REST API.&lt;/p&gt;
&lt;h3 id="using-pulumi-cloud-console"&gt;Using Pulumi Cloud Console&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;Navigate to the &amp;ldquo;Webhooks&amp;rdquo; tab under settings for organization-wide Webhooks or within an individual environment&amp;rsquo;s top navigation bar.&lt;/li&gt;
&lt;li&gt;Select your desired integration (Slack, Microsoft Teams, Pulumi Deployments, or generic JSON Webhooks).&lt;/li&gt;
&lt;li&gt;Configure the Webhook details, including the events you want to trigger notifications on.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;img src="esc-webhooks.png" alt="Table view"&gt;&lt;/p&gt;
&lt;h3 id="using-pulumi-service-provider"&gt;Using Pulumi Service Provider&lt;/h3&gt;
&lt;p&gt;Here is a sample code in TypeScript:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-typescript" data-lang="typescript"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;environmentWebhook&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nx"&gt;service&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Webhook&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;env-webhook&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;active&lt;/span&gt;: &lt;span class="kt"&gt;true&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;displayName&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;env-webhook&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;organizationName&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;my-org&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;projectName&lt;/span&gt;: &lt;span class="kt"&gt;environment.project&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;environmentName&lt;/span&gt;: &lt;span class="kt"&gt;environment.name&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;payloadUrl&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;https://example.com&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;filters&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nx"&gt;WebhookFilters&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;EnvironmentRevisionCreated&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;WebhookFilters&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;ImportedEnvironmentChanged&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;})&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h2 id="benefits-of-pulumi-esc-webhooks"&gt;Benefits of Pulumi ESC Webhooks&lt;/h2&gt;
&lt;p&gt;Pulumi ESC Webhooks offer a range of benefits designed to enhance visibility, streamline workflows, and automate key processes related to your secrets and configuration management:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Effortless Automation and Streamlined Workflows&lt;/strong&gt;: Automatically trigger actions based on ESC events such as application restarts, infrastructure deployments, or configuration updates. Easily integrate Pulumi ESC Webhooks into your CI/CD pipelines to automate builds, tests, and deployments whenever environment updates occur.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Seamless Integration with Pulumi Deployments&lt;/strong&gt;: Whether you need to update your infrastructure, preview changes, or create temporary infrastructure with &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/ttl/"&gt;TTL&lt;/a&gt; or &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/review-stacks/"&gt;review stacks&lt;/a&gt;, Pulumi ESC Webhooks handles all these scenarios, making deployments faster and easier.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Real-time Awareness and Collaboration&lt;/strong&gt;: Receive instant notifications about critical changes in your Pulumi ESC environments, fostering better communication and collaboration between developers, operations teams, and security personnel. This real-time awareness enables faster incident response times, minimizing downtime and security risks.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Webhooks for Pulumi ESC equip your team with tools to improve visibility, streamline workflows, and automate key processes related to your secrets and configuration management. By integrating seamlessly with your existing communication and development tools, Pulumi ESC Webhooks empower you to automate and streamline your infrastructure management, giving you greater control and agility.&lt;/p&gt;
&lt;p&gt;Dive into our &lt;a href="https://www.pulumi.com/docs/esc/webhooks/"&gt;documentation&lt;/a&gt; and explore the possibilities of Pulumi ESC Webhooks! As always, share any feedback or open new issues in our &lt;a href="https://github.com/pulumi/esc/issues/new/choose"&gt;GitHub repository&lt;/a&gt;.&lt;/p&gt;</description><author>Iaroslav Titov</author><author>Arun Loganathan</author><category>esc</category><category>secrets</category><category>features</category></item><item><title>Introducing Pulumi ESC Projects and Environment Tags</title><link>https://www.pulumi.com/blog/esc-projects-environment-tags-launch/</link><pubDate>Thu, 12 Sep 2024 13:00:00 -0400</pubDate><guid>https://www.pulumi.com/blog/esc-projects-environment-tags-launch/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/esc-projects-environment-tags-launch/index.png" /&gt;
&lt;p&gt;We&amp;rsquo;re thrilled to unveil two new features that will empower you to organize your collection of &lt;a href="https://www.pulumi.com/docs/esc/"&gt;Pulumi ESC&lt;/a&gt; Environments: &lt;b&gt;Projects&lt;/b&gt; and &lt;b&gt;Environment Tags&lt;/b&gt;. Projects offer a structured way to group related environments and Environment Tags allow you to add contextual information to each environment. Together, they offer a powerful way for you to manage, navigate, and collaborate on your secrets and configurations.&lt;/p&gt;
&lt;h2 id="overview-of-pulumi-esc"&gt;Overview of Pulumi ESC&lt;/h2&gt;
&lt;p&gt;Pulumi ESC is a developer-first platform designed to simplify the management of secrets and configurations into collections called &lt;i&gt;&lt;a href="https://www.pulumi.com/docs/esc/environments/"&gt;environments&lt;/a&gt;&lt;/i&gt;. As a fully managed solution, it offers &lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/"&gt;dynamic cloud provider credential&lt;/a&gt; resolution, a rich set of &lt;a href="https://www.pulumi.com/docs/esc/providers/"&gt;providers&lt;/a&gt; to retrieve secrets from external platforms, and the ability to use the secrets and configurations you have defined across any surface, including your applications and infrastructure via &lt;a href="https://www.pulumi.com/docs/esc/sdk/"&gt;Multi-language SDKs&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/cloud-rest-api/#environments"&gt;REST APIs&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/iac/cli/commands/pulumi_env/"&gt;CLI&lt;/a&gt;, &lt;a href="https://www.pulumi.com/registry/packages/pulumiservice/api-docs/environment/"&gt;Pulumi-Service Provider&lt;/a&gt;, and &lt;a href="https://www.pulumi.com/blog/esc-automation-api-pulumi-service-provider-launch/#streamline-automated-workflows-with-automation-api-enhancements"&gt;Automation API&lt;/a&gt;. Like all Pulumi functionality, Pulumi ESC focuses on enhancing both agility and security in modern cloud development.&lt;/p&gt;
&lt;p&gt;As developers have embraced Pulumi ESC to manage their collections of secrets and configurations across many teams and projects, the demand for more sophisticated organizational tools has increased. To address this growing need for more organized and efficient management of cloud environments, we are introducing Projects and Environment Tags in Pulumi ESC.&lt;/p&gt;
&lt;h2 id="introducing-projects"&gt;Introducing Projects&lt;/h2&gt;
&lt;p&gt;Projects offer a structured way to organize environments into logical groupings. Each Project has a distinct name, providing context for the environments within it, and can contain multiple environments with variations, each having a specific purpose. Additionally, Projects help large organizations simplify environment management by mitigating possible environment name conflicts and ensuring changes are made in isolation to the correct environments.&lt;/p&gt;
&lt;p&gt;For example, your organization could have a project named &amp;ldquo;payments-app&amp;rdquo; containing &lt;code&gt;dev&lt;/code&gt;, &lt;code&gt;staging&lt;/code&gt;, and &lt;code&gt;prod&lt;/code&gt; environments within it. Your organization could also have a project called &amp;ldquo;dev-credentials&amp;rdquo; which contains different environments used to provide temporary runtime access to credentials for developers while working.&lt;/p&gt;
&lt;p&gt;We have two additional features as part of this launch:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Grouping and Search&lt;/strong&gt;: You can group environments by either Project name or by Environment Tags, as well as search by them, making it simple to locate and manage your environments.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Environment Clone&lt;/strong&gt;: Using the built-in cloning functionality, you can securely copy environments with sensitive information, preserving either the entire version history or just the latest environment state, depending on your needs.&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;To use Projects and Environment Tags, please update your &lt;a href="https://www.pulumi.com/docs/cli/"&gt;Pulumi CLI&lt;/a&gt; and &lt;a href="https://www.pulumi.com/docs/esc/sdk/"&gt;SDK&lt;/a&gt; to the latest.&lt;/div&gt;
&lt;/div&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;&lt;p&gt;Environments will now need to be referenced by specifying the project as part of the environment identifier. Any existing environments within your organization will be available in the &lt;code&gt;default&lt;/code&gt; project. Projects are fully backward compatible - all your existing programs, imports and CLI commands will work without requiring any changes at the moment. Note that only environments within the &lt;code&gt;default&lt;/code&gt; project will be backwards compatibly and resolve without a project prefix.&lt;/p&gt;
&lt;p&gt;Users will be able to create new environments in the default project until &lt;b&gt;Nov 30, 2024&lt;/b&gt;. Starting Dec 1, 2024, users will not be able to create new environments in the default project.&lt;/p&gt;
&lt;p&gt;Starting &lt;b&gt;Apr 1, 2025&lt;/b&gt;, users will not be able to edit their environments within the ‘default’ Project. We recommend customers migrate their existing environments to user-created projects at the earliest to take advantage of new Pulumi ESC capabilities.&lt;/p&gt;
&lt;p&gt;Moving environments out of the &lt;code&gt;default&lt;/code&gt; project is as easy as cloning the environment into a new project and updating any references to it. An example clone command that preserves all environment history, tags, and team access looks as follows&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; $ pulumi env clone default/dev your-project/dev --preserve-history --preserve-env-tags --preserve-rev-tags --preserve-access
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;We offer numerous ways for you to get started with Projects via the Pulumi Web Console, &lt;a href="https://www.pulumi.com/docs/esc/sdk/"&gt;SDK&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/cloud-rest-api/#environments"&gt;REST API&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/iac/cli/commands/pulumi_env/"&gt;CLI&lt;/a&gt; and &lt;a href="https://www.pulumi.com/registry/packages/pulumiservice/api-docs/environment/"&gt;Pulumi-Service Provider&lt;/a&gt; - choose what best fits your workflow. Here is one example using the Pulumi CLI to create and list environments within a project:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; $ pulumi env init cloud-pe/demo
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; Environment created: dschaller/cloud-pe/demo
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; $ pulumi env ls -p cloud-pe
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; cloud-pe/demo
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; pulumi/cloud-pe/demo
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id="breaking-changes"&gt;Breaking Changes&lt;/h3&gt;
&lt;p&gt;With the introduction of Projects, all existing environments part of the &lt;code&gt;default&lt;/code&gt; project will continue to work without requiring any changes. However, when moving existing environments out of the default project you may notice some differences that we have outlined below.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;If your environment was interpolating the &lt;code&gt;context.currentEnvironment.name&lt;/code&gt; or &lt;code&gt;context.rootEnvironment.name&lt;/code&gt; from &lt;a href="https://www.pulumi.com/docs/esc/environments/#pulumi-contextual-information"&gt;Contextual information&lt;/a&gt;, this value will now include the project for any environments outside of the &lt;code&gt;default&lt;/code&gt; project.&lt;/li&gt;
&lt;li&gt;If you were using any of the &lt;a href="https://www.pulumi.com/docs/esc/environments/#using-secrets-providers-and-oidc"&gt;secrets providers with OIDC&lt;/a&gt;, you will need to update both the subject and audience if a trust relationship has been set up. The subject will be either &lt;code&gt;pulumi:environments:org:&amp;lt;organization name&amp;gt;:env:&amp;lt;project name&amp;gt;/&amp;lt;environment name&amp;gt;&lt;/code&gt; if no &lt;code&gt;subjectAttributes&lt;/code&gt; are specified or if the &lt;code&gt;currentEnvironment.name&lt;/code&gt; subject attribute is specified it will now resolve to &lt;code&gt;currentEnvironment.name:&amp;lt;project name&amp;gt;/&amp;lt;environment name&amp;gt;&lt;/code&gt;. The audience will be the provider&amp;rsquo;s platform name (&lt;code&gt;aws&lt;/code&gt;, &lt;code&gt;azure&lt;/code&gt;, or &lt;code&gt;gcp&lt;/code&gt;) followed by the org name of the environment (e.g. &lt;code&gt;aws:pulumi&lt;/code&gt;).&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="introducing-environment-tags"&gt;Introducing Environment Tags&lt;/h2&gt;
&lt;p&gt;Using Environment Tags, teams can now assign any number of custom tags to each environment within Pulumi ESC. These tags serve as contextual identifiers that can streamline workflows by enabling you to group and search across environments based on specific criteria such as teams, project stages, deployment environments, compliance requirements, or geographic locations. This multi-dimensional approach provides unparalleled flexibility and control, ensuring your Pulumi ESC environments can scale seamlessly with your organizations evolving needs.&lt;/p&gt;
&lt;p&gt;For example, suppose your organization has multiple environments across different geographic regions. You can use Environment Tags like &amp;lsquo;region: us-east&amp;rsquo; or &amp;lsquo;region: eu-central-1&amp;rsquo; to quickly filter environments by region. Similarly, for security audits, you might tag environments with ‘Compliance: SOC2’ or ‘Compliance: GDPR’ to easily find relevant environments and ensure they are compliant.&lt;/p&gt;
&lt;p&gt;You can use the Pulumi Web Console and the &lt;a href="https://www.pulumi.com/docs/iac/cli/commands/pulumi_env/"&gt;CLI&lt;/a&gt; to create and manage Environment Tags. Here is an example of using the CLI to add and list Environment Tags.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ pulumi env tag cloud-pe/demo region us-east-1
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Name: region
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Value: us-east-1
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Last updated at 2024-09-10 11:03:05.708 -0700 PDT by Derek &amp;lt;dschaller&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ pulumi env tag ls cloud-pe/demo
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Name: region
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Value: us-east-1
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Last updated at 2024-09-10 11:03:05.708 -0700 PDT by Derek &amp;lt;dschaller&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Pulumi ESC Projects and Environment Tags are powerful additions that bring order and clarity to your secrets and configuration to even the most complex infrastructure landscapes. By enabling you to organize, group, and search for your environments with ease, we&amp;rsquo;re empowering you to scale your infrastructure with high confidence and flexibility.&lt;/p&gt;
&lt;p&gt;We&amp;rsquo;re excited to see how you leverage these new capabilities. Check out the docs to learn more about Pulumi ESC Projects and Environment Tags and start organizing your environments today!&lt;/p&gt;
&lt;p&gt;As always, please share your &lt;a href="https://github.com/pulumi/esc/issues/new/choose"&gt;feedback&lt;/a&gt; on how we can further improve Pulumi ESC to suit your needs.&lt;/p&gt;</description><author>Derek Schaller</author><author>Arun Loganathan</author><category>esc</category><category>secrets</category><category>features</category></item><item><title>Pulumi ESC Table Editor Now Supports Dynamic Credential and Secret Integrations</title><link>https://www.pulumi.com/blog/esc-table-editor-provider-config-support/</link><pubDate>Tue, 10 Sep 2024 00:00:00 -0700</pubDate><guid>https://www.pulumi.com/blog/esc-table-editor-provider-config-support/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/esc-table-editor-provider-config-support/index.png" /&gt;
&lt;p&gt;We are pleased to announce a major update to the &lt;a href="https://www.pulumi.com/product/esc"&gt;Pulumi ESC&lt;/a&gt;’s Table Editor: full support for provider configurations is now live! When we &lt;a href="https://www.pulumi.com/blog/esc-key-value-table-editor-launch"&gt;first introduced the ESC Table view&lt;/a&gt;, our goal was to offer a user-friendly interface for managing complex configuration and secrets for your applications and infrastructure. This has empowered teams to focus on what they do best—building and deploying software.&lt;/p&gt;
&lt;p&gt;In our initial launch, the Table Editor allowed you to perform CRUD operations on your secrets and plaintext values, decrypt secrets, import environments, and manage variables—all within a visual interface. Today, we’re taking the next step by enabling full read-write support for provider configurations within the Table Editor. This new capability allows you to add, edit, and manage your provider configurations directly from the table view, offering a more integrated and seamless experience.&lt;/p&gt;
&lt;h2 id="primer-on-esc-provider-configuration"&gt;Primer on ESC Provider Configuration&lt;/h2&gt;
&lt;p&gt;&lt;a href="https://www.pulumi.com/docs/esc/providers/"&gt;Pulumi ESC’s provider ecosystem&lt;/a&gt; is one of its most powerful features. It supports two categories of providers:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Dynamic Cloud Provider Credentials&lt;/strong&gt;: Dynamically acquire credentials from cloud providers like &lt;a href="https://www.pulumi.com/docs/esc/providers/aws-login/"&gt;AWS&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/providers/azure-login/"&gt;Azure&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/providers/gcp-login/"&gt;GCP&lt;/a&gt;, and &lt;a href="https://www.pulumi.com/docs/esc/providers/vault-login/"&gt;Vault&lt;/a&gt; at runtime, eliminating the need for static, long-lived credentials. This enhances security by removing the reliance on dotenv files, locally stored secrets, or long-lived credentials in CI/CD environments, strengthening your workflows’ overall security.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Dynamic Secret Retrieval&lt;/strong&gt;: ESC retrieves secrets from external secrets managers, such as &lt;a href="https://www.pulumi.com/docs/esc/providers/aws-secrets/"&gt;AWS Secrets Manager&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/providers/1password-secrets/"&gt;1Password&lt;/a&gt;, and &lt;a href="https://www.pulumi.com/docs/esc/providers/vault-secrets/"&gt;HashiCorp Vault&lt;/a&gt;, securely pulling them directly into your environments. Whether you are migrating or utilizing Pulumi ESC’s rich toolset, you can retrieve sensitive information at runtime and apply it seamlessly to your applications.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="enhancing-the-table-editor-provider-configuration-support"&gt;Enhancing the Table Editor: Provider Configuration Support&lt;/h2&gt;
&lt;p&gt;With the addition of provider configuration support in the Table view, incorporating Pulumi ESC provider capabilities into your workflow is now more straightforward. A clean, user-friendly form provides step-by-step guidance, promoting best practices like &lt;a href="https://www.pulumi.com/docs/esc/environments/configuring-oidc"&gt;OIDC&lt;/a&gt; adoption and the secure handling of sensitive data. This streamlined approach reduces the need for external documentation, making the entire process more intuitive and efficient.&lt;/p&gt;
&lt;p&gt;&lt;img src="esc-table-editor-provider-config.png" alt="Table view"&gt;&lt;/p&gt;
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;The new provider configuration support in the ESC Table view marks another step in our efforts to simplify and enhance the developer experience. We’re eager to see how you’ll leverage this new capability to streamline your workflows and strengthen your infrastructure’s security. As always, your feedback is invaluable to our development process, and we’re committed to continually improving the Table Editor and other Pulumi tools based on your needs. Please share your feedback with us &lt;a href="https://github.com/pulumi/esc/issues/new/choose"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Check out our &lt;a href="https://www.pulumi.com/docs/esc"&gt;documentation&lt;/a&gt; to learn more about Pulumi ESC.&lt;/p&gt;</description><author>Kimberley Mackenzie</author><author>Arun Loganathan</author><category>esc</category><category>secrets</category><category>configuration-management</category><category>features</category><category>releases</category></item><item><title>Pulumi Release Notes: Pulumi Copilot, Pulumi ESC Versioning, Pulumi ESC SDK, Docker Provider, and more!</title><link>https://www.pulumi.com/blog/pulumi-release-notes-106/</link><pubDate>Mon, 24 Jun 2024 11:06:04 -0800</pubDate><guid>https://www.pulumi.com/blog/pulumi-release-notes-106/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/pulumi-release-notes-106/index.png" /&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;Note: This post discusses Pulumi Copilot, which Pulumi Neo has replaced. &lt;a href="https://www.pulumi.com/docs/ai/"&gt;Learn about Neo →&lt;/a&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;What an incredible two months at Pulumi! From the revolutionary AI-powered Pulumi Copilot to robust infrastructure lifecycle management, enhanced Pulumi ESC with versioning and SDKs, and a brand-new Docker Build provider, this release cycle is packed with high-impact features delivered at an unprecedented pace. Ready to see all the details? We&amp;rsquo;ve got a lot to cover, so let&amp;rsquo;s jump right into the highlights of this action-packed release.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#ai"&gt;AI&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#pulumi-copilot-the-future-of-cloud-infrastructure"&gt;Pulumi Copilot: The Future of Cloud Infrastructure&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-cloud"&gt;Pulumi Cloud&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#new-infrastructure-lifecycle-management-features"&gt;New Infrastructure Lifecycle Management Features&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#drift-detection-and-remediation"&gt;Drift Detection and Remediation&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#time-to-live-stacks"&gt;Time-to-Live Stacks&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#scheduled-deployments"&gt;Scheduled Deployments&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-esc-new-features-to-supercharge-your-secrets-and-config-management"&gt;Pulumi ESC: New Features to Supercharge Your Secrets and Config Management&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#pulumi-esc-versioning"&gt;Pulumi ESC Versioning&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-esc-sdk"&gt;Pulumi ESC SDK&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-service-provider-for-esc"&gt;Pulumi Service Provider for ESC&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#automation-api-support-for-esc"&gt;Automation API Support for ESC&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-cloud-oidc-trust-relationship"&gt;Pulumi Cloud OIDC Trust Relationship&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#new-project-wizard-enhancements"&gt;New Project Wizard Enhancements&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#core"&gt;Core&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#continue-on-error-in-the-pulumi-cli"&gt;Continue On Error in the Pulumi CLI&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#run-pulumi-with-any-typescript-version"&gt;Run Pulumi with Any TypeScript Version&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#providers-and-packages"&gt;Providers and Packages&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#next-generation-docker-image-builds-with-pulumi"&gt;Next-Generation Docker Image Builds with Pulumi&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#using-pulumi-with-azure-deployment-environments"&gt;Using Pulumi with Azure Deployment Environments&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#helm-chart-v4-resource"&gt;Helm Chart v4 Resource&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#new-provider-resources"&gt;New Provider Resources&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#wrap-up"&gt;Wrap up&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="ai"&gt;AI&lt;/h2&gt;
&lt;h3 id="pulumi-copilot-the-future-of-cloud-infrastructure"&gt;Pulumi Copilot: The Future of Cloud Infrastructure&lt;/h3&gt;
&lt;p&gt;Pulumi Copilot is a game-changing conversational AI assistant for &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/"&gt;Pulumi Cloud&lt;/a&gt;, leveraging large language models (LLMs) to simplify and enhance your cloud management experience. Get instant answers about your cloud by querying the state of any resource managed by Pulumi, across all your clouds and accounts. Explore historical data on stacks, projects, deployments, and more, gaining deep insights into your infrastructure. Write and deploy IaC with ease as Pulumi Copilot brings the power of Pulumi AI directly to your fingertips. Gain insights from cloud provider metadata as Pulumi Copilot integrates with AWS, Azure, Kubernetes, and more; to provide real-time insights into usage, costs, and your infrastructure.&lt;/p&gt;
&lt;p&gt;Pulumi Copilot enforces the same strict identity and RBAC rules as Pulumi Cloud, ensuring data security and privacy for your organization. Try Pulumi Copilot for free! It&amp;rsquo;s in public beta and available to all Pulumi Cloud organizations. Enable it in your organization settings: Settings &amp;gt; Access Management &amp;gt; Pulumi Copilot. &lt;a href="https://www.pulumi.com/blog/pulumi-copilot/"&gt;Read the blog post&lt;/a&gt; | &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/copilot/"&gt;Explore the docs&lt;/a&gt;&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Pulumi Copilot Demo"
autoplay muted playsinline
loop &gt;
&lt;source src="https://www.pulumi.com/blog/pulumi-copilot/demo.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h2 id="pulumi-cloud"&gt;Pulumi Cloud&lt;/h2&gt;
&lt;h3 id="new-infrastructure-lifecycle-management-features"&gt;New Infrastructure Lifecycle Management Features&lt;/h3&gt;
&lt;p&gt;We introduced a wave of new &lt;a href="https://www.pulumi.com/blog/infrastructure-lifecycle-management/"&gt;Infrastructure Lifecycle Management&lt;/a&gt; capabilities in Pulumi Cloud, building upon the power of &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/"&gt;Pulumi Deployments&lt;/a&gt;, and directly addressing the needs of our customers for robust Day 2 operations and beyond. These new features—Drift Detection and Remediation, Time-to-Live Stacks, and Scheduled Deployments—enhance security, optimize costs, and automate key infrastructure management tasks. We also announced a new Pulumi Deployments &lt;a href="https://www.pulumi.com/blog/deploy-minutes-included/"&gt;Free Tier&lt;/a&gt; for all users, providing 3,000 free deployment minutes every month to easily test and use these new features.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.pulumi.com/blog/infrastructure-lifecycle-management/ilm-diagram.png" alt="Infrastructure Lifecycle Management Features"&gt;&lt;/p&gt;
&lt;h4 id="drift-detection-and-remediation"&gt;Drift Detection and Remediation&lt;/h4&gt;
&lt;p&gt;Uncontrolled configuration drift can wreak havoc on your cloud environments, leading to security vulnerabilities, compliance violations, costly outages, and wasted resources. Pulumi Cloud&amp;rsquo;s new &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/drift/"&gt;Drift Detection and Remediation&lt;/a&gt; feature empowers platform teams to maintain complete control over their cloud infrastructure. This feature periodically compares the actual state of cloud resources with the desired state defined in Pulumi programs, identifying any discrepancies. Automatically detect any deviation from your desired state, whether caused by manual edits or external scripts, and receive timely alerts through integrations like &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/webhooks/#slack-webhooks"&gt;Slack&lt;/a&gt; and &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/webhooks/#microsoft-teams-webhooks"&gt;Microsoft Teams&lt;/a&gt;. Pulumi Deployments users can enable automatic remediation to correct drift and ensure their infrastructure remains consistent with their code. You can manage Drift Detection and Remediation through the &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/drift/#pulumi-cloud-ui"&gt;Pulumi Cloud console&lt;/a&gt;, the &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/drift/#running-drift-detection-from-the-cli"&gt;Pulumi CLI&lt;/a&gt;, the &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/drift/#setting-it-up-via-the-rest-api"&gt;REST API&lt;/a&gt;, or the &lt;a href="https://www.pulumi.com/registry/packages/pulumiservice/api-docs/driftschedule/"&gt;Pulumi Service Provider&lt;/a&gt;. Check out our &lt;a href="https://www.pulumi.com/blog/drift-detection/"&gt;detailed post&lt;/a&gt;.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Drift Detection and Remediation in Pulumi Cloud"
autoplay muted playsinline
loop &gt;
&lt;source src="https://www.pulumi.com/blog/drift-detection/drift.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h4 id="time-to-live-stacks"&gt;Time-to-Live Stacks&lt;/h4&gt;
&lt;p&gt;Creating temporary environments is crucial for running experiments, testing new features, and ensuring that everything works smoothly before going live. However, these environments are often forgotten and left running, consuming resources and adding unnecessary costs. Manually managing these temporary stacks is time-consuming, operationally burdensome, and prone to errors. Pulumi&amp;rsquo;s &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/ttl/"&gt;Time-to-Live Stacks&lt;/a&gt; feature solves this by allowing teams to set a predefined lifespan on any stack. After the specified time, the stack is automatically destroyed, preventing cost overruns and reducing security risks from idle resources. This automated cleanup process ensures cost control, enhances developer enablement, and improves security. Time-to-Live Stacks can be easily managed through the &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/ttl/#pulumi-cloud-ui"&gt;Pulumi Cloud console&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/ttl/#rest-api"&gt;REST API&lt;/a&gt;, or the &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/ttl/#pulumi-cloud-service-provider"&gt;Pulumi Service Provider&lt;/a&gt;. See our launch &lt;a href="https://www.pulumi.com/blog/ttl/"&gt;blog post&lt;/a&gt;.&lt;/p&gt;
&lt;h4 id="scheduled-deployments"&gt;Scheduled Deployments&lt;/h4&gt;
&lt;p&gt;We also rolled out &lt;a href="https://www.pulumi.com/blog/scheduled-deployments/"&gt;Scheduled Deployments&lt;/a&gt;, extending the automation capabilities of Drift Detection and Remediation and Time-to-Live Stacks. Scheduled Deployments enable precise automation of cloud operations, allowing users to schedule any Pulumi operation—such as pulumi up, pulumi refresh, pulumi destroy, or pulumi preview—for any stack with Pulumi Deployments. This provides greater flexibility for managing your cloud operations, whether it&amp;rsquo;s scheduling off-peak deployments, optimizing resource costs, or automating routine infrastructure updates. You can easily set up and manage Scheduled Deployments through the &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/schedules/#pulumi-cloud-ui"&gt;Pulumi Cloud console&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/schedules/#setting-it-up-in-the-api"&gt;REST API&lt;/a&gt;, or directly within your code using the &lt;a href="https://www.pulumi.com/registry/packages/pulumiservice/api-docs/deploymentschedule/"&gt;Pulumi Service Provider&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="pulumi-esc-new-features-to-supercharge-your-secrets-and-config-management"&gt;Pulumi ESC: New Features to Supercharge Your Secrets and Config Management&lt;/h3&gt;
&lt;p&gt;We unleashed a wave of powerful new features for &lt;a href="https://www.pulumi.com/product/esc/"&gt;Pulumi Environments, Secrets, and Configuration&lt;/a&gt; (ESC), taking secrets and configuration management to the next level. &lt;a href="https://www.pulumi.com/blog/esc-software-engineering/"&gt;Read the blog post&lt;/a&gt; to learn more about these enhancements that bring best-in-class software engineering practices to your fingertips, enabling you to manage secrets and configuration complexity at scale across all your cloud applications and infrastructure.&lt;/p&gt;
&lt;h4 id="pulumi-esc-versioning"&gt;Pulumi ESC Versioning&lt;/h4&gt;
&lt;p&gt;&lt;a href="https://www.pulumi.com/blog/esc-versioning-launch/"&gt;Pulumi ESC Versioning&lt;/a&gt; gives you unprecedented control over your secrets and configuration. Every change is captured in an immutable revision history, allowing you to audit modifications, compare versions, and safely roll back. Assign meaningful tags to revisions (e.g., &lt;code&gt;production&lt;/code&gt;, &lt;code&gt;v1.2.1&lt;/code&gt;, &lt;code&gt;stable&lt;/code&gt;) for easy management, just like Docker tags. When importing an environment, pin it to a specific version using tags or a revision number to prevent automatic propagation of changes from the source. This enables phased rollouts and thorough testing before deploying new configurations. You can also reference specific versions with the pulumi env run command, targeting different environments for different tasks. This granular control minimizes risks, enhances collaboration, and streamlines workflows. Access versioning features through the &lt;a href="https://www.pulumi.com/blog/esc-versioning-launch/#using-the-console"&gt;Pulumi Cloud Console&lt;/a&gt;, the &lt;a href="https://www.pulumi.com/docs/iac/cli/commands/pulumi_env_version/"&gt;Pulumi CLI&lt;/a&gt;, or the &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/cloud-rest-api/#environments"&gt;ESC REST API&lt;/a&gt;.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Pulumi ESC Versioning Demo"
autoplay muted playsinline
loop &gt;
&lt;source src="https://www.pulumi.com/blog/esc-versioning-launch/esc-versioning-demo.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h4 id="pulumi-esc-sdk"&gt;Pulumi ESC SDK&lt;/h4&gt;
&lt;p&gt;&lt;a href="https://www.pulumi.com/blog/esc-sdk-launch/"&gt;Pulumi ESC SDKs&lt;/a&gt; are now available for &lt;a href="https://www.pulumi.com/docs/esc/development/languages-sdks/python/"&gt;Python&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/development/languages-sdks/javascript/"&gt;TypeScript/JavaScript&lt;/a&gt;, and &lt;a href="https://www.pulumi.com/docs/esc/development/languages-sdks/go/"&gt;Go&lt;/a&gt;, making it easier than ever to harness the power of ESC directly within your applications using your favorite programming languages. The SDKs provide a simple and intuitive programmatic interface to manage your ESC environments, securely access secrets and configurations at runtime, and eliminate the need for hardcoded credentials. This streamlines your development process, enhances security, and promotes best practices for handling sensitive data. Check out our &lt;a href="https://www.pulumi.com/docs/esc/development/languages-sdks/"&gt;docs&lt;/a&gt;.&lt;/p&gt;
&lt;h4 id="pulumi-service-provider-for-esc"&gt;Pulumi Service Provider for ESC&lt;/h4&gt;
&lt;p&gt;You can now manage your Pulumi ESC Environments using the powerful &lt;a href="https://www.pulumi.com/blog/esc-automation-api-pulumi-service-provider-launch/"&gt;Pulumi Service Provider&lt;/a&gt;. This means you can &lt;a href="https://www.pulumi.com/registry/packages/pulumiservice/api-docs/environment/"&gt;define environments&lt;/a&gt;, &lt;a href="https://www.pulumi.com/registry/packages/pulumiservice/api-docs/environmentversiontag/"&gt;add version tags&lt;/a&gt;, and even &lt;a href="https://www.pulumi.com/registry/packages/pulumiservice/api-docs/teamenvironmentpermission/"&gt;control access&lt;/a&gt; using familiar Infrastructure as Code (IaC) practices, ensuring consistency and repeatability across your deployments. The Pulumi Service Provider empowers you to manage your entire infrastructure and application landscape through a unified approach.&lt;/p&gt;
&lt;h4 id="automation-api-support-for-esc"&gt;Automation API Support for ESC&lt;/h4&gt;
&lt;p&gt;We’ve expanded the powerful Pulumi Automation API to include new methods for interacting with Pulumi ESC Environments programmatically. These new methods– addEnvironments(&amp;hellip;), listEnvironments(), and removeEnvironment(environment) – enable you to seamlessly integrate environment management into your automated workflows and build sophisticated custom tooling. The &lt;a href="https://www.pulumi.com/docs/using-pulumi/automation-api/"&gt;Automation API&lt;/a&gt; provides the building blocks for advanced automation scenarios such as dynamically configuring applications based on environments, managing environment dependencies, and integrating ESC into CI/CD pipelines. Pulumi ESC Automation API capabilities are available for &lt;a href="https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/pulumi/classes/automation.Stack.html#addEnvironments"&gt;TypeScript/JavaScript&lt;/a&gt;, &lt;a href="https://pkg.go.dev/github.com/pulumi/pulumi/sdk/v3@v3.117.0/go/auto#LocalWorkspace.AddEnvironments"&gt;Go&lt;/a&gt;, and &lt;a href="https://www.pulumi.com/docs/reference/pkg/python/pulumi/#pulumi.automation.LocalWorkspace.add_environments"&gt;Python&lt;/a&gt;. Check out our &lt;a href="https://www.pulumi.com/blog/esc-automation-api-pulumi-service-provider-launch/#streamline-automated-workflows-with-automation-api-enhancements"&gt;blog post&lt;/a&gt; for examples.&lt;/p&gt;
&lt;h3 id="pulumi-cloud-oidc-trust-relationship"&gt;Pulumi Cloud OIDC Trust Relationship&lt;/h3&gt;
&lt;p&gt;Pulumi Cloud now supports &lt;a href="https://www.pulumi.com/blog/oidc-trust-relationships/"&gt;OpenID Connect (OIDC) Trust Relationships&lt;/a&gt;, allowing you to securely integrate Pulumi into any ecosystem that supports OIDC. This feature addresses the &amp;ldquo;secret zero&amp;rdquo; challenge by facilitating the exchange of secure platform tokens for short-lived Pulumi tokens, enhancing security and simplifying token management. You can configure trusted OIDC identity providers, such as &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/oidc/client/github/"&gt;GitHub&lt;/a&gt;, GitLab, or Google Cloud, and set granular policies to control token exchange based on issuer, subject, or additional claims. This integration extends to Kubernetes, enabling pods to authenticate to Pulumi Cloud using OIDC tokens issued by Google Kubernetes Engine &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/oidc/client/kubernetes-gke/"&gt;GKE&lt;/a&gt;. To further streamline the integration with GitHub Actions, we introduced a new &lt;a href="https://github.com/marketplace/actions/pulumi-auth-action"&gt;GitHub Action&lt;/a&gt; that automates the retrieval of Pulumi access tokens, making it even easier to leverage OIDC for secure authentication within your workflows. Check out our &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/oidc/client/github/"&gt;OIDC docs&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="new-project-wizard-enhancements"&gt;New Project Wizard Enhancements&lt;/h3&gt;
&lt;p&gt;We enhanced the &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/developer-portals/new-project-wizard/"&gt;New Project Wizard&lt;/a&gt; in Pulumi Cloud to streamline developer workflows and give platform teams more control over deployments. You can now configure the &lt;a href="https://www.pulumi.com/blog/developer-portal-gallery/"&gt;Developer Portal Gallery&lt;/a&gt; to exclusively display organization-specific templates, ensuring developers only use approved configurations. This simplifies template discovery and selection, reinforcing governance and compliance across development projects. We also streamlined project creation by introducing default repository locations and auto-generated project names, eliminating manual steps and potential naming conflicts. Read the &lt;a href="https://www.pulumi.com/blog/new-project-wizard-apr2024-updates/"&gt;New Project Wizard updates blog post&lt;/a&gt; for more details.&lt;/p&gt;
&lt;h2 id="core"&gt;Core&lt;/h2&gt;
&lt;h3 id="continue-on-error-in-the-pulumi-cli"&gt;Continue On Error in the Pulumi CLI&lt;/h3&gt;
&lt;p&gt;Pulumi now offers more control over error handling during deployments with the new &lt;code&gt;--continue-on-error&lt;/code&gt; flag for &lt;code&gt;pulumi up&lt;/code&gt; and &lt;code&gt;pulumi destroy&lt;/code&gt;. When managing complex infrastructure with Pulumi, deployments can involve a large number of concurrent resource operations. Previously, if an error occurred during a deployment, Pulumi would stop all new operations to prevent potential cascading failures. While this approach is often desirable, there are cases where you might want to continue updating or destroying resources that are independent of the failed resource. The &amp;ndash;continue-on-error flag enables this behavior, allowing deployments to proceed even in the presence of errors, while still respecting resource dependencies. This can be especially useful when destroying resources, as it allows you to clean up as much infrastructure as possible. Read the &lt;a href="https://www.pulumi.com/blog/continue-on-error/"&gt;blog post&lt;/a&gt; for more details.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Using pulumi new with the new AI option"
autoplay muted playsinline
loop &gt;
&lt;source src="https://www.pulumi.com/blog/continue-on-error/coe.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h3 id="run-pulumi-with-any-typescript-version"&gt;Run Pulumi with Any TypeScript Version&lt;/h3&gt;
&lt;p&gt;Previously, Pulumi&amp;rsquo;s seamless TypeScript experience was limited to version 3.8, requiring manual build steps for newer versions. But now, with the release of the &lt;a href="https://www.npmjs.com/package/@pulumi/pulumi"&gt;Pulumi Node.js SDK 3.113.0&lt;/a&gt;, you can use any TypeScript version 3.8 or later, including the latest &lt;a href="https://www.typescriptlang.org/docs/handbook/release-notes/typescript-5-4.html"&gt;TypeScript 5.4&lt;/a&gt;, by simply adding it as a dependency in your project&amp;rsquo;s package.json file. Pulumi will automatically use the specified version for compilation, unlocking access to the newest TypeScript features and improved type checking. Read the &lt;a href="https://www.pulumi.com/blog/typescript-versions/"&gt;blog post&lt;/a&gt; for a detailed example and instructions on upgrading your projects.&lt;/p&gt;
&lt;h2 id="providers-and-packages"&gt;Providers and Packages&lt;/h2&gt;
&lt;h3 id="next-generation-docker-image-builds-with-pulumi"&gt;Next-Generation Docker Image Builds with Pulumi&lt;/h3&gt;
&lt;p&gt;Pulumi introduces the new &lt;a href="https://www.pulumi.com/registry/packages/docker-build/"&gt;Docker Build provider&lt;/a&gt;, a dedicated package designed to modernize and streamline Docker image builds directly from your Pulumi programs. The new provider exposes Docker&amp;rsquo;s next-generation buildx interface, unlocking advanced features such as multi-platform image support, advanced caching mechanisms, built-in support for build secrets, and seamless integration with Docker Build Cloud. This unlocks powerful scenarios, including building multi-architecture images and optimizing build performance with various cache backends. Read the &lt;a href="https://www.pulumi.com/blog/docker-build/"&gt;blog post&lt;/a&gt; for detailed examples and migration guides.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Docker Build Cloud"
autoplay muted playsinline
loop &gt;
&lt;source src="https://www.pulumi.com/blog/docker-build/dbc.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h3 id="using-pulumi-with-azure-deployment-environments"&gt;Using Pulumi with Azure Deployment Environments&lt;/h3&gt;
&lt;p&gt;Pulumi now supports authoring &lt;a href="https://learn.microsoft.com/en-us/azure/deployment-environments/"&gt;Azure Deployment Environments (ADE)&lt;/a&gt; environment definitions, empowering developers to self-serve the application infrastructure they need while maintaining centralized management and governance. This integration allows you to leverage Pulumi&amp;rsquo;s familiar programming model and the full power of its Infrastructure as Code (IaC) platform to define and manage Azure resources within ADE environments. You can define ADE environments using a simple YAML configuration file that references a Pulumi program written in any of Pulumi&amp;rsquo;s supported languages, including C#, TypeScript, Python, Go, and YAML. Leveraging a dedicated Pulumi Docker image, ADE seamlessly executes the selected Pulumi program, provisioning the defined Azure resources. This streamlines the creation of new environments, enhances developer productivity, and ensures consistency and compliance with organizational standards. Read the &lt;a href="https://www.pulumi.com/blog/azure-deployment-environments/"&gt;blog post&lt;/a&gt; for a detailed walkthrough and examples.&lt;/p&gt;
&lt;h4 id="helm-chart-v4-resource"&gt;Helm Chart v4 Resource&lt;/h4&gt;
&lt;p&gt;Pulumi introduces a new and improved Helm Chart v4 resource (&lt;a href="https://www.pulumi.com/registry/packages/kubernetes/api-docs/helm/v4/chart/"&gt;kubernetes.helm.sh/v4.Chart&lt;/a&gt;) in the Pulumi Kubernetes provider, offering enhanced functionality, and a more streamlined experience for deploying Helm charts. A key improvement in v4 is expanded language support. Previous versions of the Chart resource were implemented separately for each Pulumi SDK, leading to inconsistencies and limited language compatibility. The new Chart v4 resource ensures consistent behavior and functionality across all Pulumi SDKs, including Python, TypeScript/JavaScript, Go, C#, Java, and YAML. Other notable enhancements include full OCI registry support, improved handling of chart values, better connectivity for cluster interactions, and improved resource ordering. Read the &lt;a href="https://www.pulumi.com/blog/kubernetes-chart-v4/"&gt;blog post&lt;/a&gt; for a detailed overview, examples, and migration guidance.&lt;/p&gt;
&lt;h3 id="new-provider-resources"&gt;New Provider Resources&lt;/h3&gt;
&lt;p&gt;We have added 121 functions and 159 resources across our most popular providers, along with many more throughout our ecosystem. We also welcome our new community provider resource: &lt;a href="https://www.pulumi.com/registry/packages/genesiscloud/"&gt;Genesis cloud&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;img src="new-provider-resources-functions.png" alt="New Provider Resources and Functions"&gt;&lt;/p&gt;
&lt;h2 id="wrap-up"&gt;Wrap up&lt;/h2&gt;
&lt;p&gt;Phew, that&amp;rsquo;s a lot! We&amp;rsquo;ve packed this release with features to empower you to build and manage modern cloud infrastructure and applications with greater efficiency, control, and confidence. Explore all the new capabilities and share your feedback – we&amp;rsquo;re always listening! Open an issue in the &lt;a href="https://github.com/pulumi/pulumi-cloud-requests/issues/new/choose"&gt;Pulumi Cloud requests repository&lt;/a&gt; or the &lt;a href="https://github.com/pulumi/pulumi"&gt;pulumi/pulumi repository&lt;/a&gt; for anything CLI-related. Stay tuned for more exciting updates!&lt;/p&gt;</description><author>Arun Loganathan</author><category>features</category><category>release-notes</category></item><item><title>Introducing Pulumi ESC Support in Automation API and the Pulumi Service Provider</title><link>https://www.pulumi.com/blog/esc-automation-api-pulumi-service-provider-launch/</link><pubDate>Wed, 05 Jun 2024 00:00:00 -0500</pubDate><guid>https://www.pulumi.com/blog/esc-automation-api-pulumi-service-provider-launch/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/esc-automation-api-pulumi-service-provider-launch/index.png" /&gt;
&lt;p&gt;We&amp;rsquo;re excited to announce two powerful new capabilities for &lt;a href="https://www.pulumi.com/product/esc"&gt;Pulumi Environments Secrets and Configurations&lt;/a&gt; (ESC) that supercharge how you manage and control your infrastructure and application secrets and configurations:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Pulumi Service Provider Support for ESC Environments&lt;/strong&gt;: Manage your environments as code right alongside your infrastructure including fine-grained access control using &lt;a href="https://www.pulumi.com/registry/packages/pulumiservice/"&gt;Pulumi Service Provider&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Automation API Enhancements for ESC&lt;/strong&gt;: Seamlessly integrate ESC Environments into your &lt;a href="https://www.pulumi.com/automation/"&gt;Automation API&lt;/a&gt;-based Pulumi projects.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These updates build upon Pulumi ESC&amp;rsquo;s commitment to simplify and streamline secrets and configuration management providing you with greater control, security, and automation capabilities.&lt;/p&gt;
&lt;h2 id="manage-esc-environments-as-code-with-the-pulumi-service-provider"&gt;Manage ESC Environments as Code with the Pulumi Service Provider&lt;/h2&gt;
&lt;p&gt;You can now manage your Pulumi ESC &lt;a href="https://www.pulumi.com/docs/esc/environments/"&gt;Environments&lt;/a&gt; directly within the Pulumi Service using the powerful Pulumi Service Provider. This means you can define environments, add &lt;a href="https://www.pulumi.com/docs/esc/environments/#tagging-versions"&gt;version tags&lt;/a&gt;, and even control access using familiar Infrastructure as Code (IaC) practices ensuring consistency and repeatability across your deployments.&lt;/p&gt;
&lt;p&gt;Here&amp;rsquo;s a glimpse of what you can achieve:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Programmatically create and manage ESC Environments&lt;/strong&gt;: Define environments alongside your infrastructure code for a unified workflow.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Add version tags to environments&lt;/strong&gt;: Add tags when you are creating the environment.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Enforce granular team permissions&lt;/strong&gt;: Control who can &lt;a href="https://www.pulumi.com/docs/esc/environments/#organization-wide-permissions"&gt;read, open, or modify&lt;/a&gt; your environments ensuring secure collaboration and preventing unauthorized access.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Bringing Pulumi ESC Environments support into the Pulumi Service Provider empowers you to manage your entire infrastructure and application landscape through a unified approach.&lt;/p&gt;
&lt;p&gt;Pulumi Service Provider ESC capabilities are available for TypeScript/JavaScript, Go, Python, C#, Java, and YAML. See our &lt;a href="https://www.pulumi.com/registry/packages/pulumiservice/api-docs/environment/"&gt;Environment&lt;/a&gt;, &lt;a href="https://www.pulumi.com/registry/packages/pulumiservice/api-docs/environmentversiontag/"&gt;Environment Version Tag&lt;/a&gt;, and &lt;a href="https://www.pulumi.com/registry/packages/pulumiservice/api-docs/teamenvironmentpermission/"&gt;Environment Permissions&lt;/a&gt; Pulumi Service Provider docs. Here are examples of creating environments in TypeScript/JavaScript, Go, and Python:&lt;/p&gt;
&lt;div&gt;
&lt;pulumi-chooser type="language" options="typescript,python,go" mode=""&gt;&lt;/pulumi-chooser&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;pulumi-choosable type="language" values="typescript" mode=""&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-typescript" data-lang="typescript"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kr"&gt;import&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="kr"&gt;as&lt;/span&gt; &lt;span class="nx"&gt;service&lt;/span&gt; &lt;span class="kr"&gt;from&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;@pulumi/pulumiservice&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kr"&gt;import&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="kr"&gt;as&lt;/span&gt; &lt;span class="nx"&gt;pulumi&lt;/span&gt; &lt;span class="kr"&gt;from&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;@pulumi/pulumi&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kd"&gt;var&lt;/span&gt; &lt;span class="nx"&gt;environment&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nx"&gt;service&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Environment&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;testing-environment&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;organization&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;service-provider-test-org&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;name&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;testing-environment-ts&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;yaml&lt;/span&gt;: &lt;span class="kt"&gt;new&lt;/span&gt; &lt;span class="nx"&gt;pulumi&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;asset&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;StringAsset&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="sb"&gt;`values:
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="sb"&gt; myKey1: &amp;#34;myValue1&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="sb"&gt; myNestedKey:
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="sb"&gt; myKey2: &amp;#34;myValue2&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="sb"&gt; myNumber: 1`&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;})&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/pulumi-choosable&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;pulumi-choosable type="language" values="python" mode=""&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;pulumi&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="nn"&gt;pulumi_pulumiservice&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;Environment&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;environment&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;Environment&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;testing-environment&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;organization&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;service-provider-test-org&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;testing-environment-py&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;yaml&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;pulumi&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;StringAsset&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;&amp;#34;&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; values:
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; myKey1: &amp;#34;myValue1&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; myNestedKey:
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; myKey2: &amp;#34;myValue2&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; myNumber: 1
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; &amp;#34;&amp;#34;&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/pulumi-choosable&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;pulumi-choosable type="language" values="go" mode=""&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-go" data-lang="go"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;package&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;main&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;github.com/pulumi/pulumi-pulumiservice/sdk/go/pulumiservice&amp;#34;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;github.com/pulumi/pulumi/sdk/v3/go/pulumi&amp;#34;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kd"&gt;func&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nf"&gt;main&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;pulumi&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Run&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kd"&gt;func&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;ctx&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="nx"&gt;pulumi&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Context&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kt"&gt;error&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;_&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;pulumiservice&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;NewEnvironment&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;ctx&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;testing-environment&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;amp;&lt;/span&gt;&lt;span class="nx"&gt;pulumiservice&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;EnvironmentArgs&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Name&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;pulumi&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;String&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;testing-environment-go&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Organization&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;pulumi&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;String&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;service-provider-test-org&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Yaml&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;pulumi&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;NewStringAsset&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;`
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s"&gt; values:
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s"&gt; myKey1: &amp;#34;myValue1&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s"&gt; myNestedKey:
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s"&gt; myKey2: &amp;#34;myValue2&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s"&gt; myNumber: 1`&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;})&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;})&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/pulumi-choosable&gt;
&lt;/div&gt;
&lt;h2 id="streamline-automated-workflows-with-automation-api-enhancements"&gt;Streamline Automated Workflows with Automation API Enhancements&lt;/h2&gt;
&lt;p&gt;We&amp;rsquo;re expanding the powerful Pulumi Automation API to include new methods for interacting with Pulumi ESC Environments programmatically. This enables you to seamlessly integrate environment management into your automated workflows and build sophisticated custom tooling.&lt;/p&gt;
&lt;p&gt;The new Automation API methods for ESC include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;addEnvironments(...)&lt;/code&gt;: Append environments in order to your Pulumi stack&amp;rsquo;s &lt;a href="https://www.pulumi.com/docs/esc/environments/#using-environments-with-pulumi-iac"&gt;import&lt;/a&gt; list.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;listEnvironments()&lt;/code&gt;: Retrieve a list of environments currently imported into your stack.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;removeEnvironment(environment)&lt;/code&gt;: Remove a specific environment from your stack&amp;rsquo;s import list.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These additions provide the building blocks for advanced automation scenarios such as dynamically configuring applications based on environments, managing environment dependencies, and integrating ESC into CI/CD pipelines.&lt;/p&gt;
&lt;p&gt;Pulumi ESC Automation API capabilities are available for &lt;a href="https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/pulumi/classes/automation.Stack.html#addEnvironments"&gt;TypeScript/JavaScript&lt;/a&gt;, &lt;a href="https://pkg.go.dev/github.com/pulumi/pulumi/sdk/v3@v3.117.0/go/auto#LocalWorkspace.AddEnvironments"&gt;Go&lt;/a&gt;, and &lt;a href="https://www.pulumi.com/docs/reference/pkg/python/pulumi/#pulumi.automation.LocalWorkspace.add_environments"&gt;Python&lt;/a&gt;. Here are some examples:&lt;/p&gt;
&lt;div&gt;
&lt;pulumi-chooser type="language" options="typescript,python,go" mode=""&gt;&lt;/pulumi-chooser&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;pulumi-choosable type="language" values="typescript" mode=""&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-typescript" data-lang="typescript"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kr"&gt;import&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="kr"&gt;as&lt;/span&gt; &lt;span class="nx"&gt;pulumi&lt;/span&gt; &lt;span class="kr"&gt;from&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;@pulumi/pulumi&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kr"&gt;import&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="kr"&gt;as&lt;/span&gt; &lt;span class="nx"&gt;automation&lt;/span&gt; &lt;span class="kr"&gt;from&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;@pulumi/pulumi/automation&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kr"&gt;async&lt;/span&gt; &lt;span class="kd"&gt;function&lt;/span&gt; &lt;span class="nx"&gt;manageEnvironments() {&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;projectName&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;myProject&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;stackName&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;dev&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;// Set up your stack options. Here we&amp;#39;re using an empty program
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;// since we&amp;#39;re only manipulating environments, not deploying resources.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;stackArgs&lt;/span&gt;: &lt;span class="kt"&gt;automation.InlineProgramArgs&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;stackName&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;projectName&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;program&lt;/span&gt;: &lt;span class="kt"&gt;async&lt;/span&gt; &lt;span class="p"&gt;()&lt;/span&gt; &lt;span class="o"&gt;=&amp;gt;&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="p"&gt;},&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;};&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;// Create or select an existing stack.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;stack&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="nx"&gt;automation&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;LocalWorkspace&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;createOrSelectStack&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;stackArgs&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;// Add environments to your stack&amp;#39;s configuration.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;// This is like adding them to the `imports` section of an ESC environment.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="nx"&gt;stack&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;addEnvironments&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;env1&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;env2&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;// The stack&amp;#39;s configuration now includes `env1` and `env2`.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;// List the environments currently configured for the stack.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;environments&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="nx"&gt;stack&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;listEnvironments&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;console&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;Current environments:&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;environments&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt; &lt;span class="c1"&gt;// Output: [&amp;#34;env1&amp;#34;, &amp;#34;env2&amp;#34;]
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;// Remove an environment from the stack&amp;#39;s configuration.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="nx"&gt;stack&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;removeEnvironment&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;env1&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;// The stack&amp;#39;s configuration now only includes `env2`.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;// List environments again to confirm the removal.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;updatedEnvironments&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="nx"&gt;stack&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;listEnvironments&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;console&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;Updated environments:&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;updatedEnvironments&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt; &lt;span class="c1"&gt;// Output: [&amp;#34;env2&amp;#34;]
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;// Call the async function to execute.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nx"&gt;manageEnvironments&lt;/span&gt;&lt;span class="p"&gt;().&lt;/span&gt;&lt;span class="k"&gt;catch&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;console&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;error&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/pulumi-choosable&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;pulumi-choosable type="language" values="python" mode=""&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;pulumi&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="nn"&gt;pulumi.automation&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;LocalWorkspace&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;ProjectSettings&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;Stack&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;manage_environments&lt;/span&gt;&lt;span class="p"&gt;():&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;stack_name&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;dev&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;project_name&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;myProject&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# Define the project settings.&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;project_settings&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;ProjectSettings&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;project_name&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;runtime&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;python&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# Create a LocalWorkspace with the project settings.&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;workspace&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;LocalWorkspace&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;work_dir&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;.&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="c1"&gt;# Use the current directory as the working directory&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;project_settings&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;project_settings&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# Create or select an existing stack.&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;stack&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;Stack&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;create&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;stack_name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;stack_name&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;workspace&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;workspace&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# Add environments to the stack&amp;#39;s configuration.&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;stack&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;add_environments&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;env1&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;env2&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# List the environments associated with the stack.&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;environments&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;stack&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;list_environments&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nb"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;Current environments:&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;environments&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="c1"&gt;# Output: [&amp;#39;env1&amp;#39;, &amp;#39;env2&amp;#39;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# Remove an environment from the stack&amp;#39;s configuration.&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;stack&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;remove_environment&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;env1&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# List the environments again to verify the removal.&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;updated_environments&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;stack&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;list_environments&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nb"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;Updated environments:&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;updated_environments&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="c1"&gt;# Output: [&amp;#39;env2&amp;#39;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# Run the function to manage environments.&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;manage_environments&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/pulumi-choosable&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;pulumi-choosable type="language" values="go" mode=""&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-go" data-lang="go"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;package&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;main&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;context&amp;#34;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;fmt&amp;#34;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;log&amp;#34;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;github.com/pulumi/pulumi/sdk/v3/go/auto&amp;#34;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;github.com/pulumi/pulumi/sdk/v3/go/common/tokens&amp;#34;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;github.com/pulumi/pulumi/sdk/v3/go/common/workspace&amp;#34;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kd"&gt;func&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nf"&gt;main&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;ctx&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;context&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Background&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;projectName&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;myProject&amp;#34;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;stackName&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;dev&amp;#34;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// Define the project configuration.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;project&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;workspace&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Project&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Name&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;tokens&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;PackageName&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;projectName&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Runtime&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;workspace&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;NewProjectRuntimeInfo&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;go&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// Create a workspace with the project configuration.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// Here we&amp;#39;re using an empty program since we&amp;#39;re only manipulating environments, not deploying resources.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;ws&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;auto&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;NewLocalWorkspace&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;ctx&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;auto&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Project&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;project&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;auto&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Program&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Fatalf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;Failed to create workspace: %v&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// Create or select an existing stack.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;stack&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;auto&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;UpsertStack&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;ctx&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;stackName&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;ws&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Fatalf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;Failed to create or select stack: %v&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// Add environments to the stack&amp;#39;s configuration.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// This is like adding them to the `imports` section of an ESC environment.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;stack&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;AddEnvironments&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;ctx&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;env1&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;env2&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Fatalf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;Failed to add environments: %v&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// The stack&amp;#39;s configuration now includes `env1` and `env2`.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// List the environments associated with the stack.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;envs&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;stack&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;ListEnvironments&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;ctx&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Fatalf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;Failed to list environments: %v&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;fmt&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Println&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;Current environments:&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;envs&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// Output: map[env1:{env1} env2:{env2}]&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// Remove an environment from the stack&amp;#39;s configuration.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;stack&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;RemoveEnvironment&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;ctx&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;env1&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Fatalf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;Failed to remove environment: %v&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// The stack&amp;#39;s configuration now only includes `env2`.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// List the environments again to confirm the removal.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;envs&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;stack&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;ListEnvironments&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;ctx&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Fatalf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;Failed to list environments: %v&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;fmt&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Println&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;Updated environments:&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;envs&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// Output: map[env2:{env2}]&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/pulumi-choosable&gt;
&lt;/div&gt;
&lt;h2 id="whats-coming-in-the-future"&gt;What’s Coming in the Future&lt;/h2&gt;
&lt;p&gt;We have exciting plans to further enhance these capabilities. Here&amp;rsquo;s a sneak peek at what&amp;rsquo;s on the horizon:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Pulumi service Provider&lt;/strong&gt;: Capabilities to Open, Read, and List any environment versions and version tags&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Automation API&lt;/strong&gt;: Capabilities to author new environments, and assign version tags&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Need more features or want to share feedback? We encourage you to open new issues on our &lt;a href="https://github.com/pulumi/esc/issues/new/choose"&gt;GitHub repository&lt;/a&gt; or upvote existing &lt;a href="https://github.com/pulumi/esc/issues"&gt;ones&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id="get-started-today"&gt;Get Started Today!&lt;/h2&gt;
&lt;p&gt;These powerful new features are available now! We&amp;rsquo;re excited to see how you leverage these updates to simplify your secrets and configuration management, enhance your security posture, and unlock new levels of automation.&lt;/p&gt;
&lt;p&gt;To learn more and start leveraging the enhanced capabilities of Pulumi ESC check out the following resources:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Pulumi Service Provider for ESC &lt;a href="https://www.pulumi.com/registry/packages/pulumiservice/api-docs/environment/"&gt;Environment&lt;/a&gt;, &lt;a href="https://www.pulumi.com/registry/packages/pulumiservice/api-docs/environmentversiontag/"&gt;Environment Version Tag&lt;/a&gt;, and &lt;a href="https://www.pulumi.com/registry/packages/pulumiservice/api-docs/teamenvironmentpermission/"&gt;Environment Permissions&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Pulumi ESC Automation API in &lt;a href="https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/pulumi/classes/automation.Stack.html#addEnvironments"&gt;TypeScript/JavaScript&lt;/a&gt;, &lt;a href="https://pkg.go.dev/github.com/pulumi/pulumi/sdk/v3@v3.117.0/go/auto#LocalWorkspace.AddEnvironments"&gt;Go&lt;/a&gt;, and &lt;a href="https://www.pulumi.com/docs/reference/pkg/python/pulumi/#pulumi.automation.LocalWorkspace.add_environments"&gt;Python&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description><author>Arun Loganathan</author><author>Iaroslav Titov</author><category>esc</category><category>secrets</category><category>configuration-management</category><category>features</category></item><item><title>Introducing Pulumi ESC SDK: Streamline Your Application Secrets Management</title><link>https://www.pulumi.com/blog/esc-sdk-launch/</link><pubDate>Wed, 05 Jun 2024 00:00:00 -0400</pubDate><guid>https://www.pulumi.com/blog/esc-sdk-launch/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/esc-sdk-launch/index.png" /&gt;
&lt;p&gt;Managing secrets and application configurations effectively is crucial for building secure and maintainable software. However, developers often face challenges such as hardcoded credentials, configuration inconsistencies, and security risks. &lt;a href="https://www.pulumi.com/product/esc"&gt;Pulumi Environments Secrets and Configuration&lt;/a&gt; (ESC) simplifies the management of sensitive data and configuration across your entire application lifecycle. Today, we&amp;rsquo;re thrilled to introduce the official Pulumi ESC SDK in &lt;a href="https://www.pulumi.com/docs/esc/development/languages-sdks/javascript/"&gt;TypeScript/JavaScript&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/development/languages-sdks/go/"&gt;Go&lt;/a&gt;, and &lt;a href="https://www.pulumi.com/docs/esc/development/languages-sdks/python/"&gt;Python&lt;/a&gt;, making it even easier to integrate ESC directly into your applications.&lt;/p&gt;
&lt;h2 id="primer-on-pulumi-esc"&gt;Primer on Pulumi ESC&lt;/h2&gt;
&lt;p&gt;Pulumi ESC (Environments, Secrets, and Configuration) provides a developer-first solution to simplify how you manage sensitive data and configuration across your entire application lifecycle. It&amp;rsquo;s a fully managed solution allowing teams to generate &lt;a href="https://www.pulumi.com/docs/esc/integrations/"&gt;dynamic cloud provider&lt;/a&gt; credentials, aggregate secrets and configuration from multiple sources, and manage them through composable collections called &amp;ldquo;&lt;a href="https://www.pulumi.com/docs/esc/environments/"&gt;environments&lt;/a&gt;.&amp;rdquo; These environments can be consumed from anywhere, making Pulumi ESC ideal for any &lt;a href="https://www.pulumi.com/docs/esc/integrations/"&gt;application and development workflow&lt;/a&gt;. Additionally, while Pulumi ESC works independently to eliminate duplication and reduce drift and sprawl of secrets and configuration for all your applications, it also &lt;a href="https://www.pulumi.com/docs/esc/get-started/integrate-with-pulumi-iac/"&gt;integrates&lt;/a&gt; smoothly with Pulumi Infrastructure as Code (IaC) to enhance these capabilities within the Pulumi ecosystem.&lt;/p&gt;
&lt;h2 id="introducing-the-pulumi-esc-sdk"&gt;Introducing the Pulumi ESC SDK&lt;/h2&gt;
&lt;p&gt;We&amp;rsquo;re excited to unveil the official Pulumi ESC SDK, making it even easier to harness the power of ESC directly within your applications using your favorite programming languages. The SDK provides a simple programmatic interface to all of Pulumi ESC&amp;rsquo;s robust features, allowing you to:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Manage the Entire Lifecycle of Your Environments:&lt;/strong&gt; Create new environments, list existing ones, and easily update or delete them as your needs evolve. You can even add &lt;a href="https://www.pulumi.com/docs/esc/environments/versioning/#tagging-versions"&gt;version tags&lt;/a&gt; to your environments, making it simple to track changes and roll back to previous states if needed.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Seamlessly Integrate Secrets and Configurations:&lt;/strong&gt; Securely access and utilize secrets and configurations within your applications, ensuring consistency of configuration across environments. The SDK provides a streamlined way to fetch the information you need, whether it&amp;rsquo;s dynamic cloud credentials, database connection strings, feature flags, or any other sensitive data.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The Pulumi ESC SDK streamlines secret and configuration management, promoting secure handling best practices. It handles the secure storage and retrieval of your sensitive data at runtime, eliminating the need to store credentials long-term and minimizing the risk of accidental exposure. The SDK is a natural extension of your development workflow, offering familiar objects and methods, smooth integration with your IDE, and the benefits of type safety such as compile-time checks and helpful code suggestions that reduce errors and accelerate development.&lt;/p&gt;
&lt;h2 id="how-to-get-started"&gt;How to Get Started&lt;/h2&gt;
&lt;p&gt;Here are a few examples of how to use the ESC SDK for various languages:&lt;/p&gt;
&lt;div&gt;
&lt;pulumi-chooser type="language" options="typescript,python,go" mode=""&gt;&lt;/pulumi-chooser&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;pulumi-choosable type="language" values="typescript" mode=""&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-typescript" data-lang="typescript"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kr"&gt;import&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="kr"&gt;as&lt;/span&gt; &lt;span class="nx"&gt;esc&lt;/span&gt; &lt;span class="kr"&gt;from&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;@pulumi/esc-sdk&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kr"&gt;async&lt;/span&gt; &lt;span class="kd"&gt;function&lt;/span&gt; &lt;span class="nx"&gt;main() {&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;PULUMI_ACCESS_TOKEN&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;process&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;env&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;PULUMI_ACCESS_TOKEN&lt;/span&gt;&lt;span class="o"&gt;!&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;orgName&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;process&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;env&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;PULUMI_ORG&lt;/span&gt;&lt;span class="o"&gt;!&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;config&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nx"&gt;esc&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Configuration&lt;/span&gt;&lt;span class="p"&gt;({&lt;/span&gt; &lt;span class="nx"&gt;accessToken&lt;/span&gt;: &lt;span class="kt"&gt;PULUMI_ACCESS_TOKEN&lt;/span&gt; &lt;span class="p"&gt;});&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;client&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nx"&gt;esc&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;EscApi&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;config&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;envName&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;sdk-typescript-example&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;// Create a new environment
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="nx"&gt;client&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;createEnvironment&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;orgName&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;envName&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;envDef&lt;/span&gt;: &lt;span class="kt"&gt;esc.EnvironmentDefinition&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;values&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;my_secret&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;fn::secret&amp;#34;&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;shh! don&amp;#39;t tell anyone&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;},&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;},&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;};&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;// Update the environment with the new definition
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="nx"&gt;client&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;updateEnvironment&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;orgName&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;envName&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;envDef&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;// Open and read the environment
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;openEnv&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="nx"&gt;client&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;openAndReadEnvironment&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;orgName&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;envName&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;!&lt;/span&gt;&lt;span class="nx"&gt;openEnv&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;console&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;error&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;Failed to open and read the environment&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;// Acces the value of the secret
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;secretValue&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;openEnv&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;values&lt;/span&gt;&lt;span class="o"&gt;?&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;my_secret&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;console&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sb"&gt;`Secret value: &lt;/span&gt;&lt;span class="si"&gt;${&lt;/span&gt;&lt;span class="nx"&gt;secretValue&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="err"&gt;\&lt;/span&gt;&lt;span class="sb"&gt;n`&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;// List all the environments in the organization
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;orgEnvs&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="nx"&gt;client&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;listEnvironments&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;orgName&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;!&lt;/span&gt;&lt;span class="nx"&gt;orgEnvs&lt;/span&gt; &lt;span class="o"&gt;||&lt;/span&gt; &lt;span class="o"&gt;!&lt;/span&gt;&lt;span class="nx"&gt;orgEnvs&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;environments&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;console&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;No environments found&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;env&lt;/span&gt; &lt;span class="k"&gt;of&lt;/span&gt; &lt;span class="nx"&gt;orgEnvs&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;environments&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;console&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sb"&gt;`Environment: &lt;/span&gt;&lt;span class="si"&gt;${&lt;/span&gt;&lt;span class="nx"&gt;env&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;name&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="sb"&gt;`&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kr"&gt;async&lt;/span&gt; &lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="o"&gt;=&amp;gt;&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;await&lt;/span&gt; &lt;span class="nx"&gt;main&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;})();&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/pulumi-choosable&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;pulumi-choosable type="language" values="python" mode=""&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;pulumi_esc_sdk&lt;/span&gt; &lt;span class="k"&gt;as&lt;/span&gt; &lt;span class="nn"&gt;esc&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;os&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;accessToken&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;getenv&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;PULUMI_ACCESS_TOKEN&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;orgName&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;getenv&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;PULUMI_ORG&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;configuration&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;esc&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Configuration&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;access_token&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;accessToken&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;client&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;esc&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;EscClient&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;configuration&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;envName&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;sdk-python-example&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# Create environment&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;client&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;create_environment&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;orgName&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;envName&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# create a new EnvironmentDefinition with &amp;#34;my_secret&amp;#34; as a secret in values additional_properties&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;envDef&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;esc&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;EnvironmentDefinition&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;imports&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[],&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;values&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;esc&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;EnvironmentDefinitionValues&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;additional_properties&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;my_secret&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;fn::secret&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;shh! don&amp;#39;t tell anyone&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# Update environment&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;client&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;update_environment&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;orgName&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;envName&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;envDef&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# Open and read the environment&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;env&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;values&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;yaml&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;client&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;open_and_read_environment&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;orgName&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;envName&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;secret&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;values&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;my_secret&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nb"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Secret: &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;secret&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="se"&gt;\n&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# List environments&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;environments&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;client&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;list_environments&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;orgName&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;env&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;environments&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;environments&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nb"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Environment: &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;env&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;name&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/pulumi-choosable&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;pulumi-choosable type="language" values="go" mode=""&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-go" data-lang="go"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;package&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;main&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;log&amp;#34;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;os&amp;#34;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;esc&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;github.com/pulumi/esc-sdk/sdk/go&amp;#34;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kd"&gt;func&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nf"&gt;main&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;accessToken&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;os&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Getenv&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;PULUMI_ACCESS_TOKEN&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;orgName&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;os&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Getenv&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;PULUMI_ORG&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;configuration&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;esc&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;NewConfiguration&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;escClient&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;esc&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;NewClient&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;configuration&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;authCtx&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;esc&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;NewAuthContext&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;accessToken&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;envName&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;sdk-go-example&amp;#34;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// Create Environment&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;escClient&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;CreateEnvironment&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;authCtx&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;orgName&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;envName&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Fatalf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;Failed to create environment: %v&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// Update Environment with Secrets&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;updatePayload&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;amp;&lt;/span&gt;&lt;span class="nx"&gt;esc&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;EnvironmentDefinition&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Values&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;amp;&lt;/span&gt;&lt;span class="nx"&gt;esc&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;EnvironmentDefinitionValues&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;AdditionalProperties&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;map&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="kd"&gt;interface&lt;/span&gt;&lt;span class="p"&gt;{}{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;my_secret&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;map&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;fn::secret&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;shh! don&amp;#39;t tell anyone&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;_&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;escClient&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;UpdateEnvironment&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;authCtx&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;orgName&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;envName&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;updatePayload&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Fatalf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;Failed to update environment: %v&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// Open and View Secrets&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;_&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;values&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;escClient&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;OpenAndReadEnvironment&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;authCtx&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;orgName&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;envName&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Fatalf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;Failed to open environment: %v&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;mySecret&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;ok&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;values&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;my_secret&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;!&lt;/span&gt;&lt;span class="nx"&gt;ok&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Fatalf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;Secret &amp;#39;my_secret&amp;#39; not found in environment %s&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;envName&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Printf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;my_secret: %v\n&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;mySecret&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;orgEnvs&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;escClient&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;ListEnvironments&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;authCtx&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;orgName&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Fatalf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;Failed to list environments: %v&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;for&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;_&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;orgEnv&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;range&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;orgEnvs&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Environments&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Printf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;Environment: %v\n&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;orgEnv&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Name&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/pulumi-choosable&gt;
&lt;/div&gt;
&lt;h2 id="example-scenarios-pulumi-esc-sdk-in-action"&gt;Example Scenarios: Pulumi ESC SDK in Action&lt;/h2&gt;
&lt;p&gt;Here are some real-world scenarios showcasing how you can leverage the Pulumi ESC SDK:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Database Credentials&lt;/strong&gt;: Applications can use the ESC SDK to fetch database credentials with a specified TTL, ensuring they always use valid credentials, even as the credentials are rotated in the background. This eliminates service interruptions due to expired credentials.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Secure Serverless Deployments&lt;/strong&gt;: A Google Cloud Function requiring access to an AWS S3 bucket can leverage the ESC SDK to obtain temporary AWS credentials during runtime. This enables secure cross-cloud interactions without embedding long-lived AWS credentials directly within the function&amp;rsquo;s code.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Microservices Configuration&lt;/strong&gt;: With ESC, development teams can manage diverse configurations for their microservices, including API endpoints, retry policies, and logging levels, specific to each environment (development, staging, production). The ESC SDK allows each microservice to retrieve the correct configuration values during runtime, simplifying environment-based customizations.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="get-started-today"&gt;Get Started Today!&lt;/h2&gt;
&lt;p&gt;The Pulumi ESC SDK is available now! To learn more and start simplifying your application secrets workflow, check out the &lt;a href="https://www.pulumi.com/docs/esc/development/languages-sdks/"&gt;Pulumi ESC SDK&lt;/a&gt; Documentation. We&amp;rsquo;re confident that this powerful new tool will streamline your development process, enhance your application security, and empower you to build innovative solutions with confidence. Join us on this journey towards a more secure and manageable future for application secrets and configurations!&lt;/p&gt;</description><author>Arun Loganathan</author><author>Cleve Littlefield</author><category>esc</category><category>secrets</category><category>features</category></item><item><title>Unveiling Pulumi ESC Versioning: Manage Secrets and Deployments with Confidence</title><link>https://www.pulumi.com/blog/esc-versioning-launch/</link><pubDate>Wed, 05 Jun 2024 00:00:00 -0300</pubDate><guid>https://www.pulumi.com/blog/esc-versioning-launch/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/esc-versioning-launch/index.png" /&gt;
&lt;p&gt;Since the launch of &lt;a href="https://www.pulumi.com/product/esc"&gt;Pulumi Environments, Secrets and Configuration&lt;/a&gt; (ESC), our developer-first configuration and secrets management platform, we&amp;rsquo;ve seen exponential growth in usage. Customers have used it to simplify their secrets and configuration management by organizing them into composable collections called &amp;rsquo;environments&amp;rsquo;. Today, we are thrilled to introduce a comprehensive suite of versioning features, giving you unprecedented control and confidence in managing your environments.&lt;/p&gt;
&lt;h2 id="uncover-the-key-features-of-pulumi-esc-versioning"&gt;Uncover the Key Features of Pulumi ESC Versioning&lt;/h2&gt;
&lt;p&gt;Pulumi ESC Versioning introduces a range of powerful features:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Immutable Revision History&lt;/strong&gt;: Every time you save an environment, a new, immutable revision is created, preserving a complete and tamper-proof history of your changes.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Compare Revisions Side-by-Side&lt;/strong&gt;: Gain a clear understanding of changes between revisions with our detailed side-by-side comparison view. This helps identify differences, troubleshoot issues, and ensure smooth transitions between versions.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Tag Revisions&lt;/strong&gt;: Assign meaningful names to specific revisions, enabling you to easily manage and deploy different versions of your environments. You can use tags like &lt;code&gt;production&lt;/code&gt;, &lt;code&gt;v1.2.1&lt;/code&gt;, &lt;code&gt;stable&lt;/code&gt;, &lt;code&gt;pre-release&lt;/code&gt;, and &lt;code&gt;in-development&lt;/code&gt; to clearly communicate the purpose or stage of each version. Each environment has a built-in &lt;code&gt;latest&lt;/code&gt; tag that always points to the environment’s most recent revision.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Import Specific Versions&lt;/strong&gt;: Precisely control which version of an environment is imported, either by specifying a tag (e.g., &lt;code&gt;environmentA@prod&lt;/code&gt;) or using a specific revision number (e.g., &lt;code&gt;environmentB@2&lt;/code&gt;). This method also applies when &lt;a href="https://www.pulumi.com/docs/esc/environments/#importing-other-environments"&gt;importing environments&lt;/a&gt; via &lt;a href="https://www.pulumi.com/docs/esc/environments/#using-environments-with-pulumi-iac"&gt;Pulumi Stack Config&lt;/a&gt; or via other environments, to effectively &amp;lsquo;pin&amp;rsquo; the desired version.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Rollback to a Specific Version&lt;/strong&gt;: Quickly revert your environment to a previous state by rolling back to a specific version or revision. This provides a safety net for deployments and makes it easy to undo unwanted changes.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Retract a Revision&lt;/strong&gt;: Quickly remove a revision from your history – crucial for situations like accidentally exposing a secret in plaintext.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="level-up-your-workflow"&gt;Level Up Your Workflow&lt;/h2&gt;
&lt;p&gt;Pulumi ESC Versioning delivers significant benefits that can transform your development process:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Disaster Prevention&lt;/strong&gt;: By pinning a version during import, you can test new configurations in isolation before applying them to critical production systems. This minimizes downtime, reduces risk, and ensures business continuity, boosting confidence in deployments and supporting agile practices.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Improved Auditing and Collaboration&lt;/strong&gt;: Easily track the complete history of your environments, including who made changes and when. This granular audit trail enhances security, ensures compliance, and promotes seamless collaboration within your team.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Streamlined Development Workflows&lt;/strong&gt;: Similar to Docker tags, Pulumi ESC version tags provide a familiar and intuitive way to categorize and utilize specific revisions to manage different stages of your environments.&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;Tags and specific version imports are available on the Enterprise and Business Critical editions of Pulumi Cloud. The Team Edition offers access to the latest 5 revisions.&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="how-to-get-started"&gt;How to Get Started&lt;/h2&gt;
&lt;p&gt;Ready to start using versioning in Pulumi ESC? Here&amp;rsquo;s how you can get started using the CLI or the Console:&lt;/p&gt;
&lt;h3 id="using-the-cli"&gt;Using the CLI&lt;/h3&gt;
&lt;p&gt;Make sure you have the latest &lt;a href="https://www.pulumi.com/docs/iac/download-install/"&gt;Pulumi CLI&lt;/a&gt; installed before you perform these steps. In your terminal,&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;Run &lt;code&gt;pulumi env edit &amp;lt;environment-name&amp;gt;&lt;/code&gt; to edit an environment&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Run &lt;code&gt;pulumi env version history &amp;lt;environment-name&amp;gt;&lt;/code&gt; to view all revision history&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Run &lt;code&gt;pulumi env diff &amp;lt;environment-name&amp;gt;[@&amp;lt;version&amp;gt;] [[&amp;lt;environment-name&amp;gt;]@&amp;lt;version&amp;gt;]&lt;/code&gt; to compare changes between versions&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Run &lt;code&gt;pulumi env version tag &amp;lt;environment-name&amp;gt;@&amp;lt;tag&amp;gt;&lt;/code&gt; to assign a tag to the latest revision&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Create a new environment using &lt;code&gt;pulumi env init &amp;lt;new-environment-name&amp;gt;&lt;/code&gt; and import the previously edited environment using this syntax:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;imports&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;- &lt;span class="l"&gt;&amp;lt;environment-name&amp;gt;@&amp;lt;tag&amp;gt;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Run &lt;code&gt;pulumi env open &amp;lt;new-environment-name&amp;gt;&lt;/code&gt; to open and confirm that you have imported the right environment version&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Check out the &lt;a href="https://www.pulumi.com/docs/iac/cli/commands/pulumi_env/"&gt;Pulumi CLI documentation&lt;/a&gt; for more details on available options and commands.&lt;/p&gt;
&lt;h3 id="using-the-console"&gt;Using the Console&lt;/h3&gt;
&lt;p&gt;In your Pulumi Cloud Console,&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Open an environment, make a change, and click &lt;code&gt;Save&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Go to the &lt;code&gt;Versions&lt;/code&gt; Tab and select &lt;code&gt;Revision History&lt;/code&gt; view to see the history of changes made to the environment&lt;/li&gt;
&lt;li&gt;Click on a revision to see its details or view the differences between revisions using &lt;code&gt;compare revisions&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Add a tag to a revision by clicking on the Actions menu&lt;/li&gt;
&lt;li&gt;Go to the &lt;code&gt;Tags&lt;/code&gt; view and copy the reference to the tag&lt;/li&gt;
&lt;li&gt;Create a new environment and import the tag&lt;/li&gt;
&lt;/ol&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Pulumi ESC Versioning Demo"
autoplay muted playsinline
loop &gt;
&lt;source src="esc-versioning-demo.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h2 id="real-world-scenarios"&gt;Real-world Scenarios&lt;/h2&gt;
&lt;p&gt;Here are a few examples of how you might use these features:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Global Infrastructure Update&lt;/strong&gt;: You need to deploy a new configuration to a global service spanning multiple regions. Tag the updated configuration as &lt;code&gt;next&lt;/code&gt; and deploy it to one region for testing. After verifying stability, you can confidently roll it out to other regions. If issues arise, quickly revert to the previous &lt;code&gt;stable&lt;/code&gt; version, ensuring resilient and minimally disruptive deployments.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Platform Team Releases&lt;/strong&gt;: If you&amp;rsquo;re a Platform team responsible for generating configurations, by tagging releases with labels like &lt;code&gt;v1.0-stable&lt;/code&gt; and &lt;code&gt;v1.2-development&lt;/code&gt;, you can clearly communicate which configurations are production-ready, keeping other teams informed about the ongoing development, and fostering seamless collaboration.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Code Review and Debugging&lt;/strong&gt;: You&amp;rsquo;re working in a development environment where the latest revision includes multiple recent changes, and you notice that the application is experiencing performance issues. By using the Compare Revisions Side-by-Side feature or &lt;code&gt;pulumi env diff&lt;/code&gt;, you can quickly identify the specific changes that might be causing the problem, enabling faster troubleshooting and resolution.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These examples are just a glimpse of how Pulumi ESC’s versioning capabilities can streamline your development and deployment process. The possibilities are vast, and you can tailor your tagging strategy to fit your specific needs and operational workflows.&lt;/p&gt;
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;The versioning capabilities in Pulumi ESC mark a significant step towards a more developer-friendly and efficient platform for configuration and secrets management. These features provide a robust foundation for secure, reliable, and auditable deployments, whether you&amp;rsquo;re rolling out infrastructure updates or ensuring compliance with industry regulations.&lt;/p&gt;
&lt;p&gt;We&amp;rsquo;re excited to see how you leverage these powerful capabilities. Your feedback is crucial in helping us shape the product to better serve your needs. We encourage you to open new issues on our &lt;a href="https://github.com/pulumi/esc/issues/new/choose"&gt;GitHub repository&lt;/a&gt;, upvote existing &lt;a href="https://github.com/pulumi/esc/issues"&gt;ones&lt;/a&gt;, or join the conversation on our &lt;a href="https://slack.pulumi.com/"&gt;community Slack&lt;/a&gt; channel.&lt;/p&gt;
&lt;p&gt;Check out the &lt;a href="https://www.pulumi.com/docs/iac/cli/commands/pulumi_env/"&gt;Pulumi CLI&lt;/a&gt; and &lt;a href="https://www.pulumi.com/docs/esc/environments/#versioning-environments"&gt;Versioning&lt;/a&gt; docs.&lt;/p&gt;</description><author>Arun Loganathan</author><author>Pat Gavlin</author><category>esc</category><category>secrets</category><category>features</category></item><item><title>Simplify OIDC Trust with the New Pulumi GitHub Action</title><link>https://www.pulumi.com/blog/oidc-trust-github-action/</link><pubDate>Mon, 20 May 2024 21:45:13 +0000</pubDate><guid>https://www.pulumi.com/blog/oidc-trust-github-action/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/oidc-trust-github-action/index.png" /&gt;
&lt;p&gt;We&amp;rsquo;re excited to announce a new GitHub Action that simplifies the integration of Pulumi&amp;rsquo;s powerful &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/oidc/client/"&gt;OpenID Connect&lt;/a&gt; (OIDC) Trust feature into your &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/oidc/client/github/"&gt;GitHub Actions&lt;/a&gt; workflows. This action streamlines secure authentication with Pulumi Cloud, allowing you to leverage GitHub as an identity provider and eliminate the need for long-lived Pulumi access tokens.&lt;/p&gt;
&lt;h2 id="a-quick-refresher-on-pulumis-oidc-trust"&gt;A Quick Refresher on Pulumi&amp;rsquo;s OIDC Trust&lt;/h2&gt;
&lt;p&gt;The OIDC Trust feature allows you to configure trusted OIDC identity providers, such as GitHub, GitLab, or Google Cloud, within your Pulumi organization. This feature ensures secure and straightforward integration of &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/"&gt;Pulumi Cloud&lt;/a&gt; within any OIDC-compliant system. Once set up, you can securely exchange short-lived OIDC tokens from these providers for temporary Pulumi access tokens. These tokens can then be used to authenticate to Pulumi and perform actions such as deploying your infrastructure using Pulumi IaC, retrieving secrets stored in Pulumi ESC, etc. This approach enhances security by eliminating the need to store long-lived sensitive credentials and aligns with best cloud practices.&lt;/p&gt;
&lt;h2 id="streamlining-oidc-trust-with-github-actions"&gt;Streamlining OIDC Trust with GitHub Actions&lt;/h2&gt;
&lt;p&gt;Our new GitHub Action makes using OIDC Trust even easier. It automates the secure retrieval of Pulumi access tokens directly within your &lt;a href="https://www.pulumi.com/docs/iac/packages-and-automation/continuous-delivery/github-actions/"&gt;GitHub workflows&lt;/a&gt;, streamlining the authentication process and eliminating manual steps. This automation reduces errors, enhances security by reducing potential token leakage, and improves the maintainability of your workflows, making them cleaner, more readable, and easier to update.&lt;/p&gt;
&lt;h2 id="example-usage"&gt;Example Usage&lt;/h2&gt;
&lt;p&gt;This example demonstrates how to use the Action to authenticate with OIDC and run the &lt;code&gt;pulumi preview&lt;/code&gt; command.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;name&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Pulumi preview&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;on&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;workflow_dispatch&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;permissions&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;id-token&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;write&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;contents&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;read&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;jobs&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;run_cron_job&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;runs-on&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;ubuntu-latest&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;steps&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="nt"&gt;uses&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;actions/checkout@v4&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="nt"&gt;uses&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;pulumi/auth-actions@v1&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;with&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;organization&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;org-name&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;requested-token-type&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;urn:pulumi:token-type:access_token:organization&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="nt"&gt;uses&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;pulumi/actions@v5&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;with&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;command&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;preview&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;stack-name&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;org-name/stack-name&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;For more information about the &lt;code&gt;pulumi/auth-actions@v1&lt;/code&gt; Action, check the &lt;a href="https://github.com/marketplace/actions/pulumi-auth-action"&gt;Pulumi Auth Action documentation&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;The new GitHub Action for Pulumi OIDC Trust makes it easier than ever to incorporate secure, short-lived credential management into your GitHub Actions workflows. Embrace the power of OIDC, eliminate the &amp;ldquo;secret zero&amp;rdquo; problem, and streamline your Pulumi deployments with ease.&lt;/p&gt;
&lt;p&gt;Give the action a try in your next GitHub Actions workflow and let us know what you think! Check out our &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/oidc/client/github/"&gt;documentation&lt;/a&gt; for more details.&lt;/p&gt;</description><author>Germán Lena</author><author>Arun Loganathan</author><category>oidc</category><category>openid-connect</category><category>features</category></item><item><title>Org-only Template Gallery and Setting Default Repositories: Streamline Your Development</title><link>https://www.pulumi.com/blog/new-project-wizard-apr2024-updates/</link><pubDate>Fri, 19 Apr 2024 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/new-project-wizard-apr2024-updates/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/new-project-wizard-apr2024-updates/index.png" /&gt;
&lt;p&gt;We&amp;rsquo;re constantly evolving the &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/developer-portals/new-project-wizard/"&gt;New Project Wizard&lt;/a&gt; to make it the preferred choice for platform teams to empower their internal teams to deploy resources quickly and in adherence to organizational standards. In January, we launched the &lt;a href="https://www.pulumi.com/blog/developer-portal-gallery/"&gt;Developer Portal Gallery&lt;/a&gt; to boost development velocity and reduce operational friction. Since then, we have seen strong adoption from our customers and received several new requests. We are excited to share the latest improvements we&amp;rsquo;ve made.&lt;/p&gt;
&lt;h2 id="primer-on-new-project-wizard-and-developer-portal-gallery"&gt;Primer on New Project Wizard and Developer Portal Gallery&lt;/h2&gt;
&lt;h3 id="the-new-project-wizard"&gt;The New Project Wizard&lt;/h3&gt;
&lt;p&gt;The New Project Wizard is a core component of &lt;a href="https://www.pulumi.com/blog/building-developer-portals/"&gt;Pulumi for Developer Portal&lt;/a&gt; that guides users through a structured process to deploy infrastructure resources through Pulumi. It allows users to select from pre-defined templates or generate new programs through Pulumi AI, configure, and deploy them without leaving the browser. This wizard significantly reduced the time and effort required to get projects off the ground, enabling developers to concentrate more on their development tasks and less on initial setup. Platform teams using the New Project Wizard do not have to custom-build and maintain complex tooling.&lt;/p&gt;
&lt;h3 id="overview-of-the-developer-portal-gallery"&gt;Overview of the Developer Portal Gallery&lt;/h3&gt;
&lt;p&gt;The Developer Portal Gallery allows platform teams to curate and distribute approved project templates within their organization. This feature supports compliance and standardization by ensuring that all projects adhere to organizational policies and best practices right from the start. The gallery not only facilitates the discovery and use of these templates but also makes it easy for developers to start new projects with templates that are pre-vetted and ready to deploy.&lt;/p&gt;
&lt;p&gt;Using the Developer Portal Gallery can enhance collaboration across teams by standardizing the tools and processes used for creating and deploying projects. This alignment helps in maintaining a high level of governance as projects scale and ensures consistency across the development lifecycle. Platform teams can oversee template usage and configurations, making sure that each project conforms to the required security, architecture, and performance standards.&lt;/p&gt;
&lt;h2 id="whats-new"&gt;What&amp;rsquo;s New?&lt;/h2&gt;
&lt;p&gt;Here’s a breakdown of the latest enhancements:&lt;/p&gt;
&lt;h3 id="org-only-template-sources"&gt;Org-only Template Sources&lt;/h3&gt;
&lt;p&gt;Previously, the Developer Portal Gallery included both the Organization&amp;rsquo;s custom templates as well as Pulumi-authored templates. With this update, you can now add or remove the Pulumi-authored templates, ensuring that users only deploy organizationally approved templates. This simplifies template discovery and selection, reinforcing governance and compliance across development projects.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Org-only Template Sources"
autoplay muted playsinline
loop &gt;
&lt;source src="./org-only-templates.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h3 id="default-repository-locations"&gt;Default Repository Locations&lt;/h3&gt;
&lt;p&gt;We heard from customers they want their developers to not even have to worry about what repo their Pulumi code lives in. Starting today, admins can set default repository locations for each template source within the gallery. This eliminates the need for developers to select a repository, automatically using predetermined locations and streamlining their deployment process.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Org-only Template Sources"
autoplay muted playsinline
loop &gt;
&lt;source src="./default-repos.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h3 id="auto-generated-project-names"&gt;Auto-generated Project Names&lt;/h3&gt;
&lt;p&gt;Another improvement is the auto-generation of project names. Previously, users had to specify a project name, requiring additional input and sometimes leading to naming conflicts. Now, we automatically generate unique project names, further reducing friction and simplifying the project creation process.&lt;/p&gt;
&lt;h2 id="wrapping-up"&gt;Wrapping up&lt;/h2&gt;
&lt;p&gt;We&amp;rsquo;re continuously striving to make your experience with Pulumi Cloud as seamless and efficient as possible. Your feedback, big or small, is valuable to us, please feel free to share it in the &lt;a href="https://github.com/pulumi/pulumi-cloud-requests/issues/new/choose"&gt;Pulumi Cloud Requests repository&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Happy building!&lt;/p&gt;</description><author>Arun Loganathan</author><category>features</category><category>new-project-wizard</category><category>developer-portals</category><category>platform-engineering</category></item><item><title>Pulumi Release Notes: Pulumi Dev Releases, Pulumi ESC Table Editor, 1Password Support , and more!</title><link>https://www.pulumi.com/blog/pulumi-release-notes-103/</link><pubDate>Mon, 15 Apr 2024 11:06:04 -0800</pubDate><guid>https://www.pulumi.com/blog/pulumi-release-notes-103/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/pulumi-release-notes-103/index.png" /&gt;
&lt;p&gt;As always, we have been actively rolling out new features in response to the invaluable feedback from our ever-growing community. We&amp;rsquo;ve shipped several security and usability features to &lt;a href="https://www.pulumi.com/docs/esc"&gt;Pulumi ESC&lt;/a&gt; in response to feedback from our growing user base. Moreover, we&amp;rsquo;ve also added new enhancements to our core Platform CLI and Providers. In addition to the release notes, stay up-to-date with all things Pulumi by following the &lt;a href="https://www.pulumi.com/blog/tag/features"&gt;new features blogs&lt;/a&gt; and the &lt;a href="https://github.com/pulumi/pulumi-aws-native/releases"&gt;pulumi/pulumi repo changelog&lt;/a&gt;. With so much to explore, let’s dive into the major updates across Pulumi from the past two months!&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#pulumi-cloud"&gt;Pulumi Cloud&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#pulumi-esc-1password-support"&gt;Pulumi ESC 1Password Support&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-esc-key-value-table-editor"&gt;Pulumi ESC Table view&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-esc-yaml-code-editor-enhancements"&gt;Pulumi ESC YAML Code Editor Enhancements&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-esc-oidc-customization"&gt;Pulumi ESC OIDC customization&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-esc-audit-logs"&gt;Pulumi ESC Audit Logs&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#core"&gt;Core&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#dev-releases-for-the-pulumi-cli-and-sdks"&gt;Dev Releases for the Pulumi CLI and SDKs&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#automation-api-support-to-install-pulumi-cli"&gt;Automation API support to install Pulumi CLI&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#nodejs-monorepo-support"&gt;Node.js Monorepo Support&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#providers-and-packages"&gt;Providers and Packages&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#new-provider-resources"&gt;New Provider Resources&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#new-community-providers"&gt;New Community Providers&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-registry-documentation-update"&gt;Pulumi Registry Documentation Update&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#ai"&gt;AI&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#pulumi-ai-evolution"&gt;Pulumi AI Evolution&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#wrap-up"&gt;Wrap up&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="pulumi-cloud"&gt;Pulumi Cloud&lt;/h2&gt;
&lt;h3 id="pulumi-esc-1password-support"&gt;Pulumi ESC 1Password Support&lt;/h3&gt;
&lt;p&gt;In collaboration with 1Password, we&amp;rsquo;ve launched the &lt;a href="https://www.pulumi.com/docs/esc/integrations/dynamic-secrets/1password-secrets/"&gt;1Password provider&lt;/a&gt; for Pulumi ESC in public preview. This feature, highly requested by our community, allows you to pull secrets and configurations stored in 1Password directly into ESC, and use them as &lt;a href="https://www.pulumi.com/docs/esc/environments/working-with-environments/#projecting-environment-variables"&gt;environment variables&lt;/a&gt; or within &lt;a href="https://www.pulumi.com/docs/esc/integrations/infrastructure/pulumi-iac/"&gt;Pulumi Config&lt;/a&gt;. This integration eliminates the need for manual secret copy and paste, enhancing both security and efficiency. For more details, refer to our &lt;a href="https://www.pulumi.com/blog/pulumi-esc-public-preview-for-1password-support/"&gt;blog post&lt;/a&gt;.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Pulumi ESC 1Password Provider Demo"
autoplay muted playsinline
loop &gt;
&lt;source src="https://www.pulumi.com/uploads/esc-1password-provider-demo.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h3 id="pulumi-esc-table-view"&gt;Pulumi ESC Table view&lt;/h3&gt;
&lt;p&gt;We&amp;rsquo;ve rolled out the &lt;a href="https://www.pulumi.com/blog/esc-key-value-table-editor-launch/"&gt;Pulumi ESC Table view&lt;/a&gt;, offering a novel, user-friendly interface for managing secrets and configurations. This addition complements the existing YAML-based editor, providing intuitive and familiar experiences for your workflows with secrets and configurations. Table Editor supports capabilities including CRUD operations for secrets and plaintext values, secret decryption, &lt;a href="https://www.pulumi.com/docs/esc/environments/imports/"&gt;environment imports&lt;/a&gt;, variable projections, and &lt;a href="https://www.pulumi.com/docs/esc/environments/working-with-environments/#interpolating-values"&gt;interpolations&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.pulumi.com/blog/esc-key-value-table-editor-launch/esc-key-value-table-editor.png" alt="Table view"&gt;&lt;/p&gt;
&lt;h3 id="pulumi-esc-yaml-code-editor-enhancements"&gt;Pulumi ESC YAML Code Editor Enhancements&lt;/h3&gt;
&lt;p&gt;We&amp;rsquo;ve upgraded the Pulumi ESC YAML editor with features aimed at simplifying the environment authoring process and enhancing developer productivity. Key enhancements include auto-complete for faster coding, enhanced diagnostics offering deeper error insights, and hover documentation for easy access to information, reducing the need for context switching. Additionally, we have added support for accessing &lt;a href="https://www.pulumi.com/docs/esc/environments/working-with-environments/#pulumi-contextual-information"&gt;contextual information&lt;/a&gt; about the current user and current environments. This support can be used to fine-tune OIDC claims and enhance audit logs. For more details, check out our &lt;a href="https://www.pulumi.com/blog/esc-editor-enhancements/"&gt;blog post&lt;/a&gt;.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Pulumi ESC editor enhancements demo"
autoplay muted playsinline
loop &gt;
&lt;source src="https://www.pulumi.com/uploads/esc-editor-enhancements-demo.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h3 id="pulumi-esc-oidc-customization"&gt;Pulumi ESC OIDC customization&lt;/h3&gt;
&lt;p&gt;Pulumi ESC now offers &lt;a href="https://www.pulumi.com/docs/esc/environments/configuring-oidc/azure/#subject-customization"&gt;subject customization&lt;/a&gt; for OIDC tokens, enhancing security across AWS, GCP and Azure by aligning federated credentials with specific identifiers. By configuring the &lt;code&gt;subjectAttributes&lt;/code&gt; setting, users can include specific environment, user, and organization information in the &lt;a href="https://www.pulumi.com/docs/esc/environments/configuring-oidc"&gt;OIDC&lt;/a&gt; token subject claim, offering more granular control and customization for cloud resource access. This capability is especially valuable for customers using Azure, where subject claims are required to precisely match the string specified in the policy.&lt;/p&gt;
&lt;h3 id="pulumi-esc-audit-logs"&gt;Pulumi ESC Audit Logs&lt;/h3&gt;
&lt;p&gt;Pulumi ESC now features comprehensive Audit Logs for all Create, Read, Open, Update, and Delete (CRUD) operations, strengthening your cloud security framework. This critical addition to Pulumi ESC enables organizations to closely monitor and audit their cloud infrastructure changes, ensuring enhanced oversight and security compliance. Through detailed logging, teams gain valuable insights into their operational activities, facilitating improved governance and accountability across cloud resources.&lt;/p&gt;
&lt;h2 id="core"&gt;Core&lt;/h2&gt;
&lt;h3 id="dev-releases-for-the-pulumi-cli-and-sdks"&gt;Dev Releases for the Pulumi CLI and SDKs&lt;/h3&gt;
&lt;p&gt;We introduced &lt;a href="https://www.pulumi.com/blog/introducing-dev-releases/"&gt;Dev Releases&lt;/a&gt;, allowing developers to access the latest features and improvements in Pulumi&amp;rsquo;s infrastructure as code tools ahead of their official release. With this initiative, we aim to engage our community and gather early feedback, enhancing the product development process. This is crucial for identifying and resolving potential issues early, contributing to a smoother transition to new releases. Dev Releases will also be at the cutting edge of Pulumi&amp;rsquo;s evolving capabilities, with the latest bug fixes and features available within minutes of Pulumi developers merging. For instructions on how to use the CLI Dev releases see the &lt;a href="https://www.pulumi.com/docs/install/#installing-dev-releases"&gt;install docs&lt;/a&gt;, and for pre-release versions of Dev SDKs see the docs for &lt;a href="https://www.pulumi.com/docs/languages-sdks/javascript/#dev-versions"&gt;Node.js&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/languages-sdks/python/#dev-versions"&gt;Python&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/languages-sdks/dotnet/#dev-versions"&gt;.NET&lt;/a&gt;, and &lt;a href="https://www.pulumi.com/docs/languages-sdks/go/#dev-versions"&gt;Go&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="automation-api-support-to-install-pulumi-cli"&gt;Automation API support to install Pulumi CLI&lt;/h3&gt;
&lt;p&gt;The Pulumi Automation API now offers the functionality to install the Pulumi CLI directly through the API. This feature enables deploying programs utilizing the Automation API without the need for prior CLI installation. Explore an &lt;a href="https://github.com/pulumi/automation-api-examples/tree/main/go/cli_installation"&gt;example in Go&lt;/a&gt; and refer to the new APIs in &lt;a href="https://pkg.go.dev/github.com/pulumi/pulumi/sdk/v3/go/auto#InstallPulumiCommand"&gt;Go&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/pulumi/classes/automation.PulumiCommand.html#install"&gt;Node.js&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/reference/pkg/python/pulumi/#pulumi.automation.PulumiCommand.install"&gt;Python&lt;/a&gt;, and &lt;a href="https://github.com/pulumi/pulumi-dotnet/blob/edf4a5e904110f198d579d8db0b178aa9af9cdfa/sdk/Pulumi.Automation/Commands/LocalPulumiCommand.cs#L107"&gt;.NET&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="nodejs-monorepo-support"&gt;Node.js Monorepo Support&lt;/h3&gt;
&lt;p&gt;Pulumi now seamlessly integrates with Node.js monorepos using tools like Nx. We&amp;rsquo;ve enhanced Pulumi to support yarn/npm workspaces, widely used in Node.js monorepos. This enhancement facilitates better project management by automatically handling dependencies and building processes. The integration allows Pulumi infrastructure codes to coexist with application codes in the same repository, improving development workflow efficiency by using Nx&amp;rsquo;s capabilities to manage build and deploy dependencies effectively. Check out the &lt;a href="https://www.pulumi.com/blog/nx-monorepo/"&gt;blog post&lt;/a&gt; for more details.&lt;/p&gt;
&lt;h2 id="providers-and-packages"&gt;Providers and Packages&lt;/h2&gt;
&lt;h3 id="new-provider-resources"&gt;New Provider Resources&lt;/h3&gt;
&lt;p&gt;We have added 121 functions and 159 resources across our most popular providers, along with many more throughout our ecosystem. Notably, Palo Alto Networks is now supported in the &lt;a href="https://www.pulumi.com/registry/packages/azure-native/"&gt;Azure Native Provider&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;img src="new-provider-resources-functions.png" alt="New Provider Resources and Functions"&gt;&lt;/p&gt;
&lt;h3 id="new-community-providers"&gt;New Community Providers&lt;/h3&gt;
&lt;p&gt;&lt;img src="new-community-providers.png" alt="new_community_providers"&gt;&lt;/p&gt;
&lt;p&gt;We welcome new providers to our registry!&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/registry/packages/influxdb/"&gt;Influx db&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/registry/packages/zpa/"&gt;Zscalar Private Access&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/registry/packages/zia/"&gt;Zscalar Internet Access&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/registry/packages/ctfd/"&gt;CTFD&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="pulumi-registry-documentation-update"&gt;Pulumi Registry Documentation Update&lt;/h3&gt;
&lt;p&gt;The &lt;a href="https://www.pulumi.com/registry"&gt;Pulumi Registry&lt;/a&gt; documentation has significantly improved example code generation across programming languages. Systemic improvements benefit over 900 examples—700+ in Python, 200+ in Go, and a selection in C#—with notable improvements in type instantiations.&lt;/p&gt;
&lt;h2 id="ai"&gt;AI&lt;/h2&gt;
&lt;h3 id="pulumi-ai-evolution"&gt;Pulumi AI Evolution&lt;/h3&gt;
&lt;p&gt;We continue to invest in &lt;a href="https://www.pulumi.com/product/neo/"&gt;Pulumi Neo&lt;/a&gt; and improve the quality of programs in TypeScript, Python, Go, and C#. Key enhancements include generating code that accurately imports providers, with a special focus on those authored by our community and partners, ensuring the use of correct syntax for Pulumi YAML, embracing modern C# syntax like top-level statements, and implementing comprehensive spellchecking for modules and parameters. These updates continue to push Pulumi AI as a robust, developer-friendly platform, enabling you to build with greater confidence and efficiency. Moreover, you can now cancel in-progress prompts within Pulumi AI should you need to make any changes to your prompt.&lt;/p&gt;
&lt;h2 id="wrap-up"&gt;Wrap up&lt;/h2&gt;
&lt;p&gt;That marks the end of this update on Pulumi&amp;rsquo;s latest enhancements! We can&amp;rsquo;t wait to see what you build with these new tools. Your feedback drives our innovation. Feel free to open an issue in the &lt;a href="https://github.com/pulumi/pulumi-cloud-requests/issues/new/choose"&gt;Pulumi Cloud requests repository&lt;/a&gt; or in the &lt;a href="https://github.com/pulumi/pulumi"&gt;pulumi/pulumi repository&lt;/a&gt; for anything CLI. Keep an eye on us for more exciting updates!&lt;/p&gt;</description><author>Arun Loganathan</author><category>features</category><category>release-notes</category></item><item><title>Introducing the Table Editor for Pulumi ESC</title><link>https://www.pulumi.com/blog/esc-key-value-table-editor-launch/</link><pubDate>Tue, 26 Mar 2024 00:00:00 -0700</pubDate><guid>https://www.pulumi.com/blog/esc-key-value-table-editor-launch/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/esc-key-value-table-editor-launch/index.png" /&gt;
&lt;p&gt;We&amp;rsquo;re excited to announce the launch of the Pulumi Environments, Secrets, and Configurations (&lt;a href="https://www.pulumi.com/product/esc"&gt;ESC&lt;/a&gt;) Table Editor. At Pulumi, we&amp;rsquo;re committed to providing flexible solutions that cater to diverse development needs and practices. This latest addition underscores our dedication to this principle by offering a user-friendly interface for managing complex configurations and secrets.&lt;/p&gt;
&lt;p&gt;Pulumi ESC simplifies the management of secrets and configurations by reducing duplication and drift, empowering development teams to focus on building and deploying. The existing YAML-based code editor offers a native way for developers to author and manage configurations.&lt;/p&gt;
&lt;p&gt;The Table Editor we are launching today introduces an alternate visual interface for handling configuration tasks, enabling the direct input of plaintext and secret values. Key capabilities of the Table Editor include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;CRUD Operations&lt;/strong&gt;: Perform Create, Read, Update, and Delete (CRUD) operations on your secrets and plaintext values&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Decrypting Secrets&lt;/strong&gt;: Safely decrypt secrets one at a time, directly within the editor&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Environment Imports&lt;/strong&gt;: &lt;a href="https://www.pulumi.com/docs/esc/environments/#importing-other-environments"&gt;Import environments&lt;/a&gt; and define the order of imports to suit your project&amp;rsquo;s needs&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Variables Projections&lt;/strong&gt;: Make variables available as &lt;a href="https://www.pulumi.com/docs/esc/environments/#using-environments-with-pulumi-iac"&gt;Pulumi Config&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/esc/environments/#projecting-environment-variables"&gt;environment variables&lt;/a&gt;, and files, streamlining your deployment and runtime configuration.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Interpolations and References&lt;/strong&gt;: Add references to existing path-values, or add &lt;a href="https://www.pulumi.com/docs/esc/environments/#interpolating-values"&gt;interpolations&lt;/a&gt; to dynamically generate values&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;img src="esc-key-value-table-editor.png" alt="Table Editor"&gt;&lt;/p&gt;
&lt;p&gt;In the current release of the Table view, &lt;a href="https://www.pulumi.com/docs/esc/integrations"&gt;provider configurations&lt;/a&gt; and functions are set to read-only.&lt;/p&gt;
&lt;h2 id="whats-next"&gt;What’s Next?&lt;/h2&gt;
&lt;p&gt;Looking to the future, we are already working on the next set of enhancements for the Table view. Soon, you will have the capability to add and edit provider configurations directly within the table view.&lt;/p&gt;
&lt;p&gt;Pulumi ESC&amp;rsquo;s diverse array of providers not only allows teams to dynamically acquire cloud provider credentials at runtime, thus eliminating the need for static, long-lived credentials but also enables retrieving secrets from external secrets managers, such as AWS Secrets Manager and HashiCorp Vault, directly within ESC. This means users can seamlessly pull and utilize secrets within ESC, enhancing security and flexibility. The upcoming provider configuration support in the Table view will offer a guided experience, simplifying the process of leveraging Pulumi ESC&amp;rsquo;s comprehensive set of providers.&lt;/p&gt;
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;The launch of the Table view marks an important step in our mission to make infrastructure as code more accessible and manageable for developers.&lt;/p&gt;
&lt;p&gt;Your &lt;a href="https://github.com/pulumi/esc/issues/new/choose"&gt;feedback&lt;/a&gt; is the cornerstone of our development process. As we look ahead, we&amp;rsquo;re focusing on incorporating your insights to further enhance the Table view. Together, we can continue to refine and advance Pulumi ESC, making it an even more powerful tool for the developer community.&lt;/p&gt;
&lt;p&gt;Check out our &lt;a href="https://www.pulumi.com/docs/esc"&gt;documentation&lt;/a&gt; to learn more about Pulumi ESC.&lt;/p&gt;</description><author>Arun Loganathan</author><author>Kimberley Mackenzie</author><category>esc</category><category>secrets</category><category>configuration-management</category><category>features</category></item><item><title>Introducing the Latest ESC Editor Enhancements for Improved Authoring</title><link>https://www.pulumi.com/blog/esc-editor-enhancements/</link><pubDate>Thu, 22 Feb 2024 00:00:00 -0700</pubDate><guid>https://www.pulumi.com/blog/esc-editor-enhancements/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/esc-editor-enhancements/index.png" /&gt;
&lt;p&gt;With &lt;a href="https://www.pulumi.com/product/esc"&gt;Pulumi ESC&lt;/a&gt;, our goal is to not only create a tool that simplifies the development process but also one that developers love. In pursuit of this goal, we&amp;rsquo;re excited to announce enhancements to the Pulumi ESC environment editor. These enhancements are focused on addressing common challenges encountered when authoring environments: syntax errors, type errors, frequent context switches to and from documentation, and more. Our aim is to make the process of authoring environments as straightforward as possible by removing common hurdles.&lt;/p&gt;
&lt;h2 id="highlights"&gt;Highlights&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Auto-complete&lt;/strong&gt;: This feature provides suggestions for code snippets and resource properties, easing the need to reference documentation. It is engineered to accelerate and refine the coding process, enabling developers to concentrate on innovation and problem-solving.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Enhanced Diagnostics&lt;/strong&gt;: These diagnostics go beyond basic syntax checks by providing in-depth, as-you-type insights into errors.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Hover Documentation&lt;/strong&gt;: Hover over any piece of code to see a detailed tooltip with relevant documentation and examples. This instant access to information reduces the need to context switch, streamlining the development process and minimizing disruptions.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Tap &amp;lsquo;Ctrl+Space&amp;rsquo; in the editor reveal the list of functions and properties.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Pulumi ESC editor enhancements demo"
autoplay muted playsinline
loop &gt;
&lt;source src="https://www.pulumi.com/uploads/esc-editor-enhancements-demo.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h2 id="contextual-information-to-your-environments"&gt;Contextual Information to your environments&lt;/h2&gt;
&lt;p&gt;We have also added support for accessing contextual information from within an ESC environment such as the current user, organization, and environment name. You can use this information to enrich audit logs, refine OIDC claims for more granular access, and more! This information is available by accessing the &lt;code&gt;context&lt;/code&gt; property, and contains the following information:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;context.rootEnvironment.name&lt;/code&gt;: the name of the root environment being evaluated&lt;/li&gt;
&lt;li&gt;&lt;code&gt;context.currentEnvironment.name&lt;/code&gt;: the name of the current environment being evaluated&lt;/li&gt;
&lt;li&gt;&lt;code&gt;context.user.login&lt;/code&gt;: the login of the user evaluating the environment&lt;/li&gt;
&lt;li&gt;&lt;code&gt;context.organization.login&lt;/code&gt;: the name of the user&amp;rsquo;s organization&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;values&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;rootEnv&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;${context.rootEnvironment.name}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;currentUser&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;${context.user.login}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h2 id="a-seamless-authoring-experience-awaits"&gt;A Seamless Authoring Experience Awaits&lt;/h2&gt;
&lt;p&gt;The updated editor experience is designed to minimize friction, boost productivity, and transform cloud development into a more enjoyable and effective journey. We are eager for you to explore these new features and see firsthand how they enhance your development process.&lt;/p&gt;
&lt;p&gt;Discover more about the capabilities of Pulumi ESC and how it can support your projects by checking out our &lt;a href="https://www.pulumi.com/docs/esc"&gt;documentation&lt;/a&gt;.&lt;/p&gt;</description><author>Pat Gavlin</author><author>Arun Loganathan</author><category>esc</category><category>secrets</category><category>features</category></item><item><title>Pulumi Release Notes: Pulumi ESC, Deployments GA, Pulumi AI Improvements, AWS S3 Express One Zone Support, and more!</title><link>https://www.pulumi.com/blog/pulumi-release-notes-99/</link><pubDate>Thu, 01 Feb 2024 11:06:04 -0800</pubDate><guid>https://www.pulumi.com/blog/pulumi-release-notes-99/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/pulumi-release-notes-99/index.png" /&gt;
&lt;p&gt;We&amp;rsquo;ve had a busy last few months at Pulumi. From shipping a brand new product offering, Pulumi ESC, to adding several major features in Pulumi Cloud and updates to various Pulumi providers - there is lots to catch up on. In addition to reading these release notes, check out the &lt;a href="https://github.com/pulumi/pulumi/blob/master/CHANGELOG.md"&gt;pulumi/pulumi repo changelog&lt;/a&gt; to stay up to date with CLI enhancements after each CLI release. For Pulumi Cloud updates, follow the &lt;a href="https://www.pulumi.com/blog/tag/features"&gt;new features blogs&lt;/a&gt; to stay updated on the latest feature releases. Let&amp;rsquo;s walk through the major updates across Pulumi from the last few months!&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#ai"&gt;AI&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#deploy-with-pulumi-within-pulumi-ai"&gt;Deploy with Pulumi within Pulumi AI&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-ai-coverage-and-performance"&gt;Pulumi AI coverage and performance&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-ai-answers"&gt;Pulumi AI Answers&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-cloud"&gt;Pulumi Cloud&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#pulumi-esc-preview"&gt;Pulumi ESC Preview&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#developer-portal-gallery"&gt;Developer Portal Gallery&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#deployments-ga"&gt;Deployments GA&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#customer-managed-agents"&gt;Customer Managed Agents&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#mfa-in-pulumi-cloud"&gt;MFA in Pulumi Cloud&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#pricing-calculator"&gt;Pricing Calculator&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#historical-views"&gt;Historical Views&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#core"&gt;Core&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#import-improvements"&gt;Import Improvements&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#providers-and-packages"&gt;Providers and Packages&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#awsx-now-uses-aws-60"&gt;AWSX now uses AWS 6.0&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#pulumi-google-cloud-classic-70"&gt;Pulumi Google Cloud Classic 7.0&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#aws-s3-express-one-zone-support"&gt;AWS S3 Express One Zone Support&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#new-provider-resources"&gt;New Provider Resources&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#new-community-providers"&gt;New Community Providers&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="#wrap-up"&gt;Wrap up&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="ai"&gt;AI&lt;/h2&gt;
&lt;h3 id="deploy-with-pulumi-within-pulumi-ai"&gt;Deploy with Pulumi within Pulumi AI&lt;/h3&gt;
&lt;p&gt;Pulumi AI&amp;rsquo;s new feature enables &lt;a href="https://www.pulumi.com/blog/pulumi-ai-new"&gt;deploying cloud infrastructure using AI prompts&lt;/a&gt;. Users can rapidly generate and deploy templates through natural language inputs in &amp;lsquo;pulumi new&amp;rsquo; CLI command and new project wizard, significantly streamlining the cloud setup process. Additionally, you now have the option to deploy the Pulumi AI generated Pulumi programs from within &lt;a href="https://www.pulumi.com/product/neo/"&gt;Pulumi Neo&lt;/a&gt; and in the New Project Wizard in the Pulumi Cloud console.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Pulumi new AI and deploy"
autoplay muted playsinline
loop &gt;
&lt;source src="https://www.pulumi.com/uploads/pulumi-new-ai.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h3 id="pulumi-ai-coverage-and-performance"&gt;Pulumi AI coverage and performance&lt;/h3&gt;
&lt;p&gt;Pulumi AI can now write Pulumi programs for all 150 cloud providers in the &lt;a href="https://www.pulumi.com/registry/"&gt;Pulumi registry&lt;/a&gt; - up from 20 cloud providers. Pulumi AI has also been updated to OpenAI&amp;rsquo;s GPT-4 Turbo for enhanced performance along with fine tuning our prompts to improve our AI&amp;rsquo;s ability to write code.&lt;/p&gt;
&lt;h3 id="pulumi-ai-answers"&gt;Pulumi AI Answers&lt;/h3&gt;
&lt;p&gt;Pulumi AI Answers, launched late last year, has become a go-to repository, hosting an extensive collection of over 50,000 anonymized, infrastructure-as-code commonly asked queries, all carefully selected and presented by Pulumi. As this repository continues to expand, we&amp;rsquo;re seeing an exponential increase in user traffic, underscoring the immense value it offers. It&amp;rsquo;s inspiring to see the Pulumi community actively leveraging it as they build and scale their cloud infrastructure&lt;/p&gt;
&lt;h2 id="pulumi-cloud"&gt;Pulumi Cloud&lt;/h2&gt;
&lt;h3 id="pulumi-esc-preview"&gt;Pulumi ESC Preview&lt;/h3&gt;
&lt;p&gt;&lt;a href="https://www.pulumi.com/docs/esc/"&gt;Pulumi Environment, Secrets and Configuration (ESC)&lt;/a&gt; is our answer to the growing needs of our customers to manage secret sprawl and streamline config management. Pulumi ESC allows teams to store and aggregate secrets and configuration from various sources into a composable collection called an environment. You can dynamically generate &lt;a href="https://www.pulumi.com/docs/esc/environments/configuring-oidc"&gt;OIDC credentials&lt;/a&gt; from all three major cloud providers (AWS, Azure and GCP), and integrate with other &lt;a href="https://www.pulumi.com/docs/esc/get-started/retrieve-external-secrets/"&gt;secrets managers&lt;/a&gt; like AWS Secrets Manager, Hashicorp Vault, Azure Vault and GCP Secret manager to pull secrets during runtime. Its hierarchical structure simplifies the composition and reuse of configurations, ensuring secure, auditable management and robust access control. With Pulumi ESC, the trend is clear: organizations are choosing its comprehensive approach for managing secrets and configurations, and they are here to stay. &lt;a href="https://www.pulumi.com/docs/esc/get-started/"&gt;Get started&lt;/a&gt; with Pulumi ESC&lt;/p&gt;
&lt;p&gt;&lt;img src="pulumi-esc-growth.png" alt="Pulumi ESC Growth"&gt;&lt;/p&gt;
&lt;h3 id="developer-portal-gallery"&gt;Developer Portal Gallery&lt;/h3&gt;
&lt;p&gt;We launched a new template gallery in the &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/developer-portals/new-project-wizard"&gt;New Project Wizard&lt;/a&gt;, supercharging Platform teams to provision and distribute organization templates for their development teams to get up and running fast. Developers can generate Pulumi programs from these templates, commit and push code to GitHub and trigger deployment within the Pulumi Cloud console. The gallery supports three template types: Organization Templates for custom internal projects, Pulumi Templates authored by Pulumi to cover common architectural patterns and AI-Generated Templates created through Pulumi AI. For more information, check out the full &lt;a href="https://www.pulumi.com/blog/developer-portal-gallery/"&gt;blog post&lt;/a&gt;.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Pulumi new AI and deploy"
autoplay muted playsinline
loop &gt;
&lt;source src="https://www.pulumi.com/uploads/gallery.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h3 id="deployments-ga"&gt;Deployments GA&lt;/h3&gt;
&lt;p&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments"&gt;Pulumi Deployments&lt;/a&gt; was made &lt;a href="https://www.pulumi.com/blog/deployments-ga"&gt;generally available&lt;/a&gt; with new improvements such as support for &lt;a href="https://www.pulumi.com/docs/iac/packages-and-automation/continuous-delivery/github-app/#github-enterprise-server-support"&gt;GitHub Enterprise&lt;/a&gt;. Since launch, Pulumi Deployments has made infrastructure management at scale seamless for our customers, offering out of the box features such as &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/review-stacks"&gt;Review Stacks&lt;/a&gt; and multiple deployment triggers.&lt;/p&gt;
&lt;h3 id="customer-managed-agents"&gt;Customer Managed Agents&lt;/h3&gt;
&lt;p&gt;&lt;a href="https://www.pulumi.com/blog/customer-managed-deployment-agents-launch/"&gt;Customer Managed Agents&lt;/a&gt; for Pulumi Deployments enable customers with hard security and compliance requirements to take advantage of the powerful capabilities of Pulumi Deployments. By self-hosting the agents, you can host them anywhere within your infrastructure on any hardware and environment in order to meet compliance requirements to keep cloud provider credentials within your private network.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Pulumi new AI and deploy"
autoplay muted playsinline
loop &gt;
&lt;source src="https://www.pulumi.com/uploads/verify-setup.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h3 id="mfa-in-pulumi-cloud"&gt;MFA in Pulumi Cloud&lt;/h3&gt;
&lt;p&gt;We now support &lt;a href="https://www.pulumi.com/blog/multi-factor-auth-mfa-in-pulumi-cloud/"&gt;multi-factor authentication&lt;/a&gt; to prevent unauthorized access, ensuring robust security within your organization. Enable MFA by navigating to your account settings.&lt;/p&gt;
&lt;h3 id="pricing-calculator"&gt;Pricing Calculator&lt;/h3&gt;
&lt;p&gt;&lt;a href="https://www.pulumi.com/pricing/#calculator"&gt;Pulumi cost calculator&lt;/a&gt; for Team Edition enables you to quickly estimate the cost of using Pulumi Cloud. Simply input the number of resources in all your cloud accounts and the percentage of time they will be running to quickly get the total cost per month with a break down of estimated credits, free credits and cost per credit. You can also use the calculator to estimate the cost of using Pulumi Deployments.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.pulumi.com/blog/pricing-calculator-blog/pricing_calc.png" alt="Screenshot of the pricing calculator"&gt;&lt;/p&gt;
&lt;h3 id="historical-views"&gt;Historical Views&lt;/h3&gt;
&lt;p&gt;The Pulumi Cloud stack update page now contains the historical resources in the stack and the historical stack outputs. Simply click on details on each Pulumi update to see the resource state and stack output at the time of the update. This history extends all the way back to the first update of the stack. See the &lt;a href="https://www.pulumi.com/blog/update-page-improvements/"&gt;historical views blog post&lt;/a&gt; for more details.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.pulumi.com/blog/update-page-improvements/update-page.png" alt="Historical views"&gt;&lt;/p&gt;
&lt;h2 id="core"&gt;Core&lt;/h2&gt;
&lt;h3 id="import-improvements"&gt;Import Improvements&lt;/h3&gt;
&lt;p&gt;We have made several improvements to the &lt;a href="https://www.pulumi.com/docs/iac/adopting-pulumi/import/#pulumi-import-command"&gt;&lt;code&gt;pulumi import&lt;/code&gt;&lt;/a&gt; command to make it easier to &lt;a href="https://www.pulumi.com/docs/iac/adopting-pulumi/import/#bulk-import-operations"&gt;bulk import&lt;/a&gt; resources into complex programs and &lt;a href="https://www.pulumi.com/docs/concepts/resources/components/"&gt;components&lt;/a&gt;. You can now:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Import one resource and then use that resource as the parent for another imported resource. Previously, parents could only refer to resources that already existed; i.e., you would have had to do two imports&lt;/li&gt;
&lt;li&gt;Specify that a resource is a component to be used as the parent of other imported resources via a new &lt;code&gt;component&lt;/code&gt; property in the import file&lt;/li&gt;
&lt;li&gt;Specify parents by name without having to include the parent URN in the &lt;code&gt;nameTable&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Specify the &lt;a href="https://www.pulumi.com/docs/concepts/resources/names/#logicalname"&gt;&lt;code&gt;logicalName&lt;/code&gt;&lt;/a&gt; of resources&lt;/li&gt;
&lt;li&gt;Run &lt;code&gt;pulumi preview --import-file &amp;lt;file&amp;gt;&lt;/code&gt; on a program to generate a placeholder import file for every resource that would be created as part of the program. The generated file will contain all the names, types, and URNs already filled in, with blank &lt;code&gt;id&lt;/code&gt; fields that need to be filled in. This is useful when you already have the structure of the resources for your program and only need to fill in the IDs of existing resources&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Additionally, the import system no longer renames resources to try and make unique names and no longer generates errors just because two resources of different types have the same name. The rules for uniqueness now match what&amp;rsquo;s valid when writing a Pulumi program. The import system will generate an error if you try to import two resources that would end up with the same URN.&lt;/p&gt;
&lt;h2 id="providers-and-packages"&gt;Providers and Packages&lt;/h2&gt;
&lt;h3 id="awsx-now-uses-aws-60"&gt;AWSX now uses AWS 6.0&lt;/h3&gt;
&lt;p&gt;We have launched &lt;a href="https://www.pulumi.com/registry/packages/awsx/"&gt;AWSx&lt;/a&gt; 2.0, bringing all the benefits &lt;a href="https://www.pulumi.com/blog/announcing-6-0-of-the-pulumi-aws-classic-provider/"&gt;AWS 6.0&lt;/a&gt; to Pulumi Crosswalk for AWS (AWSx). The new versions offer several fixes and improvements, including support for the latest Terraform Plugin Framework, 56 new resources and 23 new functions for various AWS services.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.pulumi.com/blog/announcing-6-0-of-the-pulumi-aws-classic-provider/aws_api.png" alt="AWS 6.0 vs 5.0 provider coverage"&gt;&lt;/p&gt;
&lt;h3 id="pulumi-google-cloud-classic-70"&gt;Pulumi Google Cloud Classic 7.0&lt;/h3&gt;
&lt;p&gt;We have updated the &lt;a href="https://www.pulumi.com/registry/packages/gcp/"&gt;Pulumi Google Cloud Classic Provider&lt;/a&gt; to reflect the latest developments from Google Cloud, including updates to existing resources and adding support for new resources, functions and input properties. One of the key update is the &lt;a href="https://github.com/pulumi/pulumi-gcp/issues/722"&gt;fix&lt;/a&gt; for renaming of the Service Account resource for consistency and ease of use. We also made changes to align with &lt;a href="https://www.pulumi.com/blog/google-cloud-7-0/#:~:text=upstream%20documentation"&gt;upstream changes&lt;/a&gt; to labels. Upgrading to this new version is straightforward. Check out our &lt;a href="https://www.pulumi.com/blog/google-cloud-7-0/"&gt;blog post&lt;/a&gt; and &lt;a href="https://www.pulumi.com/registry/packages/gcp/how-to-guides/7-0-migration/"&gt;migration guide&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="aws-s3-express-one-zone-support"&gt;AWS S3 Express One Zone Support&lt;/h3&gt;
&lt;p&gt;We &lt;a href="https://www.pulumi.com/blog/amazon-s3-express-one-zone/"&gt;added support&lt;/a&gt; for &lt;a href="https://aws.amazon.com/s3/storage-classes/express-one-zone/"&gt;Amazon S3 Express One Zone&lt;/a&gt;, a new storage class offering up to 10x faster performance and reduced request costs by 50%. S3 Express One Zone is ideal for data-intensive applications such as AI/ML, HPC, etc. This update is part of our commitment to provide timely and effective support for the latest AWS offerings.&lt;/p&gt;
&lt;h3 id="new-provider-resources"&gt;New Provider Resources&lt;/h3&gt;
&lt;p&gt;We have added 641 functions and 662 resources across our most popular providers, along with many more throughout our ecosystem.&lt;/p&gt;
&lt;p&gt;&lt;img src="new-provider-resources-functions.png" alt="New Provider Resources and Functions"&gt;&lt;/p&gt;
&lt;h3 id="new-community-providers"&gt;New Community Providers&lt;/h3&gt;
&lt;p&gt;We welcome new providers to our registry!&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/registry/packages/pinecone/"&gt;Pinecone&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/registry/packages/talos/"&gt;Talos Linux&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;img src="new-community-providers.png" alt="New Community Providers"&gt;&lt;/p&gt;
&lt;h2 id="wrap-up"&gt;Wrap up&lt;/h2&gt;
&lt;p&gt;That&amp;rsquo;s a wrap on our latest Pulumi release notes! With each new feature and improvement, from AI advancements to enhanced cloud deployment tools, we&amp;rsquo;re excited to see how you leverage these updates. Your feedback is crucial in shaping our path forward, feel free to open issues in our &lt;a href="https://github.com/pulumi/pulumi-cloud-requests/issues/new/choose"&gt;Pulumi Cloud requests repository&lt;/a&gt; or in the &lt;a href="https://github.com/pulumi/pulumi"&gt;pulumi/pulumi repository&lt;/a&gt; for CLI feedback. Stay connected for more updates, and here&amp;rsquo;s to building a more efficient cloud future together!&lt;/p&gt;</description><author>Arun Loganathan</author><author>Justin Van Patten</author><category>features</category><category>release-notes</category></item><item><title>Introducing Customer-Managed Agents for Pulumi Deployments</title><link>https://www.pulumi.com/blog/customer-managed-deployment-agents-launch/</link><pubDate>Mon, 08 Jan 2024 08:06:12 -0700</pubDate><guid>https://www.pulumi.com/blog/customer-managed-deployment-agents-launch/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/customer-managed-deployment-agents-launch/index.png" /&gt;
&lt;p&gt;At Pulumi, we constantly strive to build solutions that not only simplify infrastructure management but also align with the diverse and specific needs of our customers. To that end, we&amp;rsquo;re thrilled to announce the general availability of Customer-Managed Agents for Pulumi Deployments.&lt;/p&gt;
&lt;h2 id="primer-on-pulumi-deployments"&gt;Primer on Pulumi Deployments&lt;/h2&gt;
&lt;p&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/"&gt;Pulumi Deployments&lt;/a&gt; is a fully managed platform for managing infrastructure at scale, providing easy-to-use building blocks that can be used as a simple CI/CD platform or to build a sophisticated self-serve platform to support thousands of engineers. &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/versus"&gt;Traditional CI/CD platforms&lt;/a&gt; focus on Git-push workflows which fall short when managing infrastructure where the same code base is used to create new infrastructure with no explicit Git-push event. Pulumi Deployments goes beyond the Git-push based workflows to offer deployment triggers based on the &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/api"&gt;Pulumi Deployments REST API&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/reference/#click-to-deploy"&gt;click to deploy&lt;/a&gt; in the Pulumi Cloud console, &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/review-stacks"&gt;Review Stacks&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/using-pulumi/automation-api"&gt;remote Automation API&lt;/a&gt;, and many more features to come.&lt;/p&gt;
&lt;p&gt;Since its launch, Pulumi Deployments has transformed how organizations manage their infrastructure, offloading the execution of Pulumi infrastructure as code (IaC) actions &amp;mdash; such as previews, updates, destroys, and refreshes &amp;mdash; to Pulumi Cloud. Our customers have used it to deploy and manage mission-critical services, driving efficiencies and reducing the operational burden of deploying and managing infrastructure.&lt;/p&gt;
&lt;h2 id="deploy-on-your-terms-launching-customer-managed-agents"&gt;Deploy on Your Terms: Launching Customer-Managed Agents&lt;/h2&gt;
&lt;p&gt;With the launch of Customer-Managed Agents, you can now self-host the deployment agents within your infrastructure, bringing the same power and flexibility of Pulumi-hosted deployments to isolated environments. Customers with hard security and compliance requirements can now fully leverage Pulumi Deployments.&lt;/p&gt;
&lt;p&gt;Newton, a leading crypto trading platform and a Pulumi Cloud customer, was in the private beta of Customer-Managed Agents. “Pulumi&amp;rsquo;s rapid innovation and customer-centric approach never fail to impress. The introduction of Customer-Managed Agents is a testament to their ongoing commitment,” said Shaun Martin, Director of Engineering at Newton. “We&amp;rsquo;re thrilled with the turnkey solutions Pulumi Deployments offer, enhancing our infrastructure management while upholding our stringent security requirements.”&lt;/p&gt;
&lt;h2 id="key-benefits-of-customer-managed-deployment-agents"&gt;Key Benefits of Customer-Managed Deployment Agents&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Host anywhere&lt;/strong&gt;: You can host the deployment agents anywhere to manage infrastructure, even within your fully private VPCs&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Any hardware, any environment&lt;sup&gt;1&lt;/sup&gt;&lt;/strong&gt;: Run the agents on any hardware of your choice and configure the environment that meets your needs&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Mix &amp;amp; match&lt;/strong&gt;: You can use standard Pulumi-hosted deployments for your development stacks and use self-hosted Customer-Managed Agents for your private network infrastructure. You can mix and match to suit your unique needs&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Multiple pools&lt;/strong&gt;: You can set up multiple deployment agent pools, assign stacks to specific pools, and scale agents dynamically to increase your deployment concurrency. Customers can have up to 150 concurrent deployments&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Meet compliance&lt;/strong&gt;: You can configure the agents with the credentials needed to manage your infrastructure. This way your cloud provider credentials never leave your private network&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;sup&gt;1&lt;/sup&gt; &lt;em&gt;Currently Linux and MacOS are supported&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Customer-Managed Agents support all the deployment triggers currently offered by Pulumi Deployments such as click to deploy, the Pulumi Deployments REST API, Git push to deploy, Review Stacks, and remote Automation API.&lt;/p&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;Customer-Managed Agents is available on the Business Critical edition of Pulumi Cloud. &lt;a href="https://www.pulumi.com/contact/?form=sales"&gt;Contact sales&lt;/a&gt; if you are interested and want to enable Customer-Managed Agents. If you are a self-hosted Pulumi Cloud customer, please &lt;a href="https://share.hsforms.com/1YajiJ73sSuGn5RoTkyvKxg2mxud"&gt;get in touch&lt;/a&gt; to be notified when it is available.&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="how-to-get-started"&gt;How to get started&lt;/h2&gt;
&lt;p&gt;Before you begin, ensure you have installed the &lt;a href="https://www.pulumi.com/docs/iac/packages-and-automation/continuous-delivery/github-app/"&gt;Pulumi Github App&lt;/a&gt; and update the &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/get-started"&gt;source control settings&lt;/a&gt;. &lt;a href="https://docs.docker.com/engine/"&gt;Docker&lt;/a&gt; is a requirement for the agent.&lt;/p&gt;
&lt;h3 id="install-and-configure-the-agent"&gt;Install and configure the agent&lt;/h3&gt;
&lt;p&gt;Go to &lt;strong&gt;Deployment runners&lt;/strong&gt; under Organization Settings in the left-hand navigation menu. Once on the Deployment runners page, choose &lt;strong&gt;Add a new pool&lt;/strong&gt;. Next, provide a name and description for your agent. You will then get a new access token for the pool. Be sure to copy and save this token in a secure location.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Create a new pool"
autoplay muted playsinline
loop &gt;
&lt;source src="https://www.pulumi.com/uploads/create-new-pool.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;p&gt;Download and install the agents using the command provided. Once installed, provide the access token previously copied to configure the agent.&lt;/p&gt;
&lt;div class="note note-warning"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-warning-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;If you run into issues, ensure docker is running before you configure and start the agents. Ensure you restart or refresh the shell session (example: &lt;code&gt;source ~/.zshrc&lt;/code&gt;).&lt;/div&gt;
&lt;/div&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Configure the agents"
autoplay muted playsinline
loop &gt;
&lt;source src="https://www.pulumi.com/uploads/configure-agents.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;p&gt;Now your first agent should be up and running! You can verify the status of the agent by refreshing the page. Additionally, you can use the same token to set up multiple agents to increase concurrency of your deployments and they will be assigned to the same pool.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.pulumi.com/blog/customer-managed-deployment-agents-launch/view-agent-status.png" alt="Pool Details view"&gt;&lt;/p&gt;
&lt;p&gt;Agents poll Pulumi Cloud every 30 seconds to check for pending deployments. In the pool page, you can see the last online status of the agents. Agents will disappear from the list after 1-2 hours of being offline. If you are running the agent inside a firewall ensure to allow outbound requests to api.pulumi.com.&lt;/p&gt;
&lt;h3 id="configure-stack"&gt;Configure Stack&lt;/h3&gt;
&lt;p&gt;Go to deployment settings, found under the settings tab on a stack under &amp;lsquo;Deploy&amp;rsquo;. Scroll down and select the pool you created under the Deployment Runner pool drop-down.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Assign Stack to Deployment Pool"
autoplay muted playsinline
loop &gt;
&lt;source src="https://www.pulumi.com/uploads/configure-stack.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;p&gt;Ensure that agents have the cloud provider credentials to be able to deploy in your environments. You have two methods:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;Use &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/oidc"&gt;OpenID Connect (OIDC) to generate credentials&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Directly provide credentials to agents through environment variables configured in the host, or passing the environment variables when invoking the binary. Example:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nv"&gt;VARIABLE&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;value customer-managed-deployment-agent run
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;You also need to update the &lt;code&gt;pulumi-deployment-agent.yaml&lt;/code&gt; configuration file by setting &lt;code&gt;env_forward_allowlist&lt;/code&gt;. The configuration file can be found in the directory where the agent is extracted. &lt;code&gt;env_forward_allowlist&lt;/code&gt; expects an array of strings. Example:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;token&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;pul-d2d2….&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;version&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;v0.0.5&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;env_forward_allowlist&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="l"&gt;key_one&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="l"&gt;key_two&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="l"&gt;key_three&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;h3 id="verify-setup"&gt;Verify setup&lt;/h3&gt;
&lt;p&gt;You have completed the setup. Try out the agent by doing &lt;code&gt;pulumi refresh&lt;/code&gt; through the &lt;strong&gt;Actions&lt;/strong&gt; drop-down in your stack page.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Run a deployment on the agent"
autoplay muted playsinline
loop &gt;
&lt;source src="https://www.pulumi.com/uploads/verify-setup.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;p&gt;You should see the logs in the agent running on the machine you configured and also in the Pulumi Cloud console.&lt;/p&gt;
&lt;p&gt;On the deployments page, you can see all the deployments including pending deployments, and which deployment agents were used in a deployment.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.pulumi.com/blog/customer-managed-deployment-agents-launch/view-deployment-status.png" alt="Deployments page"&gt;&lt;/p&gt;
&lt;h2 id="your-journey-our-support"&gt;Your Journey, Our Support&lt;/h2&gt;
&lt;p&gt;Customer-Managed Agents empower you to align your deployment strategies with the specific requirements of your infrastructure. Whether it&amp;rsquo;s ensuring compliance, enhancing security, or customizing deployment processes, Customer-Managed Agents provide the flexibility you need.&lt;/p&gt;
&lt;p&gt;Embark on this journey to simplify your infrastructure deployments with our new feature. We are here every step of the way to assist you. Share any feedback in the &lt;a href="https://github.com/pulumi/pulumi-cloud-requests/issues/new/choose"&gt;Pulumi Cloud Requests repository&lt;/a&gt; with us.&lt;/p&gt;</description><author>Arun Loganathan</author><author>Germán Lena</author><category>features</category></item></channel></rss>