<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0"><channel><title>Pulumi Blog: Perspectives</title><link>https://www.pulumi.com/blog/category/perspectives/</link><description>Pulumi blog posts: Perspectives.</description><language>en-us</language><pubDate>Tue, 09 Jun 2026 00:00:00 +0000</pubDate><item><title>Stop Prompting. Design the Loop.</title><link>https://www.pulumi.com/blog/stop-prompting-design-the-loop/</link><pubDate>Tue, 09 Jun 2026 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/stop-prompting-design-the-loop/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/stop-prompting-design-the-loop/index.png" /&gt;
&lt;p&gt;For about two years, the unit of work with a coding agent was the prompt. You wrote a good one, you gave it enough context, you read what came back, and you wrote the next one. The agent was a tool, and you were holding it the entire time, one turn after another.&lt;/p&gt;
&lt;p&gt;That part is ending. &lt;a href="https://x.com/addyosmani"&gt;Addy Osmani&lt;/a&gt;, a director of AI at Google Cloud, has a name for what replaces it, and I have not stopped thinking about it since: &lt;a href="https://x.com/addyosmani/status/2064127981161959567"&gt;loop engineering&lt;/a&gt;. You stop being the person who prompts the agent. You design the loop that prompts it for you.&lt;/p&gt;
&lt;p&gt;In my phrasing: you stop being the thing that runs, and start designing the thing that runs. The leverage moves up a layer. What I want to do here is take an honest look at the pieces, and at the part nobody automates.&lt;/p&gt;
&lt;h2 id="the-leverage-moved-up-a-layer"&gt;The leverage moved up a layer&lt;/h2&gt;
&lt;p&gt;The people building these tools have already made the jump. &lt;a href="https://x.com/steipete"&gt;Peter Steinberger&lt;/a&gt; has been posting it as a monthly reminder.&lt;/p&gt;
&lt;figure&gt;
&lt;img src="./steinberger-loops.png" alt="A post by Peter Steinberger (@steipete) on X: 'Here's your monthly reminder that you shouldn't be prompting coding agents anymore. You should be designing loops that prompt your agents.'"&gt;
&lt;figcaption&gt;&lt;em&gt;Peter Steinberger (&lt;a href="https://x.com/steipete"&gt;@steipete&lt;/a&gt;) on X.&lt;/em&gt;&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;&lt;a href="https://x.com/bcherny"&gt;Boris Cherny&lt;/a&gt;, who heads Claude Code at Anthropic, says the same thing about his own job. He does not prompt Claude anymore. He has loops running that prompt Claude and decide what to do next, scanning the issue tracker, the team chat, and the timeline for what to build. &amp;ldquo;My job is to write loops.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;A loop is a goal that prompts itself. You set the purpose, and the system keeps iterating until it&amp;rsquo;s met. In practice it finds the work, hands it out, checks the result, writes down what got finished, and decides the next thing, then it pokes the agent instead of you. You build that small system once and let it run.&lt;/p&gt;
&lt;p&gt;Look closer, and a loop is really two loops nested. The inner one does the work against a spec. The outer one decides what the work should be: it watches an issue tracker, an error feed, a changelog, then writes the next spec and hands it down. Most people are still running that outer loop by hand, in their head, and calling it a backlog.&lt;/p&gt;
&lt;p&gt;The part that surprised me is that this is barely a tooling problem anymore. A year ago a loop meant a pile of bash you wrote and maintained forever. Now the pieces ship inside the products, and the same shapes show up in Claude Code and in Codex. Osmani puts loop engineering one floor above the harness, the context and tooling you wire around a single agent. I wrote about &lt;a href="https://www.pulumi.com/blog/stop-tuning-prompts-build-a-harness/"&gt;that harness&lt;/a&gt; a couple of weeks ago. The loop is the thing that runs on top of it: it runs on a timer, it spawns helpers, and it feeds itself.&lt;/p&gt;
&lt;h2 id="the-five-pieces-and-the-one-that-holds-them-together"&gt;The five pieces, and the one that holds them together&lt;/h2&gt;
&lt;p&gt;Strip loop engineering down and you get roughly five building blocks, plus one place to remember things. Both Claude Code and Codex have all five now. The names differ here and there; the capability is the same.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Automations are the heartbeat.&lt;/strong&gt; They are what make a loop an actual loop and not one run you did once. A prompt or command on a cadence, a scheduled task, a hook that fires at a point in the agent&amp;rsquo;s lifecycle, or a job on CI that keeps running after you close the laptop. Discovery and triage run themselves, and the findings that matter come to you.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Worktrees keep parallel from turning into chaos.&lt;/strong&gt; The second you run more than one agent, the files start colliding. Two agents writing the same file is the same headache as two engineers committing to the same lines with nobody talking first. A git worktree is a separate working directory on its own branch, so one agent&amp;rsquo;s edits cannot touch another&amp;rsquo;s checkout.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Skills are intent, written down.&lt;/strong&gt; An agent starts every session cold and fills any hole in your intent with a confident guess. A skill is that intent written on the outside: the conventions, the build steps, the &amp;ldquo;we don&amp;rsquo;t do it like this because of that one incident,&amp;rdquo; recorded once where the agent reads it every run. Without skills, the loop re-derives your whole project from zero every cycle.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Connectors let the loop touch your real tools.&lt;/strong&gt; Built on MCP, they let the agent read the issue tracker, query a database, hit a staging API, or drop a message in chat. This is the difference between an agent that says &amp;ldquo;here is the fix&amp;rdquo; and a loop that opens the pull request, links the ticket, and pings the channel once CI goes green.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Sub-agents keep the maker away from the checker.&lt;/strong&gt; The model that wrote the code is far too generous grading its own homework. A second agent with different instructions, and sometimes a different model, catches the things the first one talked itself into. Worktrees and a cold-context reviewer are two pieces I have &lt;a href="https://www.pulumi.com/blog/parallel-coding-playbook-for-pulumi/"&gt;written about before&lt;/a&gt;, back when the question was running agents in parallel without them trampling each other.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Then the sixth thing: memory. A markdown file, a Linear board, a state file, anything that lives outside the single conversation and holds what is done and what is next. It sounds too dumb to matter, and it&amp;rsquo;s the whole game. The model forgets everything between runs, so the memory has to live on disk, not in the context window. The agent forgets. The repo does not.&lt;/p&gt;
&lt;h2 id="what-makes-a-loop-hold-together"&gt;What makes a loop hold together&lt;/h2&gt;
&lt;p&gt;A loop running unattended is also a loop making mistakes unattended. The one thing that keeps it honest is verification, and verification needs an oracle, something outside the model that returns a hard yes or no. Passing tests, a clean build, a green pipeline, a real production signal. Without an oracle, the loop compounds confidently wrong work, faster than you can read it.&lt;/p&gt;
&lt;p&gt;The cleanest version of this already ships in the tools. Claude Code&amp;rsquo;s &lt;code&gt;/goal&lt;/code&gt; keeps working across turns until a condition you actually wrote holds, something like &amp;ldquo;every test in &lt;code&gt;auth/&lt;/code&gt; passes and lint is clean,&amp;rdquo; and after every turn a separate, faster model reads the transcript and decides whether you are there yet. The agent that wrote the code is not the one that grades it. That is the maker-and-checker split applied to the stop condition itself. Codex&amp;rsquo;s &lt;code&gt;/goal&lt;/code&gt; reaches the same finish line a different way: the agent audits its own work against the evidence before it can call the goal done.&lt;/p&gt;
&lt;h2 id="what-the-loop-still-wont-do-for-you"&gt;What the loop still won&amp;rsquo;t do for you&lt;/h2&gt;
&lt;p&gt;The loop changes the shape of the work. It does not take it off your desk. And a few things get sharper as the loop gets better, not softer.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Verification is still on you.&lt;/strong&gt; The split reviewer is what makes &amp;ldquo;it&amp;rsquo;s done&amp;rdquo; mean something, but &amp;ldquo;done&amp;rdquo; is a claim, not a proof. Your job is still to ship code you confirmed works, which is harder to remember when the diff arrived while you were at lunch.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The bill comes in two currencies.&lt;/strong&gt; Tokens and attention. A single unattended run can burn through millions of tokens, and that is only worth it when the tokens buy something worth more than they cost. The quieter trap is the second currency: memory is what lets a loop compound over time, and slop compounds right alongside it. A loop pointed at a vague goal does not get tired and stop. It gets faster.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Your understanding rots if you let it.&lt;/strong&gt; The faster the loop ships code you did not write, the wider the gap between what exists in the repo and what you actually understand. A smooth loop grows that gap faster, not slower, unless you read what it made. The comfortable posture, where you stop having an opinion and take whatever the loop gives back, is the risky one. Two engineers can build the exact same loop and get opposite results, one moving faster on work they understand deeply, the other avoiding the work entirely. The loop cannot tell which one you are.&lt;/p&gt;
&lt;h2 id="when-the-loop-reaches-production"&gt;When the loop reaches production&lt;/h2&gt;
&lt;p&gt;Most of this thinking grew up around application code, where a bad run costs you a revert. When the loop reaches into infrastructure, the blast radius is a production outage rather than a revert, and the verification bar has to rise to meet it. The upside is that infrastructure hands the loop a better oracle than application code does. A plan diff is deterministic and machine-readable, a policy check returns a hard verdict, and drift and cost are numbers you can put a threshold on. A reviewer, whether human or agent, can read the change cold, with no memory of the prompt that produced it. That cold-context check is exactly what an unattended loop needs, and it&amp;rsquo;s the reason an infrastructure loop can be built to hold together while you sleep. &lt;a href="https://www.pulumi.com/blog/grounded-ai-why-neo-knows-your-infrastructure/"&gt;Pulumi Neo reasons over the state graph directly&lt;/a&gt;, so the checker grounds every claim in what the change actually does, not in what the writer says it does.&lt;/p&gt;
&lt;h2 id="where-to-start"&gt;Where to start&lt;/h2&gt;
&lt;p&gt;Pick the loop you can actually trust first. In order:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Start where &amp;ldquo;done&amp;rdquo; is unambiguous.&lt;/strong&gt; CI triage, dependency bumps, a flaky-test hunt, a failing job you keep re-running by hand. Loops need an oracle, so begin where the oracle already exists.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Write the memory file before the loop.&lt;/strong&gt; One markdown file, or a board. What is done, what is next, what was tried and failed. This is the spine, and everything else hangs off it.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Split the checker from the maker.&lt;/strong&gt; Use &lt;code&gt;/goal&lt;/code&gt; with a verifiable condition, or a second agent with its own instructions. Never let the agent that did the work be the one that decides the work is finished.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cap it, then read everything.&lt;/strong&gt; A max-iteration count, a token budget, a teardown step. Run it once, end to end, then read every line it shipped. The first run is the measurement, not the payoff.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Then look at what you built. You designed it once, and it ran without you steering each step. That is the real shift. But the leverage only holds if you wire the loop like an engineer, not like someone looking for permission to stop thinking. Read what it ships. Keep an opinion. Judgment is the one part that does not move up a layer.&lt;/p&gt;
&lt;p&gt;The loop will do the typing. The thinking is the work.&lt;/p&gt;
&lt;a
href="https://www.pulumi.com/product/neo/"
class="btn btn-outline"
&gt;
See how Pulumi Neo closes the loop on your infrastructure
&lt;/a&gt;</description><author>Engin Diri</author><category>ai</category><category>ai-agents</category><category>automation</category><category>claude</category><category>pulumi-neo</category><category>platform-engineering</category></item><item><title>Stop Tuning Prompts. Build a Harness.</title><link>https://www.pulumi.com/blog/stop-tuning-prompts-build-a-harness/</link><pubDate>Tue, 26 May 2026 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/stop-tuning-prompts-build-a-harness/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/stop-tuning-prompts-build-a-harness/index.png" /&gt;
&lt;p&gt;Anthropic shipped a piece earlier this month called &lt;a href="https://claude.com/blog/how-claude-code-works-in-large-codebases-best-practices-and-where-to-start"&gt;How Claude Code Works in Large Codebases&lt;/a&gt;. I have not read anything more useful about coding agents this year. The core claim, in their words: &lt;em&gt;&amp;ldquo;the ecosystem built around the model—the harness—determines how Claude Code performs more than the model alone.&amp;rdquo;&lt;/em&gt; In my phrasing: in a real codebase, the model is the smaller variable. The layer of context and tooling you wire around the agent matters more than which version of Sonnet or Opus is behind it.&lt;/p&gt;
&lt;p&gt;The post stays high-level, which is the right move for a launch piece. What I want to do here is land it. Same seven pieces, but with the wiring you would actually put in a repo, in the order I would put it.&lt;/p&gt;
&lt;h2 id="how-claude-code-navigates-without-an-index"&gt;How Claude Code navigates without an index&lt;/h2&gt;
&lt;p&gt;Anthropic&amp;rsquo;s writeup says Claude Code works from the live codebase and does not require a &lt;a href="https://claude.com/blog/how-claude-code-works-in-large-codebases-best-practices-and-where-to-start"&gt;codebase index&lt;/a&gt; to be built, maintained, or uploaded. The agent navigates the way an engineer would, with &lt;code&gt;grep&lt;/code&gt;, &lt;code&gt;find&lt;/code&gt;, &lt;code&gt;ls&lt;/code&gt;, file reads, and reference-following. Anthropic calls this &lt;a href="https://www.anthropic.com/claude-code"&gt;agentic search&lt;/a&gt;, and the upside is obvious: no separate index exists for you to keep fresh.&lt;/p&gt;
&lt;p&gt;The downside is also obvious. An engineer who has never seen your repo and only has shell tools will flounder if you drop them in the root with no map. That is your agent on day one. Everything that follows is about giving it the map.&lt;/p&gt;
&lt;h2 id="the-ai-layer-in-seven-pieces"&gt;The AI layer in seven pieces&lt;/h2&gt;
&lt;p&gt;Every codebase used to have two artifacts engineers cared about: the code and the tests. A third exists now. Call it the AI layer, or the harness, or whatever you want. This layer is the set of context and tools you give your coding agent to operate in this specific repo. Anthropic breaks it into seven pieces, and each one solves a different scaling problem.&lt;/p&gt;
&lt;p&gt;&lt;img src="./harness-layers.png" alt="Three layers of a codebase: code, tests, and the AI layer expanded into CLAUDE.md, hooks, skills, plugins, LSP, MCP servers, and subagents."&gt;&lt;/p&gt;
&lt;p&gt;Anthropic gives each piece a role: CLAUDE.md is the foundation, hooks do self-improvement, skills are progressive disclosure, plugins handle distribution, LSP gives navigation, MCP is extension, subagents split exploration from editing. They are not equal in usage either. CLAUDE.md is read at the start of each session and stays in context for the duration. The others fire when relevant.&lt;/p&gt;
&lt;h2 id="lean-and-layered-claudemd"&gt;Lean and layered CLAUDE.md&lt;/h2&gt;
&lt;p&gt;The single biggest mistake I see is a root &lt;code&gt;CLAUDE.md&lt;/code&gt; that has grown into a small book. Two thousand lines of conventions for parts of the repo the current task will never touch. Every session pays the tax. Anthropic&amp;rsquo;s own guidance is to keep these files focused on what applies broadly so they do not become a drag on performance, and you can feel that drag in practice: the agent gets cautious, slow, and oddly literal.&lt;/p&gt;
&lt;p&gt;Keep the root file lean. What is this repo, broadly. The tech stack. The commands the agent will need (&lt;code&gt;make test&lt;/code&gt;, &lt;code&gt;make lint&lt;/code&gt;, how to run the dev server). General conventions that apply everywhere. That is most of what belongs there.&lt;/p&gt;
&lt;p&gt;Local conventions go in subdirectory &lt;code&gt;CLAUDE.md&lt;/code&gt; files. When the agent starts in a subdirectory, Claude Code walks upward from the working directory and loads every &lt;code&gt;CLAUDE.md&lt;/code&gt; it finds on the way to the repo root, so root context is never lost and intermediate layers stack in the order you would expect. Claude Code can also discover files below the current working directory when it reads files in those subdirectories. That means &lt;code&gt;services/api/CLAUDE.md&lt;/code&gt; only joins the session when the work reaches that service. Same for &lt;code&gt;services/billing/&lt;/code&gt;, the frontend, the data layer.&lt;/p&gt;
&lt;p&gt;If you already know the task is scoped to one service, start the agent in that subdirectory. The working directory becomes the focus, and the agent stays out of unrelated code unless you tell it otherwise. Most of the time, you know.&lt;/p&gt;
&lt;p&gt;Two more cheap wins live in the same neighborhood. Scope the &lt;code&gt;make test&lt;/code&gt; and &lt;code&gt;make lint&lt;/code&gt; commands so the subdirectory version runs only the slice the agent is working in, instead of the whole repo on every change. And version-control your exclusion rules in &lt;code&gt;.claude/settings.json&lt;/code&gt; so the agent never reads &lt;code&gt;dist/&lt;/code&gt;, generated SDKs, or vendored code. Every file the agent skips is tokens you keep for the work that matters. If your directory layout is unconventional or has historical baggage, Anthropic also suggests adding a short codebase map to the root &lt;code&gt;CLAUDE.md&lt;/code&gt; so the agent has somewhere to anchor.&lt;/p&gt;
&lt;h2 id="hooks-that-make-the-harness-self-improving"&gt;Hooks that make the harness self-improving&lt;/h2&gt;
&lt;p&gt;Most teams use hooks as guardrails. Block edits in &lt;code&gt;vendor/&lt;/code&gt;, refuse to delete migrations, kill the run if a secret turns up in a diff. That is fine and you should do it. But hooks have a second life that almost no one uses, and that second life is the more interesting one.&lt;/p&gt;
&lt;p&gt;Both kinds register the same way, in &lt;code&gt;.claude/settings.json&lt;/code&gt;, against named events Claude Code fires during a session:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-json" data-lang="json"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;hooks&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;SessionStart&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;hooks&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;type&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;command&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;command&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;uv run --directory \&amp;#34;$CLAUDE_PROJECT_DIR\&amp;#34; python .claude/hooks/session_start_context.py&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;],&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;Stop&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;hooks&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;type&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;command&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;command&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;uv run --directory \&amp;#34;$CLAUDE_PROJECT_DIR\&amp;#34; python .claude/hooks/propose_claude_md.py&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;A &lt;code&gt;SessionStart&lt;/code&gt; hook fires before the agent has done anything. Whatever the script prints to stdout is injected straight into the session as context, so you can preload the things the agent would otherwise have to spend a turn discovering: the current branch, the uncommitted diff, the last few commits. For a larger team you might fetch the Confluence or Notion page that owns the directory the engineer is working in. Every developer starts each session pre-oriented, with no manual setup.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt;&amp;#34;&amp;#34;&amp;#34;SessionStart hook — prints orientation Claude reads as session context.&amp;#34;&amp;#34;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;os&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="nn"&gt;subprocess&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="nn"&gt;pathlib&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;Path&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;root&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;Path&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;environ&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;CLAUDE_PROJECT_DIR&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;.&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;git&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="n"&gt;args&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;out&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;subprocess&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;run&lt;/span&gt;&lt;span class="p"&gt;([&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;git&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="n"&gt;args&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt; &lt;span class="n"&gt;cwd&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;root&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;capture_output&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="kc"&gt;True&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;text&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="kc"&gt;True&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;out&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;stdout&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;strip&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nb"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;# Orientation&lt;/span&gt;&lt;span class="se"&gt;\n&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nb"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;## Branch&lt;/span&gt;&lt;span class="se"&gt;\n&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;git&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;rev-parse&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;--abbrev-ref&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;HEAD&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="se"&gt;\n&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nb"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;## Uncommitted changes&lt;/span&gt;&lt;span class="se"&gt;\n&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;git&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;status&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;--porcelain&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="ow"&gt;or&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;(clean)&amp;#39;&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="se"&gt;\n&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nb"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;## Recent commits&lt;/span&gt;&lt;span class="se"&gt;\n&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;git&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;log&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;-5&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;--oneline&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="se"&gt;\n&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The &lt;code&gt;Stop&lt;/code&gt; hook is the more interesting one. It fires when the agent finishes its turn. At that moment the session context is still fresh, the diff is still small, and you have a free shot at a question nobody asks: did anything I changed invalidate the rules I wrote down? Spawn a separate headless Claude session, hand it the diff and the relevant &lt;code&gt;CLAUDE.md&lt;/code&gt; files, ask it to propose updates, and write the result to a markdown review file. You read it when you are ready. The CLAUDE.md files stop going stale on their own.&lt;/p&gt;
&lt;p&gt;The trick is to make the hook itself cheap and dispatch the LLM call in the background, so the end of every turn does not block on a reflection:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt;&amp;#34;&amp;#34;&amp;#34;Stop hook — dispatch a headless Claude reflection in the background.&amp;#34;&amp;#34;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;os&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="nn"&gt;subprocess&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="nn"&gt;sys&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="nn"&gt;pathlib&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;Path&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# The reflector spawns its own headless Claude, whose Stop hook lands back&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# here. The lock prevents infinite recursion.&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;environ&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;REFLECT_LOCK&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;sys&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;exit&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;root&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;Path&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;environ&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;CLAUDE_PROJECT_DIR&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;.&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;diff&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;subprocess&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;run&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;git&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;diff&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;HEAD&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt; &lt;span class="n"&gt;cwd&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;root&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;capture_output&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="kc"&gt;True&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;text&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="kc"&gt;True&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;stdout&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="ow"&gt;not&lt;/span&gt; &lt;span class="n"&gt;diff&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;strip&lt;/span&gt;&lt;span class="p"&gt;():&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;sys&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;exit&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;env&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="o"&gt;**&lt;/span&gt;&lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;environ&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;REFLECT_LOCK&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;1&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;subprocess&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Popen&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;uv&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;run&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;python&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;.claude/hooks/reflect_claude_md.py&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;cwd&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;root&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;env&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;env&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;stdout&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;subprocess&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;DEVNULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;stderr&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;subprocess&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;DEVNULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;code&gt;reflect_claude_md.py&lt;/code&gt; is the part that calls a headless &lt;code&gt;claude&lt;/code&gt; against the diff and writes &lt;code&gt;.claude/claude-md-review.md&lt;/code&gt;. You can grow it from twenty lines to two hundred without ever blocking the agent.&lt;/p&gt;
&lt;p&gt;The pattern that ties the two together: hooks let the harness improve itself in the background while you do the actual work.&lt;/p&gt;
&lt;h2 id="path-scoped-skills"&gt;Path-scoped skills&lt;/h2&gt;
&lt;p&gt;Skills are where the agent learns how to do a &lt;em&gt;thing&lt;/em&gt;. CLAUDE.md is conventions (&amp;ldquo;every route is registered here&amp;rdquo;). Skills are workflows (&amp;ldquo;here is how you add a new route in this repo, end to end&amp;rdquo;). The two overlap, but the framing keeps me honest: rules in CLAUDE.md, recipes in skills.&lt;/p&gt;
&lt;p&gt;The piece of the skills system most teams miss is the path scope. A skill can declare which directories it activates in. A &lt;code&gt;create-api-endpoint&lt;/code&gt; skill that only loads when the agent is editing under &lt;code&gt;services/api/&lt;/code&gt; is invisible the rest of the time. With dozens of skills in a real repo, scoping is the difference between a useful library and a wall of irrelevant prompts.&lt;/p&gt;
&lt;p&gt;The mental model: progressive disclosure for expertise. Most knowledge in a large codebase is local. Load it locally.&lt;/p&gt;
&lt;h2 id="symbol-level-search-through-lsp-and-mcp"&gt;Symbol-level search through LSP and MCP&lt;/h2&gt;
&lt;p&gt;&lt;code&gt;grep&lt;/code&gt; is fine until it isn&amp;rsquo;t. Past six-digit line counts, plain string search gets slow, returns too much, and burns tokens reading files the agent did not need to open. You also lose what every IDE has done for decades: jump-to-definition, find-references, hover-for-types.&lt;/p&gt;
&lt;p&gt;You can give the agent the same navigation. Run a language server locally, wrap it in a small MCP server, expose two or three tools: &lt;code&gt;where_is&lt;/code&gt;, &lt;code&gt;find_references&lt;/code&gt;, &lt;code&gt;goto_definition&lt;/code&gt;. The agent now searches by symbol, not by string. A request like &amp;ldquo;find every place &lt;code&gt;monthly_total_cents&lt;/code&gt; is referenced&amp;rdquo; returns one definition and the actual references, instead of fifty grep hits that mention the substring in unrelated comments.&lt;/p&gt;
&lt;p&gt;This is also where bigger orgs invest. Custom MCP servers that expose internal search systems, the code-ownership graph, the design-doc index. The patterns are the same; the targets are domain-specific. The point is that the agent does not have to brute-force its way through your repo when you already have better tools for finding things.&lt;/p&gt;
&lt;figure&gt;
&lt;img src="./harness-frequency.png" alt="The Claude Code harness as a Gantt-style timeline across a session. CLAUDE.md spans the full session as a foundation. Hooks fire at the start and end. Skills, LSP, and MCP servers light up sporadically. Subagents run as a single longer task between exploration and editing."&gt;
&lt;figcaption&gt;&lt;em&gt;Image: &lt;a href="https://claude.com/blog/how-claude-code-works-in-large-codebases-best-practices-and-where-to-start"&gt;Anthropic, How Claude Code Works in Large Codebases&lt;/a&gt;.&lt;/em&gt;&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;h2 id="subagents-for-exploration"&gt;Subagents for exploration&lt;/h2&gt;
&lt;p&gt;The rule I follow: split exploration from editing. A subagent runs in its own context window. You ask which files implement the billing webhook flow, or what the user model looks like across services. It does the digging, and only the summary comes back to your primary session.&lt;/p&gt;
&lt;p&gt;The win is context budget, not parallelism. Exploration is wasteful by nature. The agent reads forty files to find the three that matter, and most of those forty get thrown away. If that happens in your primary session, your editing turns start with a context window already half full of noise. If it happens in a subagent, the noise stays there. You get the answer.&lt;/p&gt;
&lt;p&gt;Use the built-in Explore subagent liberally. Custom subagents earn their place when you have a workflow specific enough that a generic explorer is the wrong tool. The file shape is small: a single markdown file under &lt;code&gt;.claude/agents/&lt;/code&gt;, a short frontmatter block, and a prompt body. &lt;code&gt;name&lt;/code&gt;, &lt;code&gt;description&lt;/code&gt;, &lt;code&gt;tools&lt;/code&gt;, and &lt;code&gt;model&lt;/code&gt; are enough to start:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-markdown" data-lang="markdown"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;---
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;name: explorer
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;description: Read-only repo explorer. Map a service or package without burning the main session&amp;#39;s context, then return findings.
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;tools: Read, Grep, Glob
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;model: sonnet
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;---
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;You are a read-only explorer. The parent agent will hand you one service or
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;package to map. Read its &lt;span class="sb"&gt;`CLAUDE.md`&lt;/span&gt; if there is one, then trace entry points,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;the public surface, and dependencies. Return findings as your final response.
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;No edits.
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Restricting &lt;code&gt;tools&lt;/code&gt; to read-only is the load-bearing line. The model only sees the tools you expose, so an explorer subagent without &lt;code&gt;Write&lt;/code&gt; or &lt;code&gt;Edit&lt;/code&gt; has nothing to call when it gets tempted, even if the prompt body forgot to say so. Treat that as a strong default. If you need a hard guarantee, layer a &lt;code&gt;PreToolUse&lt;/code&gt; hook on top.&lt;/p&gt;
&lt;h2 id="dont-let-it-rot"&gt;Don&amp;rsquo;t let it rot&lt;/h2&gt;
&lt;p&gt;The harness is not a one-time setup. Models improve, and rules written for last year&amp;rsquo;s model often constrain this year&amp;rsquo;s. A note like &amp;ldquo;always split refactors into single-file changes&amp;rdquo; might have saved you in 2024 and might block a beneficial cross-file edit in 2026. Anthropic suggests reviewing your CLAUDE.md files every three to six months, or whenever performance feels like it has plateaued after a major model release. The stop-hook reflection gives you a head start. The rest is on you.&lt;/p&gt;
&lt;h2 id="assign-an-owner"&gt;Assign an owner&lt;/h2&gt;
&lt;p&gt;The last piece is not technical. The teams that get value out of Claude Code at scale have someone who owns the harness. A small platform-engineering team, or one DRI, or a hybrid PM/engineer doing it half-time. Their job is the same shape as owning a CI pipeline: write the conventions, build the skills, run the LSP wrapper, version the hooks, evangelize what works, retire what does not.&lt;/p&gt;
&lt;p&gt;Plugins are the distribution vehicle. A good harness that lives in one engineer&amp;rsquo;s dotfiles stays tribal. The same harness packaged as a plugin (or a private marketplace) is how a team of five hundred ends up running the same skills, the same MCP servers, and the same hooks without anyone having to remember to copy a config.&lt;/p&gt;
&lt;p&gt;The pattern that fails: ship Claude Code to the org on a Friday, hope adoption goes viral, watch every team grow its own slightly different version of &lt;code&gt;CLAUDE.md&lt;/code&gt; for six months. The pattern that works: a quiet build-out period, a small set of approved skills, a working plugin or two, a documented governance story, then broad access.&lt;/p&gt;
&lt;p&gt;Treat the harness like infrastructure.&lt;/p&gt;
&lt;h2 id="where-to-start"&gt;Where to start&lt;/h2&gt;
&lt;p&gt;The order that has worked for me, in any repo:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Trim the root &lt;code&gt;CLAUDE.md&lt;/code&gt; until it fits on one screen. Move the rest into subdirectories.&lt;/li&gt;
&lt;li&gt;Add a &lt;code&gt;Stop&lt;/code&gt; hook that proposes updates to those &lt;code&gt;CLAUDE.md&lt;/code&gt; files in headless mode.&lt;/li&gt;
&lt;li&gt;Convert your three most common repeated tasks into path-scoped skills.&lt;/li&gt;
&lt;li&gt;Run a language server behind an MCP server. Stop searching by string.&lt;/li&gt;
&lt;li&gt;Get comfortable dispatching exploration to subagents.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Most teams will plateau on step one for a week and find the agent is already noticeably sharper. The rest compounds. I have written more on the agent-tooling shift this is part of in &lt;a href="https://www.pulumi.com/blog/how-building-ai-agents-has-changed/"&gt;How Building AI Agents Has Changed in 2026&lt;/a&gt;, and on the workflow side in &lt;a href="https://www.pulumi.com/blog/top-8-claude-skills-devops-2026/"&gt;The Claude Skills I Actually Use for DevOps&lt;/a&gt; and &lt;a href="https://www.pulumi.com/blog/claude-code-orchestration-frameworks/"&gt;Superpowers, GSD, and GSTACK&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The model will keep getting better. The harness is the work.&lt;/p&gt;</description><author>Engin Diri</author><category>ai</category><category>ai-agents</category><category>claude</category><category>mcp</category><category>devops</category></item><item><title>How Building AI Agents Has Changed in 2026</title><link>https://www.pulumi.com/blog/how-building-ai-agents-has-changed/</link><pubDate>Thu, 14 May 2026 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/how-building-ai-agents-has-changed/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/how-building-ai-agents-has-changed/index.png" /&gt;
&lt;p&gt;Twelve months ago, building an AI agent meant picking a framework, defining your tools, standing up a RAG pipeline, and writing a stack of glue code to wire it all together. That was the default playbook. The post-mortem on six months of work usually went the same way: half the time went into infrastructure that had nothing to do with the agent&amp;rsquo;s actual job.&lt;/p&gt;
&lt;p&gt;That isn&amp;rsquo;t where the work is anymore. Most of the middle layer is gone. The SDKs ship with the tools, the skills system replaced the upfront tool registry, and longer context windows pushed vector search out of the default slot it held all of last year.&lt;/p&gt;
&lt;p&gt;The shape is the same as a lot of infrastructure shifts before it. The hard thing got cheap, the cheap thing got expected, and the question moved up a level.&lt;/p&gt;
&lt;h2 id="the-old-playbook"&gt;The old playbook&lt;/h2&gt;
&lt;p&gt;A 2024 to 2025 agent project looked like this. You picked a framework, usually &lt;a href="https://www.langchain.com/"&gt;LangChain&lt;/a&gt;, &lt;a href="https://www.llamaindex.ai/"&gt;LlamaIndex&lt;/a&gt;, or an early version of &lt;a href="https://ai.pydantic.dev/"&gt;Pydantic AI&lt;/a&gt;. You wrote tool definitions, usually a wrapper around an API the agent would call. You stood up a RAG pipeline: chunk your documents, embed them, pick a vector database, write retrievers, layer reranking on top. Then you wrote the agent loop yourself, including prompt assembly, tool dispatch, retry logic, and observability.&lt;/p&gt;
&lt;p&gt;This was the default for good reasons. Foundation models had short context windows. They didn&amp;rsquo;t ship with file access. They couldn&amp;rsquo;t run code. If you wanted an agent to do anything useful with your data, you had to bring the data to the model in pre-digested chunks.&lt;/p&gt;
&lt;p&gt;The cost wasn&amp;rsquo;t only setup time. It was infra bills, retries against embedding APIs, and a context strategy that fought the model as the model got better. By mid-2025 the retrieval layer was often the bottleneck on quality. The agent would ask a question, get five plausible-looking chunks, and answer from those instead of the document you actually wanted it to read. Chunking decisions made on a Tuesday in March were still hurting answer quality six months later.&lt;/p&gt;
&lt;p&gt;Most teams I talked to in 2025 were tuning their RAG pipeline. Almost nobody enjoyed it.&lt;/p&gt;
&lt;h2 id="the-shift-three-things-changed-at-once"&gt;The shift: three things changed at once&lt;/h2&gt;
&lt;p&gt;Three changes landed close enough together that they collapsed the middle layer.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Built-in tools.&lt;/strong&gt; The &lt;a href="https://code.claude.com/docs/en/agent-sdk/overview"&gt;Claude Agent SDK&lt;/a&gt; ships with Read, Write, Edit, Bash, Grep, Glob, WebSearch, and WebFetch out of the box. &lt;a href="https://developers.openai.com/codex/sdk"&gt;OpenAI&amp;rsquo;s Codex SDK&lt;/a&gt; is similar in shape, with shell and file tools available to the agent by default. These are the tools every agent project was rebuilding in 2024, often as a side quest to the work the agent was actually meant to do. A &lt;code&gt;Read&lt;/code&gt; that handles binary files. A &lt;code&gt;Bash&lt;/code&gt; that streams output and respects working directory. A &lt;code&gt;Grep&lt;/code&gt; that doesn&amp;rsquo;t choke on large files. The 80% of agent tooling everyone was paying their team to reimplement is now table stakes.&lt;/p&gt;
&lt;p&gt;The consequence is that you can give an agent the ability to do real work with about ten lines of configuration. The flip side is that the differentiator moved up a layer. The value isn&amp;rsquo;t in having &lt;code&gt;Read&lt;/code&gt;. It&amp;rsquo;s in what the agent does with it.&lt;/p&gt;
&lt;p&gt;Anything outside the built-in toolbox plugs in through &lt;a href="https://modelcontextprotocol.io/"&gt;MCP&lt;/a&gt; servers. &lt;a href="https://thenewstack.io/model-context-protocol-roadmap-2026/"&gt;The registry has grown nearly 8x since early 2025&lt;/a&gt;, and every major model vendor now ships first-party support. The picture in 2026 is more layered than that, though. A lot of what used to call for an MCP server is now better served by the agent invoking a CLI through &lt;code&gt;Bash&lt;/code&gt; and wrapping the recipe in a skill. &lt;a href="https://www.scalekit.com/blog/mcp-vs-cli-use"&gt;Benchmarks put CLI-based tool calls at a fraction of the context cost of equivalent MCP calls&lt;/a&gt;, with fewer round-trips and fewer failure modes. MCP still earns its place for protocol-heavy work like browser control, OAuth flows, and streaming services, but it stopped being the automatic answer to &amp;ldquo;how do I give my agent a new capability.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Skills replaced tool stuffing.&lt;/strong&gt; The old way was to register every tool the agent might need at startup, eating context every turn whether the agent used the tool or not. A hundred tools meant a heavy system prompt before the agent had thought about anything. The skills pattern flips that. A skill is a small markdown package with a name and a one-line description. The agent sees the description (around 100 tokens) and only loads the body when it decides the skill is relevant. A hundred skills no longer means a hundred tools&amp;rsquo; worth of context tax. &lt;a href="https://www.anthropic.com/engineering/equipping-agents-for-the-real-world-with-agent-skills"&gt;Anthropic frames this as progressive disclosure&lt;/a&gt;: because the body only loads on demand, the amount of content you can bundle into a single skill is effectively unbounded.&lt;/p&gt;
&lt;p&gt;Progressive disclosure isn&amp;rsquo;t a new idea. What&amp;rsquo;s new is that the agent harness now treats it as the default loading strategy instead of something you have to engineer.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;RAG got demoted.&lt;/strong&gt; This is the change with the biggest blast radius and the smallest amount of commentary. A year ago, &amp;ldquo;we need to add RAG&amp;rdquo; was the reflex answer when somebody asked how an agent would handle a corpus. Today that question splits three ways. If the corpus fits in the context window, put it in. If the agent can grep the filesystem, let it grep. If the corpus is genuinely too large for either, vector search is still right, but you&amp;rsquo;ll find that&amp;rsquo;s a smaller set of cases than it used to be. You can see this in the coding agents that already ship today. &lt;a href="https://cursor.com/blog/fast-regex-search"&gt;Cursor&lt;/a&gt;, Claude Code, and Devin lean on grep, find, and direct file reads more than vector search. &lt;a href="https://www.llamaindex.ai/blog/agentic-rag-with-llamaindex-2721b8a49ff6"&gt;LlamaIndex&amp;rsquo;s own writing on agentic retrieval&lt;/a&gt; is one of the clearer reads on where this is going.&lt;/p&gt;
&lt;p&gt;Vector search didn&amp;rsquo;t get worse. The context around it improved enough that it stopped being the right first move.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.pulumi.com/blog/how-building-ai-agents-has-changed/eras.png" alt="Three eras of agent building. 2024 to 2025: framework plus tools plus RAG plus glue code. Early 2026: SDK with built-in tools plus skills plus MCP. Today: same SDK base, with frameworks layered on only for multi-provider or complex orchestration."&gt;&lt;/p&gt;
&lt;p&gt;Taken together, what got pulled into the SDK is the middle of an agent project: the tools layer, the retrieval layer, and the loop. What&amp;rsquo;s left for the team is the system prompt, the skills, and the policies around what the agent is allowed to do.&lt;/p&gt;
&lt;h2 id="when-you-still-need-a-framework"&gt;When you still need a framework&lt;/h2&gt;
&lt;p&gt;The first reaction to a lot of this is to declare that frameworks are over. They aren&amp;rsquo;t, but the cases where you reach for one have narrowed.&lt;/p&gt;
&lt;p&gt;Pydantic AI is still the right choice when you want strong typing, deterministic output schemas, and an evaluation loop that matches how the rest of your Python codebase already thinks. &lt;a href="https://www.langchain.com/langgraph"&gt;LangGraph&lt;/a&gt; is still the right choice when your problem is genuinely a graph of agent states with branching and human approval steps. &lt;a href="https://openai.github.io/openai-agents-python/"&gt;OpenAI&amp;rsquo;s Agents SDK&lt;/a&gt; is built around explicit handoffs between agents and earns its place when that pattern fits how you want to decompose the work. &lt;a href="https://www.crewai.com/"&gt;CrewAI&lt;/a&gt; is the fastest path I&amp;rsquo;ve seen for prototyping a multi-agent system, as long as you can live with its opinions. Any team running production traffic across multiple model providers is going to want a routing layer that the official SDK from any single vendor isn&amp;rsquo;t going to give them. &lt;a href="https://www.anthropic.com/research/building-effective-agents"&gt;Anthropic&amp;rsquo;s own writing on building effective agents&lt;/a&gt; lands in the same place: start with the simplest thing, add complexity only when the problem demands it.&lt;/p&gt;
&lt;p&gt;The mental model that works for me: start with the SDK, reach for a framework when you outgrow it. &amp;ldquo;Outgrow&amp;rdquo; usually means one of four things:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Multi-provider routing.&lt;/strong&gt; You&amp;rsquo;re running production traffic across more than one model vendor and need a routing layer the official SDKs don&amp;rsquo;t ship.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Multi-agent orchestration.&lt;/strong&gt; Your problem genuinely decomposes into separate agents with handoffs, branching, or human approval steps.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Deterministic typing.&lt;/strong&gt; You need strong schemas and validation around inputs and outputs, and the rest of your codebase already thinks that way.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Production observability.&lt;/strong&gt; You need eval loops, replay, or tracing beyond what the SDK provides out of the box.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;If none of those four are biting, the SDK is probably enough, and adding a framework on top is a layer you&amp;rsquo;ll regret in six months.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.pulumi.com/blog/how-building-ai-agents-has-changed/decision.png" alt="Decision flow for picking an agent stack. Start with the SDK. If you need multi-provider routing, multi-agent orchestration, deterministic typing, or deeper observability, add a framework. Otherwise stay with the SDK."&gt;&lt;/p&gt;
&lt;h2 id="where-this-lands-for-infrastructure-work"&gt;Where this lands for infrastructure work&lt;/h2&gt;
&lt;p&gt;Two things from the new agent shape map cleanly onto infrastructure work. The first is that &amp;ldquo;built-in tools plus governed actions&amp;rdquo; is the model an IaC platform was already running. The SDK assumes the agent has tools that do real work. The platform assumes those tools have policies, audit logs, and short-lived credentials around them. Those assumptions stack.&lt;/p&gt;
&lt;p&gt;The second is that a state graph is already structured context. You don&amp;rsquo;t need to chunk it. You don&amp;rsquo;t need to embed it. An agent reasoning over a Pulumi stack can grep its way through the program graph the same way it greps a codebase, and the answers are grounded in the same source of truth the rest of your platform uses. I wrote the deeper version in &lt;a href="https://www.pulumi.com/blog/grounded-ai-why-neo-knows-your-infrastructure/"&gt;Grounded AI: Why Neo Knows Your Infrastructure&lt;/a&gt;. The dark-factory and sprawl posts (&lt;a href="https://www.pulumi.com/blog/dark-factory-pattern-pulumi-autonomous-iac/"&gt;The Dark Factory Pattern for Infrastructure&lt;/a&gt; and &lt;a href="https://www.pulumi.com/blog/agent-sprawl-iac-platform-is-the-answer/"&gt;Agent Sprawl Is Here. Your IaC Platform Is the Answer.&lt;/a&gt;) are the places to go if you want to push on this further.&lt;/p&gt;
&lt;h2 id="start-with-the-sdk"&gt;Start with the SDK&lt;/h2&gt;
&lt;p&gt;A year ago, an agent project was 80% glue code and 20% the thing the agent actually did. On most projects today that ratio is flipped. If you&amp;rsquo;ve been sitting on an agent idea, build it the SDK way first and reach for a framework only when you hit something the SDK genuinely can&amp;rsquo;t do. Most teams will be surprised how often they don&amp;rsquo;t.&lt;/p&gt;
&lt;p&gt;There&amp;rsquo;s one agent you don&amp;rsquo;t have to build at all. &lt;a href="https://www.pulumi.com/product/neo/"&gt;Pulumi Neo&lt;/a&gt; is the same SDK-first shape applied to the IaC slice: tools that reason directly over your state graph, governed by the controls the rest of your platform already runs on. Save your own SDK time for the agents only you can build.&lt;/p&gt;
&lt;a
href="https://www.pulumi.com/product/neo/"
class="btn btn-outline"
&gt;
See how Pulumi Neo works
&lt;/a&gt;</description><author>Engin Diri</author><category>ai</category><category>ai-agents</category><category>claude</category><category>mcp</category><category>rag</category></item><item><title>Agent Sprawl Is Here. Your IaC Platform Is the Answer.</title><link>https://www.pulumi.com/blog/agent-sprawl-iac-platform-is-the-answer/</link><pubDate>Wed, 22 Apr 2026 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/agent-sprawl-iac-platform-is-the-answer/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/agent-sprawl-iac-platform-is-the-answer/index.png" /&gt;
&lt;p&gt;Somewhere in your company right now, a developer is building an AI agent. Maybe it&amp;rsquo;s a release agent that cuts tags when tests pass. Maybe it&amp;rsquo;s a cost agent that shuts down idle EC2 overnight. It&amp;rsquo;s running, it&amp;rsquo;s in production, and there&amp;rsquo;s a decent chance the platform team doesn&amp;rsquo;t know it exists.&lt;/p&gt;
&lt;p&gt;This isn&amp;rsquo;t a thought experiment. OutSystems just surveyed 1,900 IT leaders and the numbers are rough: 96% of enterprises run AI agents in production today, 94% say the sprawl is becoming a real security problem, and only 12% have any central way to manage it. Twelve percent. You can &lt;a href="https://www.outsystems.com/news/enterprise-ai-agent-report-2026/"&gt;read the full report here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The real question is where those agents run. Inside the platform you&amp;rsquo;ve already built, or somewhere off to the side where nobody on the platform team can see them.&lt;/p&gt;
&lt;h2 id="the-new-platform-tension"&gt;The new platform tension&lt;/h2&gt;
&lt;p&gt;Platform teams have always had two jobs that pull in opposite directions. Let developers ship without waiting on a ticket. Keep the infrastructure coherent while they do. Golden paths, review stacks, a catalog of components that don&amp;rsquo;t fight each other.&lt;/p&gt;
&lt;p&gt;Agents break the second half of that deal.&lt;/p&gt;
&lt;p&gt;A developer with a sharp prompt can spin up an SRE agent that watches a queue, a release agent that cuts tags when the test suite goes green, or a cost agent that kills idle infra at 2 a.m. That&amp;rsquo;s useful. It&amp;rsquo;s also running on your production cloud account, using credentials you never provisioned, writing to systems you never approved, and the only audit trail is whatever the developer remembered to log. The &lt;a href="https://www.salesforce.com/news/stories/connectivity-report-announcement-2026/"&gt;Salesforce 2026 Connectivity Benchmark&lt;/a&gt; pegs the average enterprise at twelve agents today, projected to grow 67% over the next two years. Most teams aren&amp;rsquo;t ready for one, let alone twenty.&lt;/p&gt;
&lt;p&gt;This is the same shape as every sprawl problem before it. I wrote about the last one in &lt;a href="https://www.pulumi.com/blog/how-secrets-sprawl-is-slowing-you-down/"&gt;&lt;em&gt;How Secrets Sprawl Is Slowing You Down&lt;/em&gt;&lt;/a&gt;, and the pattern keeps repeating. When something useful gets cheap, it proliferates. When it proliferates without structure, it becomes a liability.&lt;/p&gt;
&lt;p&gt;The clock is also ticking on the compliance side. The &lt;a href="https://artificialintelligenceact.eu/implementation-timeline/"&gt;EU AI Act&amp;rsquo;s high-risk obligations kick in on 2 August 2026&lt;/a&gt;. &lt;a href="https://leg.colorado.gov/bills/sb25b-004"&gt;Colorado&amp;rsquo;s AI Act goes live on 30 June 2026&lt;/a&gt; after last year&amp;rsquo;s delay. A folder of unreviewed agent scripts isn&amp;rsquo;t going to hold up against either of those.&lt;/p&gt;
&lt;h2 id="three-ways-to-respond-only-one-of-them-works"&gt;Three ways to respond (only one of them works)&lt;/h2&gt;
&lt;p&gt;There are roughly three paths from here.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.pulumi.com/blog/agent-sprawl-iac-platform-is-the-answer/three-responses.png" alt="Three platform responses to agent sprawl: do nothing leads to unmanaged sprawl, mandating centralization creates developer friction, and making the platform the obvious path produces voluntary adoption"&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Do nothing.&lt;/strong&gt; Accept the sprawl and hope nothing catches fire. This is the default, and it&amp;rsquo;s also how you end up explaining to an auditor why some finance agent moved data between three systems last Thursday and nobody remembers which prompt triggered it.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Mandate centralization.&lt;/strong&gt; Tell developers every agent has to be registered and approved before it runs. This sounds responsible on a slide, and it falls apart inside a sprint. Developers route around friction. If the official path takes a week and the unofficial path takes an afternoon, the unofficial path wins, and you&amp;rsquo;ve just pushed the sprawl underground where you can&amp;rsquo;t see it anymore.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Make the platform the obvious path.&lt;/strong&gt; Build the thing developers actually want to use. A place where an agent inherits the guardrails, credentials, policies, and audit trail by default, because that&amp;rsquo;s what&amp;rsquo;s on offer. Adoption becomes a side effect of shipping something good.&lt;/p&gt;
&lt;p&gt;Option three is the only one that scales. It&amp;rsquo;s also the one where most platform teams look at their existing stack and assume they need to build a pile of new scaffolding. I don&amp;rsquo;t think they do, and the rest of this post is why.&lt;/p&gt;
&lt;h2 id="the-seven-things-an-ai-agent-needs-from-your-platform"&gt;The seven things an AI agent needs from your platform&lt;/h2&gt;
&lt;p&gt;An agent needs seven concrete things from the platform it runs on. Each one maps to a Pulumi primitive you already own.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.pulumi.com/blog/agent-sprawl-iac-platform-is-the-answer/seven-pillars.png" alt="Seven things an AI agent needs from your platform mapped to their Pulumi primitives: context to state graph and Neo, integrations to providers and ESC, actions to Deployments and Automation API, policy to CrossGuard, audit to Pulumi Cloud activity log, review to pulumi preview and review stacks, approval to Deployments approvals and Neo"&gt;&lt;/p&gt;
&lt;h3 id="1-a-trustworthy-context-lake"&gt;1. A trustworthy context lake&lt;/h3&gt;
&lt;p&gt;Agents are only as good as the context they can reason over. Drop a generic LLM into your cloud account and you&amp;rsquo;ll get plausible-sounding nonsense, because the model has never seen your environment. What you actually need is a grounded source of truth: what resources exist, how they relate, which stack owns what, which version is running where.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.pulumi.com/docs/iac/concepts/state-and-backends/"&gt;Pulumi state&lt;/a&gt; is already that. Your program graph, your stack outputs, your resource metadata, all of it adds up to a structured record of what you&amp;rsquo;ve actually deployed. &lt;a href="https://www.pulumi.com/blog/grounded-ai-why-neo-knows-your-infrastructure/"&gt;Pulumi Neo reasons directly over that graph&lt;/a&gt;, which is why it can tell you why a deployment drifted instead of guessing. I wrote the long version of that argument there. Short version: you already have the context lake. Point agents at it.&lt;/p&gt;
&lt;h3 id="2-pre-cleared-integrations"&gt;2. Pre-cleared integrations&lt;/h3&gt;
&lt;p&gt;An agent that needs to touch five systems shouldn&amp;rsquo;t need five separate credential dances. That&amp;rsquo;s where credential sprawl starts. Every agent gets a long-lived key, every key ends up in somebody&amp;rsquo;s &lt;code&gt;.env&lt;/code&gt;, and every rotation turns into an incident.&lt;/p&gt;
&lt;p&gt;The Pulumi surface here is the &lt;a href="https://www.pulumi.com/registry/"&gt;200+ providers&lt;/a&gt; plus &lt;a href="https://www.pulumi.com/product/esc/"&gt;Pulumi ESC&lt;/a&gt; handling dynamic credentials through OIDC. An agent doesn&amp;rsquo;t ask for an AWS access key. It asks ESC for a short-lived, scoped token bound to the environment it&amp;rsquo;s allowed to operate in, and the token expires when the task ends. No static keys, no rotation pain, no awkward postmortem about how something got committed to GitHub. &lt;a href="https://www.pulumi.com/blog/top-8-claude-skills-devops-2026/"&gt;The ESC patterns I walked through in the Claude skills post&lt;/a&gt; work just as well for an autonomous agent as they do for a human developer, which is really the whole point.&lt;/p&gt;
&lt;h3 id="3-governed-actions"&gt;3. Governed actions&lt;/h3&gt;
&lt;p&gt;There&amp;rsquo;s a real difference between &amp;ldquo;an agent can see your infrastructure&amp;rdquo; and &amp;ldquo;an agent can change your infrastructure.&amp;rdquo; The second one is where you actually need structure. &lt;a href="https://www.pulumi.com/docs/deployments/"&gt;Pulumi Deployments&lt;/a&gt; gives you that structure: defined workflows, controlled triggers, running inside your Pulumi Cloud boundary instead of whatever environment the developer happened to spin up. &lt;a href="https://www.pulumi.com/docs/iac/automation-api/"&gt;The Automation API&lt;/a&gt; lets you build higher-order orchestration on the same primitives your developers already use.&lt;/p&gt;
&lt;p&gt;The framing I keep coming back to goes like this. An agent shouldn&amp;rsquo;t call &lt;code&gt;pulumi up&lt;/code&gt; directly. It should submit an action to a governed pipeline that runs &lt;code&gt;pulumi up&lt;/code&gt; on its behalf, inside an environment you control, with a log trail and the guardrails already in place. Same effect, very different threat model.&lt;/p&gt;
&lt;h3 id="4-deterministic-policy"&gt;4. Deterministic policy&lt;/h3&gt;
&lt;p&gt;Real governance lives outside the prompt. &amp;ldquo;Please don&amp;rsquo;t delete production&amp;rdquo; is a wish written into a system prompt, not an enforced control. And when an agent overrides your intent to do what it thought you meant, it&amp;rsquo;s behaving exactly the way the technology was designed to behave.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.pulumi.com/docs/insights/policy/"&gt;Pulumi Policies&lt;/a&gt; is the answer the IaC community landed on years ago: policy as code, written in a real programming language, evaluated deterministically at preview and update time. Disallow production RDS deletions. Require encryption at rest. Block S3 buckets with public ACLs. An agent running through Pulumi hits those gates whether it &amp;ldquo;wants&amp;rdquo; to or not, because the gates live in the pipeline and not in the prompt. This is the pillar most teams underweight, and it&amp;rsquo;s the first one most auditors ask about.&lt;/p&gt;
&lt;h3 id="5-an-audit-trail"&gt;5. An audit trail&lt;/h3&gt;
&lt;p&gt;When something goes wrong at 3 a.m. (and with enough agents running, something will), you need answers fast. What changed, who changed it, and why. Not just &amp;ldquo;which agent,&amp;rdquo; but which version of which agent, triggered by what event, authorized by which policy, touching which resources.&lt;/p&gt;
&lt;p&gt;Pulumi Cloud&amp;rsquo;s activity log, the stack update history, and &lt;a href="https://www.pulumi.com/docs/esc/administration/audit-logs/"&gt;ESC audit logs&lt;/a&gt; already capture all of that. Every update is versioned. Every secret access is logged. Every policy evaluation is recorded. When an agent submits a change through your Pulumi pipeline, it inherits that audit surface for free. The alternative is reconstructing an incident from a mix of Slack messages, container logs, and developer memory, which is roughly the state most teams without a platform are in today.&lt;/p&gt;
&lt;h3 id="6-a-review-process"&gt;6. A review process&lt;/h3&gt;
&lt;p&gt;Not every agent action should wait for a human. But agents do need a promotion path, the same way new platform components do. Experimental, then reviewed, then trusted, then autonomous. That&amp;rsquo;s exactly what &lt;code&gt;pulumi preview&lt;/code&gt;, review stacks, and Deployments PR workflows already model for human contributors. An agent that wants to make a change should have to submit it the same way a junior engineer would. As a diff, with a plan, against a preview environment, until it earns the trust to skip steps.&lt;/p&gt;
&lt;p&gt;This connects back to the pattern I laid out in &lt;a href="https://www.pulumi.com/blog/golden-paths-infrastructure-components-and-templates/"&gt;&lt;em&gt;Golden Paths: Infrastructure Components and Templates&lt;/em&gt;&lt;/a&gt;. Golden paths were never only for humans. They&amp;rsquo;re just paths, and agents can walk them too.&lt;/p&gt;
&lt;h3 id="7-human-in-the-loop-approval"&gt;7. Human-in-the-loop approval&lt;/h3&gt;
&lt;p&gt;The last pillar is the one that keeps the other six honest. Some decisions shouldn&amp;rsquo;t be automated, full stop. Production rollbacks outside business hours. Destructive changes above a certain blast-radius threshold. Anything that touches a regulated data boundary. For those cases, you want a forced human checkpoint that the agent can&amp;rsquo;t route around.&lt;/p&gt;
&lt;p&gt;Pulumi Deployments approvals already play that role for human changes. &lt;a href="https://www.pulumi.com/product/neo/"&gt;Pulumi Neo&amp;rsquo;s review steps&lt;/a&gt; add the AI-aware version: a structured plan, a diff, a named approver, and a record of what they decided and why. I walked through what this looks like in practice in &lt;a href="https://www.pulumi.com/blog/self-verifying-ai-agents-vercels-agent-browser-in-the-ralph-wiggum-loop/"&gt;&lt;em&gt;Self-Verifying AI Agents&lt;/em&gt;&lt;/a&gt;. Short version: an agent that proposes is much safer than an agent that commits.&lt;/p&gt;
&lt;h2 id="why-iac-is-the-natural-substrate-for-this"&gt;Why IaC is the natural substrate for this&lt;/h2&gt;
&lt;p&gt;Step back from the seven pillars and look at what they have in common. Context, integrations, governed actions, deterministic policy, audit, review, approval. None of those are new problems that AI agents invented. They&amp;rsquo;re the problems infrastructure-as-code has been quietly solving for a decade, for human developers.&lt;/p&gt;
&lt;p&gt;Every meaningful agent action ends up being a change, whether that&amp;rsquo;s to infrastructure, configuration, secrets, or state. IaC is the one layer in your stack that already treats change as the unit of work. Plan, preview, apply, record. If you want governance for agents and you don&amp;rsquo;t want to build it twice, the most efficient move is to route agent changes through the same substrate your humans already use.&lt;/p&gt;
&lt;p&gt;I made the same point from a different angle in &lt;a href="https://www.pulumi.com/blog/token-efficiency-vs-cognitive-efficiency-choosing-iac-for-ai-agents/"&gt;&lt;em&gt;Token Efficiency vs Cognitive Efficiency: Choosing IaC for AI Agents&lt;/em&gt;&lt;/a&gt;. An IaC platform that models your world as a graph of typed resources is a much better reasoning surface for an agent than a stack of YAML or a bash script somebody wrote on a Friday. The structure is what makes it work.&lt;/p&gt;
&lt;h2 id="what-this-means-for-the-platform-engineer"&gt;What this means for the platform engineer&lt;/h2&gt;
&lt;p&gt;There&amp;rsquo;s a narrative floating around that AI is going to make platform engineers less relevant. I haven&amp;rsquo;t seen it hold up against an actual production environment. Every stat I&amp;rsquo;ve looked at points the other way. Gartner expects &lt;a href="https://www.itential.com/resource/analyst-report/gartner-predicts-2026-ai-agents-will-reshape-infrastructure-operations/"&gt;70% of enterprises to deploy agentic AI as part of IT infrastructure and operations by 2029, up from less than 5% in 2025&lt;/a&gt;. LangChain&amp;rsquo;s &lt;a href="https://www.langchain.com/state-of-agent-engineering"&gt;State of Agent Engineering report already has 57% of teams running agents in production today&lt;/a&gt;. And Gartner projects that &lt;a href="https://deviniti.com/blog/leadership-teamwork/40-devops-stats-for-2026/"&gt;80% of large software engineering orgs will have a platform team by end of 2026, up from 45% in 2022&lt;/a&gt;. More agents means more changes, more changes means more blast radius, and more blast radius means more need for the thing platform teams are uniquely equipped to provide.&lt;/p&gt;
&lt;p&gt;Your classic responsibilities haven&amp;rsquo;t gone anywhere either. Golden paths, service catalogs, CI/CD, on-call rotations, all of that is still yours. Agents are an additional layer that needs the same discipline. The upside is that if your platform already runs on a mature IaC surface, you&amp;rsquo;re extending a muscle you&amp;rsquo;ve been building for years instead of growing a new one.&lt;/p&gt;
&lt;p&gt;The developer-facing side matters too. A developer building an agent needs to know what&amp;rsquo;s available to them, needs templates that work on the first try, and needs to see what teammates have already built so they don&amp;rsquo;t start from a blank page. That&amp;rsquo;s the territory &lt;a href="https://www.pulumi.com/blog/top-8-claude-skills-devops-2026/"&gt;the Claude skills post&lt;/a&gt; and &lt;a href="https://www.pulumi.com/blog/idp-strategy-planning-self-service-infrastructure-that-balances-developer-autonomy-with-operational-control/"&gt;&lt;em&gt;IDP Strategy: Self-Service Infrastructure That Balances Autonomy With Control&lt;/em&gt;&lt;/a&gt; cover. That&amp;rsquo;s the experience layer that makes developers actually choose your platform instead of routing around it. You need both sides working at once. The governance your security team cares about, and the experience your developers will actually reach for.&lt;/p&gt;
&lt;h2 id="close-the-window"&gt;Close the window&lt;/h2&gt;
&lt;p&gt;The agents your developers are shipping this week are going to outlive the experiment that started them. Some of them will become critical. At least one will cause an incident. At least one will eventually show up in an audit. All of them are going to be easier to govern if they were built on your platform from day one than if you try to wrap policy around them later.&lt;/p&gt;
&lt;p&gt;If you want the longer view on where this is going, &lt;a href="https://www.pulumi.com/blog/ai-predictions-2026-devops-guide/"&gt;&lt;em&gt;AI Predictions for 2026: A DevOps Engineer&amp;rsquo;s Guide&lt;/em&gt;&lt;/a&gt; is the companion piece. If you want the developer-facing version of the grounding argument, &lt;a href="https://www.pulumi.com/blog/grounded-ai-why-neo-knows-your-infrastructure/"&gt;&lt;em&gt;Grounded AI&lt;/em&gt;&lt;/a&gt; is what to read next.&lt;/p&gt;
&lt;p&gt;Either way, here&amp;rsquo;s where I land. The substrate for agent governance is already running in your stack. You&amp;rsquo;ve been pointing it at human changes for years. Now point it at the agents too.&lt;/p&gt;
&lt;a
href="https://www.pulumi.com/product/neo/"
class="btn btn-outline"
&gt;
See how Pulumi Neo governs agent actions
&lt;/a&gt;</description><author>Engin Diri</author><category>ai</category><category>ai-agents</category><category>platform-engineering</category><category>devops</category><category>infrastructure-as-code</category></item><item><title>Superpowers, GSD, and GSTACK: Picking the Right Framework for Your Coding Agent</title><link>https://www.pulumi.com/blog/claude-code-orchestration-frameworks/</link><pubDate>Mon, 13 Apr 2026 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/claude-code-orchestration-frameworks/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/claude-code-orchestration-frameworks/index.png" /&gt;
&lt;p&gt;Three community frameworks have emerged that fix the specific ways AI coding agents break down on real projects. &lt;a href="https://github.com/obra/superpowers"&gt;Superpowers&lt;/a&gt; enforces test-driven development. &lt;a href="https://github.com/gsd-build/get-shit-done"&gt;GSD&lt;/a&gt; prevents context rot. &lt;a href="https://github.com/garrytan/gstack"&gt;GSTACK&lt;/a&gt; adds role-based governance. All three started with Claude Code but now work across Cursor, Codex, Windsurf, Gemini CLI, and more.&lt;/p&gt;
&lt;p&gt;Pulumi uses general-purpose programming languages to define infrastructure. TypeScript, Python, Go, C#, Java. Every framework that makes AI agents write better TypeScript also makes your &lt;code&gt;pulumi up&lt;/code&gt; better. After spending a few weeks with each one, I have opinions about when to use which.&lt;/p&gt;
&lt;h2 id="the-problem-all-three-frameworks-solve"&gt;The problem all three frameworks solve&lt;/h2&gt;
&lt;p&gt;AI coding agents are impressive for the first 30 minutes. Then things go sideways. The patterns are predictable enough that three separate teams independently built frameworks to fix them.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Context rot.&lt;/strong&gt; Every LLM has a context window. As that window fills up, earlier instructions fade. You start a session asking for an &lt;a href="https://www.pulumi.com/docs/iac/clouds/aws/guides/"&gt;S3 bucket&lt;/a&gt; with AES-256 encryption, proper ACLs, and access logging. Two hours and 200K tokens later, the agent creates a new bucket with none of those requirements. The context window got crowded and your original instructions lost weight.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;No test discipline.&lt;/strong&gt; Agents write code that looks plausible. Plausible code compiles. Plausible code even runs, for a while. But plausible code without tests is a liability. The agent adds a feature and quietly breaks two others because nothing verified the existing behavior was preserved.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Scope drift.&lt;/strong&gt; You ask for a &lt;a href="https://www.pulumi.com/docs/iac/clouds/aws/guides/vpc/"&gt;VPC with three subnets&lt;/a&gt;. The agent decides you also need a NAT gateway, a transit gateway, a VPN endpoint, and a custom DNS resolver. Helpful in theory. In practice, you now have infrastructure you never requested and barely understand. You will also pay for it monthly.&lt;/p&gt;
&lt;p&gt;These problems are not specific to Claude Code or any particular agent. They happen with Cursor, Codex, Windsurf, and every other LLM-powered coding tool. The context window does not care which brand name is on the wrapper.&lt;/p&gt;
&lt;h2 id="superpowers-the-test-driven-discipline-enforcer"&gt;Superpowers: the test-driven discipline enforcer&lt;/h2&gt;
&lt;p&gt;&lt;a href="https://github.com/obra/superpowers"&gt;Superpowers&lt;/a&gt; was created by &lt;a href="https://www.linkedin.com/in/jessevincent/"&gt;Jesse Vincent&lt;/a&gt; and has accumulated over 149K GitHub stars. The core idea is simple: no production code gets written without a failing test first.&lt;/p&gt;
&lt;p&gt;The framework enforces a 7-phase workflow. Brainstorm the approach. Write a spec. Create a plan. Write failing tests (TDD). Spin up subagents to implement. Review. Finalize. Every phase has gates. You cannot skip ahead. The iron law is that production code only exists to make a failing test pass.&lt;/p&gt;
&lt;p&gt;This sounds rigid. It is. That is the point.&lt;/p&gt;
&lt;p&gt;Superpowers includes a Visual Companion for design decisions, which helps when you are making architectural choices that need visual reasoning. The main orchestrator manages the entire workflow from a single context window, delegating implementation work to subagents that run in isolation.&lt;/p&gt;
&lt;p&gt;The tradeoff is that the mega-orchestrator pattern means the orchestrator itself can hit context limits on very long sessions. One big brain coordinating everything works well until the big brain fills up. For most projects, this is not an issue. For marathon sessions with dozens of files, keep it in mind.&lt;/p&gt;
&lt;p&gt;The workflow breaks down into skills that trigger automatically:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Skill&lt;/th&gt;
&lt;th&gt;Phase&lt;/th&gt;
&lt;th&gt;What it does&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;brainstorming&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Design&lt;/td&gt;
&lt;td&gt;Refines rough ideas through Socratic questions, saves design doc&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;writing-plans&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Planning&lt;/td&gt;
&lt;td&gt;Breaks work into 2-5 minute tasks with exact file paths and code&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;test-driven-development&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Implementation&lt;/td&gt;
&lt;td&gt;RED-GREEN-REFACTOR: failing test first, minimal code, commit&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;subagent-driven-development&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Implementation&lt;/td&gt;
&lt;td&gt;Dispatches fresh subagent per task with two-stage review&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;requesting-code-review&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Review&lt;/td&gt;
&lt;td&gt;Reviews against plan, blocks progress on critical issues&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;finishing-a-development-branch&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Finalize&lt;/td&gt;
&lt;td&gt;Verifies tests pass, presents merge/PR/keep/discard options&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The results speak for themselves. The &lt;a href="https://github.com/chardet/chardet"&gt;chardet&lt;/a&gt; maintainer used Superpowers to rewrite chardet v7.0.0 from scratch, achieving a 41x performance improvement. Not a 41% improvement. 41 times faster. That is what happens when every code change has to pass a test: the agent optimizes aggressively because it has a safety net.&lt;/p&gt;
&lt;p&gt;Superpowers works with Claude Code, Cursor, Codex, OpenCode, GitHub Copilot CLI, and Gemini CLI.&lt;/p&gt;
&lt;h2 id="gsd-preventing-context-rot-before-it-ruins-your-project"&gt;GSD: preventing context rot before it ruins your project&lt;/h2&gt;
&lt;p&gt;&lt;a href="https://github.com/gsd-build/get-shit-done"&gt;GSD&lt;/a&gt; (Get Shit Done) was created by &lt;a href="https://www.linkedin.com/in/lexchristopherson/"&gt;Lex Christopherson&lt;/a&gt; and has over 51K stars. Where Superpowers focuses on test discipline, GSD attacks the context window problem directly.&lt;/p&gt;
&lt;p&gt;The key architectural decision: GSD does not use a single mega-orchestrator. Instead, it assigns a separate orchestrator to each phase of work. Each orchestrator stays under 50% of its context capacity. When a phase completes, the orchestrator writes its state to disk as Markdown files, then a fresh orchestrator picks up where the last one left off.&lt;/p&gt;
&lt;p&gt;Think about why this matters. With a single orchestrator, your 200K token context window is a shared resource. Instructions from hour one compete with code from hour three. GSD sidesteps this entirely. Every phase starts with a full context budget because the previous phase&amp;rsquo;s orchestrator handed off cleanly and shut down.&lt;/p&gt;
&lt;p&gt;The state files use XML-formatted instructions because (it turns out) LLMs parse structured XML more reliably than freeform Markdown. GSD also includes quality gates that detect schema drift and scope reduction. If the agent starts cutting corners or wandering from the plan, the gates catch it.&lt;/p&gt;
&lt;p&gt;GSD evolved from v1 (pure Markdown configuration) to v2 (TypeScript SDK), which tells you something about the level of engineering behind it. The v2 SDK gives you programmatic control over orchestration, not just static instruction files.&lt;/p&gt;
&lt;p&gt;The tradeoff: GSD has more ceremony than the other two frameworks. For a quick script or a single-file change, the phase-based workflow is overkill. GSD earns its keep on projects that span multiple files, multiple sessions, or multiple days.&lt;/p&gt;
&lt;p&gt;The core commands map to a phase-based workflow:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Command&lt;/th&gt;
&lt;th&gt;What it does&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;/gsd-new-project&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Full initialization: questions, research, requirements, roadmap&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;/gsd-discuss-phase&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Capture implementation decisions before planning starts&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;/gsd-plan-phase&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Research, plan, and verify for a single phase&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;/gsd-execute-phase&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Execute all plans in parallel waves, verify when complete&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;/gsd-verify-work&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Manual user acceptance testing&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;/gsd-ship&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Create PR from verified phase work with auto-generated body&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;/gsd-fast&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Inline trivial tasks, skips planning entirely&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;GSD supports the widest range of agents: 14 and counting. Claude Code, Cursor, Windsurf, Codex, Copilot, Gemini CLI, Cline, Augment, Trae, Qwen Code, and more.&lt;/p&gt;
&lt;h2 id="gstack-when-you-need-a-whole-team-not-just-an-engineer"&gt;GSTACK: when you need a whole team, not just an engineer&lt;/h2&gt;
&lt;p&gt;&lt;a href="https://github.com/garrytan/gstack"&gt;GSTACK&lt;/a&gt; was created by &lt;a href="https://www.linkedin.com/in/garrytan/"&gt;Garry Tan&lt;/a&gt; (CEO of Y Combinator) and has over 71K stars. It takes a fundamentally different approach from the other two frameworks.&lt;/p&gt;
&lt;p&gt;Instead of disciplining a single agent, GSTACK models a 23-person team. CEO, product manager, QA lead, engineer, designer, security reviewer. Each role has its own responsibilities, its own constraints, and its own slice of the problem.&lt;/p&gt;
&lt;p&gt;The framework enforces five layers of constraint. Role focus keeps each specialist in their lane. Data flow controls what information passes between roles. Quality control gates ensure standards at handoff points. The &amp;ldquo;boil the lake&amp;rdquo; principle means each role finishes what it can do perfectly and skips what it cannot, rather than producing mediocre work across everything. And the simplicity layer pushes back against unnecessary complexity.&lt;/p&gt;
&lt;p&gt;The role isolation is what makes GSTACK distinctive. The engineer role does not see the product roadmap. The QA role does not see the implementation details. Each role only receives the context it needs to do its job. This is not just about efficiency. It prevents the kind of scope creep where an agent that knows everything tries to do everything.&lt;/p&gt;
&lt;p&gt;&amp;ldquo;Boil the lake&amp;rdquo; is my favorite principle across all three frameworks. It is the opposite of how most agents work. Agents default to attempting everything and producing something mediocre. GSTACK says: do fewer things, but do them right.&lt;/p&gt;
&lt;p&gt;The tradeoff: 23 specialist roles feels heavy for pure infrastructure work. If you are writing Pulumi programs and deploying cloud resources with &lt;a href="https://www.pulumi.com/docs/iac/concepts/components/"&gt;component resources&lt;/a&gt;, you probably do not need a product manager role or a designer role. GSTACK shines when you are building a product, not just provisioning infrastructure.&lt;/p&gt;
&lt;p&gt;Each slash command activates a different specialist:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Command&lt;/th&gt;
&lt;th&gt;Role&lt;/th&gt;
&lt;th&gt;What it does&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;/office-hours&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;YC partner&lt;/td&gt;
&lt;td&gt;Six forcing questions that reframe your product before you write code&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;/plan-ceo-review&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;CEO&lt;/td&gt;
&lt;td&gt;Four modes: expand scope, selective expand, hold, reduce&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;/plan-eng-review&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Engineering manager&lt;/td&gt;
&lt;td&gt;Lock architecture, map data flow, list edge cases&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;/review&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Staff engineer&lt;/td&gt;
&lt;td&gt;Find bugs that pass CI but break in production, auto-fix the obvious ones&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;/qa&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;QA lead&lt;/td&gt;
&lt;td&gt;Real Playwright browser testing, not simulated&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;/ship&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Release engineer&lt;/td&gt;
&lt;td&gt;One-command deploy with coverage audit&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;/cso&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Security officer&lt;/td&gt;
&lt;td&gt;OWASP and STRIDE security audits&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;GSTACK works with Claude Code, Codex CLI, OpenCode, Cursor, Factory Droid, Slate, and Kiro.&lt;/p&gt;
&lt;h2 id="where-each-framework-fits"&gt;Where each framework fits&lt;/h2&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th&gt;Superpowers&lt;/th&gt;
&lt;th&gt;GSD&lt;/th&gt;
&lt;th&gt;GSTACK&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;What it locks down&lt;/td&gt;
&lt;td&gt;The dev process itself&lt;/td&gt;
&lt;td&gt;The execution environment&lt;/td&gt;
&lt;td&gt;Who decides what&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Orchestration&lt;/td&gt;
&lt;td&gt;Single orchestrator&lt;/td&gt;
&lt;td&gt;Per-phase orchestrators&lt;/td&gt;
&lt;td&gt;23 specialist roles&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Context management&lt;/td&gt;
&lt;td&gt;One window&lt;/td&gt;
&lt;td&gt;State-to-disk, fresh per phase&lt;/td&gt;
&lt;td&gt;Role-scoped handoffs&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Where it shines&lt;/td&gt;
&lt;td&gt;TDD, subagent delegation, disciplined plan execution&lt;/td&gt;
&lt;td&gt;Marathon sessions, parallel workstreams, crash recovery&lt;/td&gt;
&lt;td&gt;Product strategy, multi-perspective review, real browser QA&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Where it struggles&lt;/td&gt;
&lt;td&gt;Anything beyond the build phase&lt;/td&gt;
&lt;td&gt;Overkill for small tasks, no role separation&lt;/td&gt;
&lt;td&gt;The actual writing-code part&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Best for&lt;/td&gt;
&lt;td&gt;Solo devs who need test discipline&lt;/td&gt;
&lt;td&gt;Complex projects that span days or weeks&lt;/td&gt;
&lt;td&gt;Founder-engineers shipping a product&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;GitHub stars&lt;/td&gt;
&lt;td&gt;149K&lt;/td&gt;
&lt;td&gt;51K&lt;/td&gt;
&lt;td&gt;71K&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Agent support&lt;/td&gt;
&lt;td&gt;6 agents&lt;/td&gt;
&lt;td&gt;14+ agents&lt;/td&gt;
&lt;td&gt;7 agents&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;For infrastructure work, GSD&amp;rsquo;s context management matters most. Long Pulumi sessions that provision dozens of resources across multiple stacks are exactly the scenario where context rot bites hardest. GSD&amp;rsquo;s phase-based approach keeps each orchestrator fresh.&lt;/p&gt;
&lt;p&gt;Superpowers&amp;rsquo; TDD workflow maps well to application code where unit tests are straightforward. Infrastructure testing is different. You cannot unit test whether an &lt;a href="https://www.pulumi.com/docs/iac/clouds/aws/guides/iam/"&gt;IAM policy&lt;/a&gt; actually grants the right permissions. You can test the shape of the policy with &lt;a href="https://www.pulumi.com/docs/iac/guides/testing/"&gt;Pulumi&amp;rsquo;s testing frameworks&lt;/a&gt;, but the real validation happens at &lt;a href="https://www.pulumi.com/docs/iac/cli/commands/pulumi_preview/"&gt;&lt;code&gt;pulumi preview&lt;/code&gt;&lt;/a&gt; and &lt;a href="https://www.pulumi.com/docs/iac/cli/commands/pulumi_up/"&gt;&lt;code&gt;pulumi up&lt;/code&gt;&lt;/a&gt;. Superpowers still helps here (discipline is discipline), but the TDD cycle is less natural for infra than for app code.&lt;/p&gt;
&lt;p&gt;GSTACK shines when the project has product dimensions. If you are building a SaaS platform where the infrastructure serves a product vision, GSTACK&amp;rsquo;s multi-role governance keeps the product thinking connected to the engineering work. For pure infra provisioning, the extra roles add overhead without much benefit.&lt;/p&gt;
&lt;p&gt;My honest take: none of these is universally best. Knowing your failure mode is the real decision.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;What keeps going wrong&lt;/th&gt;
&lt;th&gt;Try this&lt;/th&gt;
&lt;th&gt;The reason&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Code works today, breaks tomorrow&lt;/td&gt;
&lt;td&gt;Superpowers&lt;/td&gt;
&lt;td&gt;Forces every change through a failing test first&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Quality drops after the first hour&lt;/td&gt;
&lt;td&gt;GSD&lt;/td&gt;
&lt;td&gt;Fresh context per phase, nothing carries over&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;You ship features nobody asked for&lt;/td&gt;
&lt;td&gt;GSTACK&lt;/td&gt;
&lt;td&gt;Product review before engineering starts&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;All of the above&lt;/td&gt;
&lt;td&gt;GSTACK for direction, bolt on Superpowers TDD&lt;/td&gt;
&lt;td&gt;No single framework covers everything yet&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h2 id="combining-frameworks-with-pulumi-workflows"&gt;Combining frameworks with Pulumi workflows&lt;/h2&gt;
&lt;p&gt;These frameworks solve the &amp;ldquo;how&amp;rdquo; of agent orchestration. &lt;a href="https://www.pulumi.com/blog/top-8-claude-skills-devops-2026/"&gt;Skills&lt;/a&gt; (like the ones from &lt;a href="https://github.com/pulumi/agent-skills"&gt;Pulumi Agent Skills&lt;/a&gt;) solve the &amp;ldquo;what,&amp;rdquo; teaching agents the right patterns for specific technologies. Frameworks and skills complement each other. A skill tells the agent to use &lt;a href="https://www.pulumi.com/docs/esc/guides/configuring-oidc/aws/"&gt;OIDC&lt;/a&gt; instead of hardcoded credentials. A framework makes sure the agent still remembers that instruction 200K tokens later.&lt;/p&gt;
&lt;p&gt;GSD&amp;rsquo;s state-to-disk approach pairs naturally with &lt;a href="https://www.pulumi.com/docs/iac/concepts/inputs-outputs/"&gt;Pulumi stack outputs&lt;/a&gt;. Each phase can read the previous phase&amp;rsquo;s stack outputs from the state files, so a networking phase can provision a VPC and the compute phase can reference the subnet IDs without any context window gymnastics.&lt;/p&gt;
&lt;p&gt;Superpowers&amp;rsquo; TDD cycle maps to infrastructure validation. Write a failing test (the expected shape of your infrastructure). Run &lt;a href="https://www.pulumi.com/docs/iac/cli/commands/pulumi_preview/"&gt;&lt;code&gt;pulumi preview&lt;/code&gt;&lt;/a&gt; (red, the resources do not exist yet). Run &lt;a href="https://www.pulumi.com/docs/iac/cli/commands/pulumi_up/"&gt;&lt;code&gt;pulumi up&lt;/code&gt;&lt;/a&gt; (green, the infrastructure matches the test). This is not a perfect analogy since infrastructure tests are broader than unit tests, but the discipline of &amp;ldquo;verify before moving on&amp;rdquo; translates directly.&lt;/p&gt;
&lt;p&gt;You do not have to pick one framework and commit forever. Try GSD for a long multi-stack project. Try Superpowers for a focused library. See which failure mode bites you most and let that guide your choice.&lt;/p&gt;
&lt;h2 id="getting-started"&gt;Getting started&lt;/h2&gt;
&lt;a href="https://github.com/obra/superpowers" target="_blank" rel="noopener noreferrer" class="github-card"&gt;
&lt;img
src="https://opengraph.githubassets.com/1/obra/superpowers"
alt="GitHub repository: obra/superpowers"
class="github-card-image"
loading="lazy"
/&gt;
&lt;div class="github-card-content"&gt;
&lt;div class="github-card-domain"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon github-card-icon" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#b-github"/&gt;&lt;/svg&gt;
github.com/obra/superpowers
&lt;/div&gt;
&lt;/div&gt;
&lt;/a&gt;
&lt;a href="https://github.com/gsd-build/get-shit-done" target="_blank" rel="noopener noreferrer" class="github-card"&gt;
&lt;img
src="https://opengraph.githubassets.com/1/gsd-build/get-shit-done"
alt="GitHub repository: gsd-build/get-shit-done"
class="github-card-image"
loading="lazy"
/&gt;
&lt;div class="github-card-content"&gt;
&lt;div class="github-card-domain"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon github-card-icon" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#b-github"/&gt;&lt;/svg&gt;
github.com/gsd-build/get-shit-done
&lt;/div&gt;
&lt;/div&gt;
&lt;/a&gt;
&lt;a href="https://github.com/garrytan/gstack" target="_blank" rel="noopener noreferrer" class="github-card"&gt;
&lt;img
src="https://opengraph.githubassets.com/1/garrytan/gstack"
alt="GitHub repository: garrytan/gstack"
class="github-card-image"
loading="lazy"
/&gt;
&lt;div class="github-card-content"&gt;
&lt;div class="github-card-domain"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon github-card-icon" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#b-github"/&gt;&lt;/svg&gt;
github.com/garrytan/gstack
&lt;/div&gt;
&lt;/div&gt;
&lt;/a&gt;
&lt;p&gt;All three frameworks support multiple agents. For Claude Code, the install commands are straightforward:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# Superpowers&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;/plugin install superpowers@claude-plugins-official
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# GSD (the installer asks which agents and whether to install globally or locally)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;npx get-shit-done-cc@latest
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# GSTACK&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;git clone --single-branch --depth &lt;span class="m"&gt;1&lt;/span&gt; https://github.com/garrytan/gstack.git ~/.claude/skills/gstack &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="nb"&gt;cd&lt;/span&gt; ~/.claude/skills/gstack &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; ./setup
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Check each repository&amp;rsquo;s README for Cursor, Codex, Windsurf, and other agents.&lt;/p&gt;
&lt;p&gt;If you want a managed experience that handles orchestration for you, &lt;a href="https://www.pulumi.com/product/neo/"&gt;Pulumi Neo&lt;/a&gt; is &lt;a href="https://www.pulumi.com/blog/grounded-ai-why-neo-knows-your-infrastructure/"&gt;grounded in your actual infrastructure&lt;/a&gt;, not internet patterns. It understands your stacks, your dependencies, and your deployment history. The &lt;a href="https://www.pulumi.com/blog/10-things-you-can-do-with-neo/"&gt;10 things you can do with Neo&lt;/a&gt; post shows what that looks like in practice.&lt;/p&gt;
&lt;p&gt;Pick one and give it a project. You will know within an hour whether it fixes your particular failure mode.&lt;/p&gt;
&lt;a
href="https://www.pulumi.com/docs/get-started/"
class="btn btn-outline"
&gt;
Try Pulumi for Free
&lt;/a&gt;</description><author>Engin Diri</author><category>ai</category><category>claude-code</category><category>ai-agents</category><category>devops</category><category>cursor</category><category>ai-coding</category></item><item><title>Token Efficiency vs Cognitive Efficiency: Choosing IaC for AI Agents</title><link>https://www.pulumi.com/blog/token-efficiency-vs-cognitive-efficiency-choosing-iac-for-ai-agents/</link><pubDate>Tue, 03 Mar 2026 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/token-efficiency-vs-cognitive-efficiency-choosing-iac-for-ai-agents/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/token-efficiency-vs-cognitive-efficiency-choosing-iac-for-ai-agents/index.png" /&gt;
&lt;p&gt;When an AI agent writes infrastructure code, two things matter: how compact the output is (token efficiency) and how well the model actually reasons about what it&amp;rsquo;s writing (cognitive efficiency). HCL produces fewer tokens for the same resource. But does that make it the better choice when agents need to refactor, debug, and iterate? We ran a benchmark across &lt;a href="https://docs.anthropic.com/en/docs/about-claude/models"&gt;Claude Opus 4.6&lt;/a&gt; and &lt;a href="https://platform.openai.com/docs/models"&gt;GPT-5.2-Codex&lt;/a&gt; to find out.&lt;/p&gt;
&lt;h2 id="these-two-goals-pull-in-opposite-directions"&gt;These two goals pull in opposite directions&lt;/h2&gt;
&lt;p&gt;You might assume that the language producing fewer tokens is also the one models reason about best. Research into LLM-driven infrastructure generation suggests otherwise.&lt;/p&gt;
&lt;h2 id="where-hcl-wins-on-tokens"&gt;Where HCL wins on tokens&lt;/h2&gt;
&lt;p&gt;HCL is declarative and minimal. It requires no imports, no runtime constructs, and no language scaffolding. For simple infrastructure generation, HCL leads to fewer tokens and lower generation cost.&lt;/p&gt;
&lt;p&gt;For a straightforward resource definition, HCL gets straight to the point:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-hcl" data-lang="hcl"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;aws_s3_bucket&amp;#34; &amp;#34;example&amp;#34;&lt;/span&gt; {
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt; bucket&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;my-bucket&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Compare that with the Pulumi TypeScript equivalent:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-typescript" data-lang="typescript"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kr"&gt;import&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="kr"&gt;as&lt;/span&gt; &lt;span class="nx"&gt;aws&lt;/span&gt; &lt;span class="kr"&gt;from&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;@pulumi/aws&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;bucket&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nx"&gt;aws&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;s3&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Bucket&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;example&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;bucket&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;my-bucket&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;});&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The HCL version requires fewer tokens. No import statement, no variable declaration, no constructor syntax. For single-shot generation of simple resources, that compactness matters. But the picture changes once you account for deployability and refactoring.&lt;/p&gt;
&lt;h2 id="what-the-data-shows"&gt;What the data shows&lt;/h2&gt;
&lt;p&gt;HCL&amp;rsquo;s token advantage is real for simple generation. But agents don&amp;rsquo;t just generate once. They validate, repair failures, and refactor. We built a benchmark that measures the full cycle: an open-source tool that sends identical prompts to Claude Opus 4.6 (&lt;code&gt;claude-opus-4-6&lt;/code&gt;) and OpenAI GPT-5.2-Codex (&lt;code&gt;gpt-5.2-codex&lt;/code&gt;), requesting both Terraform HCL and Pulumi TypeScript for the same AWS infrastructure (VPC with public and private subnets across 2 AZs, an EC2 instance with security groups for SSH and HTTP, and an RDS PostgreSQL instance with a security group allowing port 5432 only from the EC2 security group, plus all networking: internet gateway, NAT gateway, route tables, and associations). We measured token consumption, cost, and deployability across two scenarios: initial generation and refactoring into reusable components.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Methodology:&lt;/strong&gt; Temperature 0, 5 runs per combination, randomized execution order. Each generated output goes through a three-stage validation pipeline: formatting (&lt;code&gt;terraform fmt&lt;/code&gt; for HCL, &lt;code&gt;prettier&lt;/code&gt; for TypeScript), static analysis (&lt;code&gt;terraform validate&lt;/code&gt; for HCL, &lt;code&gt;tsc --noEmit&lt;/code&gt; for TypeScript), and provider-level validation (&lt;code&gt;terraform plan&lt;/code&gt; for HCL, &lt;code&gt;pulumi preview&lt;/code&gt; for TypeScript). Both plan and preview check against real AWS provider schemas without creating resources, making their pass rates comparable across formats. If plan/preview fails, the benchmark feeds the error back to the model for one self-repair attempt. At temperature 0, Claude Opus 4.6 produced near-identical outputs across runs (sd=0-4 tokens). GPT-5.2-Codex showed more natural variation (sd=130-165 tokens). With 5 runs per combination the results are directional, not statistically conclusive. Costs are estimates based on published pricing as of 2026-02-22. Full methodology and reproducible code:&lt;/p&gt;
&lt;a href="https://github.com/dirien/iac-token-benchmark" target="_blank" rel="noopener noreferrer" class="github-card"&gt;
&lt;img
src="https://opengraph.githubassets.com/1/dirien/iac-token-benchmark"
alt="GitHub repository: dirien/iac-token-benchmark"
class="github-card-image"
loading="lazy"
/&gt;
&lt;div class="github-card-content"&gt;
&lt;div class="github-card-domain"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon github-card-icon" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#b-github"/&gt;&lt;/svg&gt;
github.com/dirien/iac-token-benchmark
&lt;/div&gt;
&lt;/div&gt;
&lt;/a&gt;
&lt;h3 id="scenario-1-generation"&gt;Scenario 1: Generation&lt;/h3&gt;
&lt;p&gt;HCL uses fewer tokens for generation:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Provider&lt;/th&gt;
&lt;th&gt;Format&lt;/th&gt;
&lt;th&gt;Output tokens (mean)&lt;/th&gt;
&lt;th&gt;LOC (mean)&lt;/th&gt;
&lt;th&gt;Cost (mean)&lt;/th&gt;
&lt;th&gt;Plan/Preview pass&lt;/th&gt;
&lt;th&gt;Repairs needed&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Claude Opus 4.6&lt;/td&gt;
&lt;td&gt;Terraform&lt;/td&gt;
&lt;td&gt;2,007&lt;/td&gt;
&lt;td&gt;212&lt;/td&gt;
&lt;td&gt;$0.051&lt;/td&gt;
&lt;td&gt;5/5&lt;/td&gt;
&lt;td&gt;0/5&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Claude Opus 4.6&lt;/td&gt;
&lt;td&gt;Pulumi TS&lt;/td&gt;
&lt;td&gt;2,555&lt;/td&gt;
&lt;td&gt;200&lt;/td&gt;
&lt;td&gt;$0.065&lt;/td&gt;
&lt;td&gt;5/5&lt;/td&gt;
&lt;td&gt;0/5&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;GPT-5.2-Codex&lt;/td&gt;
&lt;td&gt;Terraform&lt;/td&gt;
&lt;td&gt;1,565&lt;/td&gt;
&lt;td&gt;110&lt;/td&gt;
&lt;td&gt;$0.022&lt;/td&gt;
&lt;td&gt;2/5&lt;/td&gt;
&lt;td&gt;2/5&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;GPT-5.2-Codex&lt;/td&gt;
&lt;td&gt;Pulumi TS&lt;/td&gt;
&lt;td&gt;2,322&lt;/td&gt;
&lt;td&gt;147&lt;/td&gt;
&lt;td&gt;$0.033&lt;/td&gt;
&lt;td&gt;0/5&lt;/td&gt;
&lt;td&gt;5/5&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;HCL produces 21-33% fewer output tokens across both models. For simple resource generation, this translates directly to lower cost. Pulumi TypeScript uses more tokens for fewer lines of code because imports, type annotations, and constructor syntax add tokens without adding functional lines.&lt;/p&gt;
&lt;p&gt;The Plan/Preview column tells a more complete story. Claude Opus 4.6 produced deployable code on the first pass for both formats: 5/5 for Terraform and 5/5 for Pulumi. Neither needed repairs. GPT-5.2-Codex struggled with both formats, but Terraform fared slightly better (2/5 vs 0/5).&lt;/p&gt;
&lt;h3 id="scenario-2-refactoring-into-reusable-components"&gt;Scenario 2: Refactoring into reusable components&lt;/h3&gt;
&lt;p&gt;We took each model&amp;rsquo;s generation output and asked it to refactor the code into a reusable module or component with parameterized environment name, instance sizes, and availability zone count.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Provider&lt;/th&gt;
&lt;th&gt;Format&lt;/th&gt;
&lt;th&gt;Output tokens (mean)&lt;/th&gt;
&lt;th&gt;LOC (mean)&lt;/th&gt;
&lt;th&gt;Cost (mean)&lt;/th&gt;
&lt;th&gt;Plan/Preview pass&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Claude Opus 4.6&lt;/td&gt;
&lt;td&gt;Pulumi TS&lt;/td&gt;
&lt;td&gt;2,720&lt;/td&gt;
&lt;td&gt;218&lt;/td&gt;
&lt;td&gt;$0.082&lt;/td&gt;
&lt;td&gt;5/5&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Claude Opus 4.6&lt;/td&gt;
&lt;td&gt;Terraform&lt;/td&gt;
&lt;td&gt;3,379&lt;/td&gt;
&lt;td&gt;345&lt;/td&gt;
&lt;td&gt;$0.095&lt;/td&gt;
&lt;td&gt;5/5&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;GPT-5.2-Codex&lt;/td&gt;
&lt;td&gt;Pulumi TS&lt;/td&gt;
&lt;td&gt;2,477&lt;/td&gt;
&lt;td&gt;248&lt;/td&gt;
&lt;td&gt;$0.038&lt;/td&gt;
&lt;td&gt;4/5&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;GPT-5.2-Codex&lt;/td&gt;
&lt;td&gt;Terraform&lt;/td&gt;
&lt;td&gt;1,356&lt;/td&gt;
&lt;td&gt;119&lt;/td&gt;
&lt;td&gt;$0.021&lt;/td&gt;
&lt;td&gt;0/5&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;This is where the results get interesting. Opus + Pulumi refactoring used 20% fewer tokens, cost 14% less, and passed &lt;code&gt;pulumi preview&lt;/code&gt; on every run (5/5) with zero repairs. Opus + Terraform also ended up at 5/5 for &lt;code&gt;terraform plan&lt;/code&gt;, but it needed repair cycles to get there. The benchmark run log tells the story:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-console" data-lang="console"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="gp"&gt;#&lt;/span&gt; Pulumi refactoring: runs 29-33, sequential, no &lt;span class="nv"&gt;gaps&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; zero repairs
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;✓ [29/40] anthropic/pulumi-ts/refactor run 1 — 2721 tokens, $0.0817
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;✓ [30/40] anthropic/pulumi-ts/refactor run 2 — 2721 tokens, $0.0817
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;✓ [31/40] anthropic/pulumi-ts/refactor run 3 — 2721 tokens, $0.0817
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;✓ [32/40] anthropic/pulumi-ts/refactor run 4 — 2721 tokens, $0.0817
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;✓ [33/40] anthropic/pulumi-ts/refactor run 5 — 2714 tokens, $0.0816
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="err"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="gp"&gt;#&lt;/span&gt; Terraform refactoring: 34→36→38→40→42, every run skips a &lt;span class="nv"&gt;number&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; every run triggered self-repair
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;✓ [34/40] anthropic/terraform/refactor run 1 — 3388 tokens, $0.0956
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;✓ [36/40] anthropic/terraform/refactor run 2 — 3339 tokens, $0.0944
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;✓ [38/40] anthropic/terraform/refactor run 3 — 3390 tokens, $0.0957
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;✓ [40/40] anthropic/terraform/refactor run 4 — 3388 tokens, $0.0956
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;✓ [42/40] anthropic/terraform/refactor run 5 — 3388 tokens, $0.0956
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The skipped numbers (35, 37, 39, 41) are self-repair turns where the model received &lt;code&gt;terraform plan&lt;/code&gt; errors and regenerated the code. Each repair consumed additional tokens that do not show up in the first-generation cost but do show up in the total pipeline cost.&lt;/p&gt;
&lt;p&gt;GPT-5.2-Codex tells a different story. Both formats needed repair on every run, but what happened after repair is what matters:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-console" data-lang="console"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="gp"&gt;#&lt;/span&gt; Codex + Terraform refactoring: repaired, but still failed plan &lt;span class="o"&gt;(&lt;/span&gt;0/5 deployable&lt;span class="o"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;terraform run 1 turn 2: plan_valid=False tokens=1559
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;terraform run 2 turn 2: plan_valid=False tokens=1165
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;terraform run 3 turn 2: plan_valid=False tokens=1068
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;terraform run 4 turn 2: plan_valid=False tokens=1134
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;terraform run 5 turn 2: plan_valid=False tokens=1101
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="err"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="gp"&gt;#&lt;/span&gt; Codex + Pulumi refactoring: repaired, and preview passed &lt;span class="o"&gt;(&lt;/span&gt;4/5 deployable&lt;span class="o"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;pulumi-ts run 1 turn 2: plan_valid=True tokens=2246
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;pulumi-ts run 2 turn 2: plan_valid=True tokens=2567
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;pulumi-ts run 3 turn 2: plan_valid=True tokens=2187
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;pulumi-ts run 4 turn 2: plan_valid=True tokens=2531
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="go"&gt;pulumi-ts run 5 turn 2: plan_valid=False tokens=2647
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Codex + Terraform used fewer tokens but produced zero deployable refactored code after repair. Codex + Pulumi used more tokens but recovered to deployable code 4 out of 5 times. TypeScript&amp;rsquo;s type errors gave the model enough information to fix the problems. HCL&amp;rsquo;s plan errors did not.&lt;/p&gt;
&lt;h3 id="total-pipeline-cost"&gt;Total pipeline cost&lt;/h3&gt;
&lt;p&gt;This is the number that matters for production agent workflows. It includes generation, any self-repair cycles, and refactoring:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Provider&lt;/th&gt;
&lt;th&gt;Format&lt;/th&gt;
&lt;th&gt;Total tokens (mean)&lt;/th&gt;
&lt;th&gt;Total cost (mean)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Claude Opus 4.6&lt;/td&gt;
&lt;td&gt;Pulumi TS&lt;/td&gt;
&lt;td&gt;8,183&lt;/td&gt;
&lt;td&gt;$0.146&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Claude Opus 4.6&lt;/td&gt;
&lt;td&gt;Terraform&lt;/td&gt;
&lt;td&gt;14,669&lt;/td&gt;
&lt;td&gt;$0.249&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;GPT-5.2-Codex&lt;/td&gt;
&lt;td&gt;Terraform&lt;/td&gt;
&lt;td&gt;8,723&lt;/td&gt;
&lt;td&gt;$0.084&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;GPT-5.2-Codex&lt;/td&gt;
&lt;td&gt;Pulumi TS&lt;/td&gt;
&lt;td&gt;15,211&lt;/td&gt;
&lt;td&gt;$0.138&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;Opus + Pulumi had the lowest total pipeline cost at $0.146, 41% cheaper than Opus + Terraform at $0.249. The difference comes entirely from repair cycles: Pulumi needed zero repairs across both scenarios, while Terraform refactoring triggered self-repair on every run.&lt;/p&gt;
&lt;p&gt;With Codex, Terraform had the lower pipeline cost ($0.084 vs $0.138), driven by its smaller token output. But Codex + Terraform produced zero deployable refactored code (0/5 plan pass), while Codex + Pulumi produced deployable code 4 out of 5 times.&lt;/p&gt;
&lt;h3 id="what-this-means"&gt;What this means&lt;/h3&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;HCL uses fewer tokens per generation.&lt;/strong&gt; For single-shot resource creation, HCL&amp;rsquo;s compactness saves 21-33% on output tokens. That advantage is consistent across both models.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Pulumi produces deployable refactored code more reliably.&lt;/strong&gt; With Opus, Pulumi refactoring passed preview 5/5 with zero repairs. Codex + Pulumi passed 4/5. Codex + Terraform passed 0/5.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Total pipeline cost favors Pulumi with Opus.&lt;/strong&gt; Opus + Pulumi cost 41% less than Opus + Terraform across the full pipeline ($0.146 vs $0.249), because Terraform refactoring needed repair cycles that Pulumi did not.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;The tradeoff depends on your model and workflow.&lt;/strong&gt; Codex + Terraform is cheapest on raw tokens but produces no deployable refactored code. Codex + Pulumi costs more per token but actually deploys. Opus + Pulumi is the best of both: fewer refactoring tokens and zero repairs.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2 id="why-pulumi-refactoring-deploys-cleaner"&gt;Why Pulumi refactoring deploys cleaner&lt;/h2&gt;
&lt;p&gt;The &lt;a href="https://arxiv.org/abs/2601.08734"&gt;TerraFormer project&lt;/a&gt; identified what they call the &lt;strong&gt;correctness-congruence gap&lt;/strong&gt;: LLMs generate configurations that look valid but fail to match the user&amp;rsquo;s architectural intent. An &lt;a href="https://arxiv.org/abs/2512.14792"&gt;error taxonomy study&lt;/a&gt; cataloged the same pattern across models. A &lt;a href="https://arxiv.org/html/2404.00227v1"&gt;survey of LLMs for IaC&lt;/a&gt; found the gap between syntax validity and architectural correctness widens with infrastructure complexity.&lt;/p&gt;
&lt;p&gt;Refactoring is where this gap bites hardest. Turning a flat resource list into a parameterized, reusable module requires the model to restructure dependencies, introduce variables, and compose abstractions. With Pulumi, the model can use TypeScript&amp;rsquo;s standard refactoring patterns: extract a class, add typed constructor parameters, compose functions. These are patterns it has practiced across millions of repositories during training. With HCL, the same refactoring requires &lt;code&gt;count&lt;/code&gt;, &lt;code&gt;for_each&lt;/code&gt;, &lt;code&gt;dynamic&lt;/code&gt; blocks, and module variable plumbing, domain-specific constructs that have far less representation in training data.&lt;/p&gt;
&lt;p&gt;Our benchmark confirms this directly. Opus produced 2,720 tokens for Pulumi refactoring versus 3,379 for Terraform, a 20% reduction, and every Pulumi run passed &lt;code&gt;pulumi preview&lt;/code&gt; without repair. The Terraform refactoring runs all triggered self-repair because the restructured HCL modules had issues that &lt;code&gt;terraform plan&lt;/code&gt; caught.&lt;/p&gt;
&lt;p&gt;Training data distribution makes this structural. LLMs have far more TypeScript than HCL in their corpora. A model refactoring TypeScript draws on patterns from the entire open-source ecosystem. A model refactoring HCL modules has a much smaller pool. Since general-purpose languages dominate new code production, this gap will widen over time.&lt;/p&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;&lt;p&gt;Tooling can close the gap further. The &lt;a href="https://www.pulumi.com/docs/iac/using-pulumi/mcp-server/"&gt;Pulumi MCP server&lt;/a&gt; gives AI agents direct access to resource schemas at generation time. A tool like &lt;code&gt;get-resource&lt;/code&gt; returns every property, type, and required field for a given cloud resource. The agent does not have to guess from what it memorized during training. It can look up the correct schema before writing a single line of code.&lt;/p&gt;
&lt;p&gt;This changes the workflow from &amp;ldquo;generate, fail, read error, retry&amp;rdquo; to &amp;ldquo;look up schema, generate correctly.&amp;rdquo; Agent skills push this further by encoding working Pulumi idioms as structured prompts, so the model starts from a known-good baseline. Terraform has no equivalent to this MCP-based schema lookup. That difference matters more with every iteration.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="where-the-industry-is-heading"&gt;Where the industry is heading&lt;/h2&gt;
&lt;p&gt;One way to think about IaC language choice is through the lens of &lt;a href="https://www.principalengineer.com/p/the-7-levels-of-software-engineering"&gt;AI engineering maturity levels&lt;/a&gt;. At Level 3 (agentic coding), agents generate infrastructure from prompts. HCL&amp;rsquo;s 21-33% token savings on generation matters here. At Levels 4-5, agents iterate on specifications, refactor code, and maintain systems over time. Our benchmark shows this is where Pulumi pulls ahead: 41% lower total pipeline cost with Opus, and more deployable refactored output with both models.&lt;/p&gt;
&lt;p&gt;The industry is moving toward Levels 4-5. Agents are taking on refactoring, feature flags, environment parameterization. &lt;a href="https://overmind.tech/blog/the-best-ai-for-terraform"&gt;43% of DevOps teams need four or more deployment iterations&lt;/a&gt; before infrastructure is production-ready. The first-generation token advantage HCL holds applies to the task that is shrinking as a share of agent workloads. The refactoring and deployability advantages that Pulumi offers apply to the tasks that are growing.&lt;/p&gt;
&lt;h2 id="choosing-based-on-your-workflow"&gt;Choosing based on your workflow&lt;/h2&gt;
&lt;p&gt;If your agents primarily generate well-scoped resource definitions, HCL saves 21-33% on output tokens. That advantage is real and consistent.&lt;/p&gt;
&lt;p&gt;If your agents need deployable output on the first pass (which avoids repair costs entirely), our data shows Opus + Pulumi is the strongest combination: 5/5 plan/preview pass for both generation and refactoring, zero repairs, lowest total pipeline cost.&lt;/p&gt;
&lt;p&gt;If your agents evolve infrastructure over time through refactoring and modularizing, Pulumi produced deployable refactored code more reliably across both models we tested (5/5 and 4/5 vs 5/5 and 0/5 for Terraform).&lt;/p&gt;
&lt;p&gt;Pulumi covers the full iteration loop, from generation through repair to refactoring, using the same language patterns and tooling that models already know.&lt;/p&gt;
&lt;h2 id="get-started"&gt;Get started&lt;/h2&gt;
&lt;p&gt;Ready to explore how AI agents work with Pulumi? Check out &lt;a href="https://www.pulumi.com/ai/"&gt;Pulumi AI&lt;/a&gt; to see LLM-powered infrastructure generation in action, or get started with &lt;a href="https://www.pulumi.com/docs/get-started/"&gt;Pulumi&amp;rsquo;s documentation&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Join the conversation in the &lt;a href="https://slack.pulumi.com/"&gt;Pulumi Community Slack&lt;/a&gt; or &lt;a href="https://github.com/pulumi/pulumi/discussions"&gt;Pulumi Community Discussions&lt;/a&gt;.&lt;/p&gt;</description><author>Engin Diri</author><category>ai</category><category>infrastructure-as-code</category><category>llm</category></item><item><title>The Superintelligence Flywheel: Infrastructure for the AI Era</title><link>https://www.pulumi.com/blog/the-superintelligence-flywheel/</link><pubDate>Thu, 11 Dec 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/the-superintelligence-flywheel/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/the-superintelligence-flywheel/index.png" /&gt;
&lt;p&gt;We&amp;rsquo;ve been in the infrastructure business for nearly a decade, and we&amp;rsquo;ve never been more excited about, or in awe of, the scale we are seeing as the industry pursues superintelligence. We are now hitting a tipping point that requires entirely different approaches to managing and scaling infrastructure in this new era.&lt;/p&gt;
&lt;p&gt;What do we mean by superintelligence? Superintelligence means AI systems that operate with genuine autonomy&amp;mdash;planning, reasoning, executing, adapting&amp;mdash;at scale, on the path toward human-level and eventually superhuman intelligence. The infrastructure needed to accomplish this is greater than anything we&amp;rsquo;ve ever seen. Jensen Huang projects $600 billion in AI infrastructure spending this year, scaling to $3-4 trillion by decade&amp;rsquo;s end. Stargate committed $500 billion to AI infrastructure in the U.S. Microsoft, Meta, and Google are each spending $70-90 billion annually on datacenters. AWS just activated Project Rainier, a data center scaling to one million custom Trainium chips for Anthropic&amp;rsquo;s frontier models.&lt;/p&gt;
&lt;p&gt;Superintelligence is driving the biggest, fastest infrastructure scaling period in the history of computing. This is exciting but comes with challenges: all of that infrastructure has to be managed, secured, scaled, made compliant, and cost effective. Legacy infrastructure tools weren&amp;rsquo;t built for this reality&amp;mdash;they add friction that slows progress or breaks it altogether.&lt;/p&gt;
&lt;p&gt;This reveals an important insight:&lt;/p&gt;
&lt;div style="text-align: center; font-size: 1.5em; font-style: italic; margin: 2em 0;"&gt;
The infrastructure required to build superintelligence demands superintelligence for infrastructure.
&lt;/div&gt;
&lt;p&gt;The systems being built today for superintelligence are already straining human platform teams to their limits and yet we&amp;rsquo;re still only just getting started. To succeed, we will have no choice but to use AI itself to help us manage the infrastructure scaling ahead on the path to superintelligence.&lt;/p&gt;
&lt;p&gt;Superintelligence demands more infrastructure, which demands superintelligent approaches to managing and scaling that infrastructure, which leads to faster progress towards superintelligence.&lt;/p&gt;
&lt;p&gt;We call this the &lt;em&gt;superintelligence flywheel&lt;/em&gt;.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id="the-flywheel-defined"&gt;The Flywheel Defined&lt;/h2&gt;
&lt;p&gt;The superintelligence flywheel describes a self-reinforcing cycle between two forces:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.pulumi.com/product/superintelligence-infrastructure/"&gt;Superintelligence Infrastructure&lt;/a&gt;&lt;/strong&gt;: The massively distributed compute, storage, networking, and orchestration systems required to train and serve frontier AI models.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Infrastructure Superintelligence&lt;/strong&gt;: AI systems capable of managing infrastructure with increasing autonomy. These systems handle the full spectrum of infrastructure automation, from provisioning to securing to evolving and scaling entire environments.&lt;/p&gt;
&lt;p&gt;These reinforce one another. As AI infrastructure grows more complex, human teams will increasingly use AI to manage it. This affects all of us: frontier labs, technology innovators, and enterprises modernizing their products and workforces with an AI-first mindset. Infrastructure agents are simply a requirement for all of us in this new world.&lt;/p&gt;
&lt;p&gt;The flywheel accelerates.&lt;/p&gt;
&lt;p&gt;&lt;img src="flywheel.svg" alt="The Superintelligence Flywheel"&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id="the-technical-reality"&gt;The Technical Reality&lt;/h2&gt;
&lt;p&gt;Frontier labs have the most extreme requirements, but everybody else is somewhere on the curve. You don&amp;rsquo;t have to be training GPT-5 to feel this pressure. If you&amp;rsquo;re deploying fine-tuned models, running inference at scale, or just trying to keep up with AI-assisted developers shipping faster&amp;mdash;you&amp;rsquo;re on the same curve, just earlier. To stay competitive and innovative in this new era, access to infrastructure needs to be democratized and inherently automation- and experimentation-friendly.&lt;/p&gt;
&lt;p&gt;This can be seen most vividly with frontier lab-scale infrastructure challenges:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Training&lt;/strong&gt; starts with data preparation. Petabytes of data turns into trillions of curated tokens across thousands of CPU cores. Pre-training runs massive GPU clusters hot for months, at a scale where hardware failures are statistical certainties. Checkpoint management, gradient synchronization, and fault-tolerant scheduling become first-order concerns. Fine-tuning and reinforcement learning add even more coordination complexity: synthetic data generation, AI judges, multiple model copies running simultaneously in tightly coupled loops, hundreds of experiment variants, infrastructure that scales elastically as experiments converge or diverge.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Inference&lt;/strong&gt; means serving models to an ever-elastic sea of users across massive GPU fleets, many clouds, and distributed globally. ChatGPT, for instance, handles over 2.5 billion queries per day with sub-second time-to-first-token expectations. Traffic patterns shift by geography, time, and viral adoption, and the software must be ready to react. The difference between good and poor GPU utilization at this scale can make or break the user experience and the bank.&lt;/p&gt;
&lt;p&gt;These examples share three properties that break traditional infrastructure approaches:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Massive scale&lt;/strong&gt;: Thousands or millions of coordinated resources with complex architectures across multiple regions and cloud providers.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Extreme dynamism&lt;/strong&gt;: Infrastructure that must spin up, reallocate, and tear down continuously based on job requirements, spot pricing, capacity availability, and failures.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Velocity beyond human capacity&lt;/strong&gt;: Infrastructure changes that occur faster than human operators can review, approve, and execute manually, often initiated by AI agents.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Of course, even smaller scale examples share these challenges. Whether you&amp;rsquo;re using AWS SageMaker or Google Vertex AI to fine-tune models for your enterprise, building out your data engineering function to train custom models, or moving your first ML workloads to production&amp;mdash;these infrastructure demands become relevant as you scale.&lt;/p&gt;
&lt;p&gt;AI-assisted software development tools are making engineers dramatically more productive. Developers are shipping more code than ever before. But unlike software engineering, legacy infrastructure practices lack inherent guardrails to enable AI-assisted infrastructure engineering: linters, static analysis, testing frameworks, canaries, staged rollouts. The tooling that worked when humans were the limiting factor won&amp;rsquo;t work when AI agents are generating and deploying infrastructure code at machine speed.&lt;/p&gt;
&lt;h3 id="infrastructure-fungibility-the-holy-grail"&gt;Infrastructure Fungibility: The Holy Grail&lt;/h3&gt;
&lt;p&gt;Instead of treating each use case as a special snowflake, the holy grail is infrastructure fungibility across many clouds. In this world, infrastructure is dynamically allocated based on availability, demand, and data locality. Inference gets served based on current user demand. Experiments get capacity when it&amp;rsquo;s available. Long-horizon training runs on whatever&amp;rsquo;s left over.&lt;/p&gt;
&lt;p&gt;This is extraordinarily difficult. But without it, the costs compound: researchers waiting for capacity, GPU-hours sitting idle between workloads, time delays that let competitors ship first. At frontier scale, even small inefficiencies translate to tens of millions of dollars.&lt;/p&gt;
&lt;p&gt;This level of dynamism can&amp;rsquo;t be managed by humans watching dashboards and approving PRs. The infrastructure itself needs to become intelligent&amp;mdash;capable of planning, executing, and adapting without waiting for human operators.&lt;/p&gt;
&lt;p&gt;The frontier labs building this have learned through direct experience. They have historically had to work around legacy infrastructure tools and slow-moving DevOps teams, taking matters into their own hands. As one infrastructure lead put it: &amp;ldquo;There are thirty people in the world that know how to do this right now.&amp;rdquo; It is time for this knowledge to spread faster, in the hands of platform teams, because everyone building with AI is running into some version of the same problem.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id="towards-a-superintelligence-platform"&gt;Towards a Superintelligence Platform&lt;/h2&gt;
&lt;p&gt;There are two foundations that form a cohesive superintelligence platform:&lt;/p&gt;
&lt;h3 id="foundation-1-pulumi-as-the-infrastructure-automation-substrate"&gt;Foundation #1: Pulumi as the Infrastructure Automation Substrate&lt;/h3&gt;
&lt;p&gt;We built Pulumi on three principles that are well-suited to the unique challenges of this era:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Infrastructure as code must be actual code.&lt;/strong&gt; Domain-specific languages and static configuration formats create a ceiling. Instead, standing on the shoulders of giants with real programming languages provides type systems, conditionals, loops, abstractions, package management, testing frameworks, and more. These capabilities facilitate &lt;em&gt;scale&lt;/em&gt;. Just as importantly, your team already knows Python, TypeScript, and Go&amp;mdash;why force them to learn yet another proprietary DSL and context-switch constantly between application code and infrastructure configuration?&lt;/p&gt;
&lt;p&gt;But there&amp;rsquo;s a deeper reason this matters now. LLMs have been trained on billions of lines of Python, TypeScript, and Go, and deeply understand how to code correctly. Infrastructure in real programming languages becomes infrastructure that AI systems can reason about, generate correctly, and modify safely. We call this an &amp;ldquo;LLM-sympathetic architecture&amp;rdquo;: by projecting cloud infrastructure into code space, LLMs can manipulate infrastructure through coding, something they are already superb at which ensures it can be done repeatably and correctly.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;One substrate across all of the clouds.&lt;/strong&gt; Every cloud, every SaaS provider. Frontier labs run training jobs wherever capacity exists: AWS, Azure, Google Cloud, Oracle Cloud, CoreWeave, Lambda Labs. GPU availability is the constraint; cloud provider preference is now secondary.&lt;/p&gt;
&lt;p&gt;A single lab may prefer to train on CoreWeave, overflow to AWS when spot capacity becomes available, and tap Google Cloud when the reservations in other cloud providers are used up. Inference deployments span every region where users exist, across whichever providers offer the best latency and cost characteristics.&lt;/p&gt;
&lt;p&gt;Infrastructure platforms that aren’t inherently multi-cloud simply can&amp;rsquo;t serve these requirements, forcing teams to adopt many fragmented tools and workflows. A platform for the superintelligence era simply must treat multi-cloud as a given with unified resource management, policy enforcement, and state tracking across all providers.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Agent-ready architecture.&lt;/strong&gt; Human-in-the-loop infrastructure management doesn&amp;rsquo;t scale to the velocity of the new era. The path forward is progressive autonomy: AI agents that operate infrastructure with increasing independence, bounded by human-defined policies and guardrails.&lt;/p&gt;
&lt;p&gt;This requires platforms designed for agent interaction from the ground up, with APIs agents can invoke, state they can reason about, policies that define boundaries, audit trails that maintain accountability. The infrastructure platform becomes the substrate on which agents operate. Infrastructure as code, it turns out, is already very good at this thanks to its declarative core.&lt;/p&gt;
&lt;h3 id="foundation-2-neo-as-the-agentic-layer"&gt;Foundation #2: Neo as the Agentic Layer&lt;/h3&gt;
&lt;p&gt;If managing superintelligence scale infrastructure requires AI agents that can handle infrastructure automation, the critical question is: what should those agents look like?&lt;/p&gt;
&lt;p&gt;Neo is our answer. Neo is an AI agent that operates infrastructure like a senior platform engineer, built on top of Pulumi&amp;rsquo;s foundation. Because Pulumi already provides the guardrails that software engineering takes for granted&amp;mdash;previews, policy enforcement, state tracking&amp;mdash;Neo can handle infrastructure tasks automatically while validating changes before they hit production.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Uniquely enabled by infrastructure as code&lt;/strong&gt;. Neo operates on infrastructure code, not opaque configurations or cloud APIs directly. Even for resources not yet managed by Pulumi, Neo seamlessly imports them under code management before making changes. Every action flows through version control, policy checks, and state tracking. This ensures the underlying LLM’s coding smarts apply to infrastructure changes.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Built for progressive autonomy&lt;/strong&gt;. Organizations configure Neo&amp;rsquo;s independence by environment and task type. Dev environments might permit fully autonomous operation&amp;mdash;daily waste cleanup, weekly drift reconciliation&amp;mdash;while production changes may require human approval. When Neo encounters unexpected state or errors, it can self-diagnose or loop in a human for assistance as needed. As confidence builds, the autonomy boundary expands, towards full autonomy.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Inherently understands and respects guardrails.&lt;/strong&gt; The same velocity that creates opportunity creates risk. An agent that can provision 1,000 resources can also misconfigure 1,000 resources. Pulumi&amp;rsquo;s infrastructure as code foundation provides the safety mechanisms software engineering takes for granted: previews before deployment, policy as code enforcement, audit trails, human-in-the-loop approvals, and organizational best practices encoded in components. Just as you wouldn&amp;rsquo;t ship code without version control, you shouldn&amp;rsquo;t let AI manage infrastructure without these guardrails.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Agentically automate anything&lt;/strong&gt;: Give Neo a prompt like &amp;ldquo;Provision a PyTorch training environment for LoRA fine-tuning on GKE with 50 A100s using Nvidia&amp;rsquo;s GPU Operator and Kueue&amp;mdash;then run a smoke test.&amp;rdquo; Neo generates the project, previews changes, provisions everything, verifies it works. Days become minutes. It&amp;rsquo;s not just for new infrastructure: one customer used Neo to tackle 300,000+ policy violations&amp;mdash;work they estimated would take years is now done in weeks.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Frontier models plus infrastructure smarts&lt;/strong&gt;: Neo builds on a mixture of frontier models while incorporating nearly a decade of infrastructure expertise. Neo benefits from Pulumi’s nearly one billion deployments, hundreds of thousands of AI interactions and known-to-be-working code examples, and many petabytes of semantically-understood, anonymized infrastructure metadata. This foundation is something that no other company in the world has at their disposal.&lt;/p&gt;
&lt;h3 id="pulumi--neo-the-superintelligence-platform"&gt;Pulumi + Neo: The Superintelligence Platform&lt;/h3&gt;
&lt;p&gt;Pulumi without Neo is already a powerful infrastructure platform&amp;mdash;but one that still requires human operators for every change. Neo without Pulumi would never be production-ready, as it would lack the cloud-to-code projection and guardrails that make Neo so good. Together, humans define intent and policy, and intelligent agents handle execution with autonomy.&lt;/p&gt;
&lt;p&gt;This is the foundation for setting the superintelligence flywheel in motion.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id="evidence-at-scale"&gt;Evidence at Scale&lt;/h2&gt;
&lt;p&gt;The flywheel isn’t theoretical. We&amp;rsquo;re facilitating it daily with thousands of customers:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Hyper-scale&lt;/strong&gt;: &lt;a href="https://www.pulumi.com/case-studies/wiz/"&gt;Wiz&lt;/a&gt; manages over one million cloud resources across tens of thousands of Kubernetes clusters in hundreds of data centers across every cloud provider imaginable. They do hundreds of thousands of updates daily across thousands of Kubernetes clusters, leading to 5x faster customer onboarding and entering new markets in days rather than months. They treat infrastructure provisioning as just another service in their distributed system.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Infrastructure democratization&lt;/strong&gt;: &lt;a href="https://www.pulumi.com/case-studies/supabase/"&gt;Supabase&lt;/a&gt; achieved the infrastructure velocity needed to keep up with the AI era’s demand for their own product, empowering 20x more teammates to scale infrastructure in TypeScript, the same language as their application code, rather than proprietary DSLs that nobody understood. New regions deploy in about a week, with 43,000 new databases daily and 100,000+ API calls per second. According to their platform team, now thanks to Pulumi, &amp;ldquo;the infrastructure team acts as groundkeepers, not gatekeepers.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Frontier science&lt;/strong&gt;: We manage infrastructure for organizations including NVIDIA and multiple frontier labs building the models that will define the next decade. The scale requirements for these workloads exceed any we&amp;rsquo;ve ever seen and are only getting bigger. Just as many customers democratize infrastructure for their developers, we&amp;rsquo;re seeing frontier labs use Pulumi to accelerate getting science into production with self-service infrastructure for AI researchers.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id="the-superintelligence-flywheel-is-in-motion"&gt;The Superintelligence Flywheel is in Motion&lt;/h2&gt;
&lt;p&gt;AI is driving the largest infrastructure buildout in history—whether you&amp;rsquo;re training frontier models or deploying your first ML workloads to production. That complexity demands intelligent agents. Organizations that embrace this—building infrastructure for AI while using AI for infrastructure—will define the next era of computing.&lt;/p&gt;
&lt;p&gt;The superintelligence flywheel is spinning fast, and it’s only going to get faster from here.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;&lt;em&gt;Pulumi provides the infrastructure platform for the superintelligence era: infrastructure as code in general-purpose languages, unified multi-cloud management, and Neo for progressive infrastructure autonomy.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.pulumi.com/product/neo"&gt;&lt;em&gt;Pulumi Neo&lt;/em&gt;&lt;/a&gt; ・ &lt;a href="https://www.pulumi.com/product/superintelligence-infrastructure/"&gt;&lt;em&gt;Superintelligence Infrastructure&lt;/em&gt;&lt;/a&gt; ・ &lt;a href="https://www.pulumi.com/case-studies"&gt;&lt;em&gt;Case Studies&lt;/em&gt;&lt;/a&gt; ・ &lt;a href="https://www.pulumi.com/contact"&gt;&lt;em&gt;Contact&lt;/em&gt;&lt;/a&gt;&lt;/p&gt;</description><author>Joe Duffy</author><category>superintelligence</category><category>pulumi-neo</category><category>infrastructure-as-code</category></item><item><title>AI Predictions for 2026: A DevOps Engineer's Guide</title><link>https://www.pulumi.com/blog/ai-predictions-2026-devops-guide/</link><pubDate>Thu, 11 Dec 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/ai-predictions-2026-devops-guide/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/ai-predictions-2026-devops-guide/index.png" /&gt;
&lt;p&gt;The IDE is dying, and so is tool calling. OpenAI is not going to win. And next year, you&amp;rsquo;re going to be shipping code that you&amp;rsquo;ve never reviewed before, even as an experienced engineer.&lt;/p&gt;
&lt;p&gt;These are bold claims, but the way we use AI in 2026 for coding and agents is going to look completely different. In this post, I want to cover my predictions and why they matter right now for DevOps engineers. Some of these are definitely hot takes, but that&amp;rsquo;s what makes this conversation worth having.&lt;/p&gt;
&lt;h2 id="ides-are-dead-at-least-as-we-know-them"&gt;IDEs are dead (at least as we know them)&lt;/h2&gt;
&lt;p&gt;Traditional IDEs where the code is the focus of the interface are simply going to become irrelevant. We&amp;rsquo;re moving toward agent manager interfaces where we can kick off agents in parallel to work on different features in a codebase or even work on different projects at the exact same time.&lt;/p&gt;
&lt;p&gt;We&amp;rsquo;re already seeing this transition. &lt;a href="https://developers.googleblog.com/en/build-with-google-antigravity-our-new-agentic-development-platform/"&gt;Google Antigravity&lt;/a&gt; combines a familiar AI-powered coding experience with a new agent-first interface. You can deploy agents that autonomously plan, execute, and verify complex tasks across your editor, terminal, and browser. &lt;a href="https://cursor.com/changelog/2-0"&gt;Cursor 2.0&lt;/a&gt; lets you run up to eight agents in parallel on a single prompt, using git worktrees or remote machines to prevent file conflicts. Each agent operates in its own isolated copy of your codebase.&lt;/p&gt;
&lt;p&gt;AWS validated this direction at &lt;a href="https://www.pulumi.com/blog/aws-reinvent-2025-roundup/"&gt;re:Invent 2025&lt;/a&gt; by announcing &amp;ldquo;frontier agents&amp;rdquo; including Kiro for autonomous coding, along with dedicated security and DevOps agents. These agents maintain state, log actions, operate with policy guardrails, and integrate directly with CI/CD pipelines.&lt;/p&gt;
&lt;p&gt;For infrastructure specifically, &lt;a href="https://www.pulumi.com/docs/ai/get-started/"&gt;Pulumi Neo&lt;/a&gt; represents this same shift. Instead of writing code or running CLI commands for every operation, you describe what you need in natural language and Neo handles the implementation. It works across your entire infrastructure, understanding dependencies and creating execution plans that go through pull requests for review.&lt;/p&gt;
&lt;p&gt;For DevOps engineers, this means your pipelines need to accommodate AI-generated code at scale. Multiple agents working simultaneously need isolated, reproducible environments. More generated code means more artifacts to track, version, and deploy.&lt;/p&gt;
&lt;h2 id="the-different-paths-to-ai-dominance"&gt;The different paths to AI dominance&lt;/h2&gt;
&lt;p&gt;A lot of people think that in the future, a single large language model will have a monopoly and be the best at absolutely everything. But what&amp;rsquo;s really going to happen is different providers will specialize and focus on being the best at different things.&lt;/p&gt;
&lt;p&gt;Google is going down the generalist route with Gemini, aiming to be the jack-of-all-trades. Anthropic is focusing on being the best for coding. You can see this in the benchmarks: when Opus 4.5 came out, the first benchmark they highlighted was for software engineering, because that&amp;rsquo;s what Anthropic is focusing on.&lt;/p&gt;
&lt;p&gt;Amazon is carving out its own niche with the &lt;a href="https://www.aboutamazon.com/news/aws/aws-agentic-ai-amazon-bedrock-nova-models"&gt;Nova model family&lt;/a&gt;, announced at re:Invent 2025. The Nova 2 lineup includes specialized models: Pro for complex reasoning, Sonic for real-time voice conversations, and Omni for simultaneous text, audio, and video processing. With &lt;a href="https://www.pulumi.com/blog/aws-reinvent-2025-roundup/#rent-the-lab-nova-forge"&gt;Nova Forge&lt;/a&gt;, organizations can build custom frontier models by combining their proprietary data with AWS open weight models. The re:Invent message was clear: leveraging your first-party data is now fundamental to going beyond generic AI. We&amp;rsquo;re talking about 30-40% increases in accuracy when you bring your own data into the equation.&lt;/p&gt;
&lt;p&gt;But here&amp;rsquo;s the hot take: I don&amp;rsquo;t think OpenAI is going to come out on top with any kind of specialization. They&amp;rsquo;ve &lt;a href="https://garymarcus.substack.com/p/gpt-5-overdue-overhyped-and-underwhelming"&gt;disappointed time and time again&lt;/a&gt; with GPT-5 and GPT-4.5. With 4.5, they seemed to try to be the creative specialist, but it just didn&amp;rsquo;t work. The &lt;a href="https://www.axios.com/2025/08/12/gpt-5-bumpy-launch-openai"&gt;GPT-5 launch in August 2025&lt;/a&gt; was described as &amp;ldquo;barely better than last month&amp;rsquo;s flavor of the month&amp;rdquo; and on some metrics it&amp;rsquo;s actually worse than earlier models.&lt;/p&gt;
&lt;p&gt;For DevOps teams, this specialization means you&amp;rsquo;ll need infrastructure that&amp;rsquo;s model-agnostic and supports multiple AI backends. Plan for secrets management across multiple LLM providers and design your systems to swap models based on the task at hand.&lt;/p&gt;
&lt;h2 id="the-local-ai-breakthrough"&gt;The local AI breakthrough&lt;/h2&gt;
&lt;p&gt;2026 will be the year of local AI. We didn&amp;rsquo;t see that much this year besides DeepSeek at the start of 2025, which was a big deal. We had a couple of new models like Qwen 3, but nothing that fundamentally changed the game. Now we&amp;rsquo;re starting to see new hardware that makes it obvious we&amp;rsquo;re going to be able to run very large models on smaller devices.&lt;/p&gt;
&lt;p&gt;There&amp;rsquo;s new AI chips that can run upwards of 120 billion parameter large language models on the edge, which would be a complete game-changer. Right now, hardware requirements are one of the biggest challenges for scaling local AI. If we can solve the hardware problem, we get 100% data privacy and zero-millisecond latency for our agents.&lt;/p&gt;
&lt;p&gt;AWS is addressing this with &lt;a href="https://techcrunch.com/2025/12/02/amazon-releases-an-impressive-new-ai-chip-and-teases-a-nvidia-friendly-roadmap/"&gt;Trainium3 UltraServers&lt;/a&gt;, their 3nm AI chips delivering 4.4x more compute than the previous generation. More significantly, &lt;a href="https://www.geekwire.com/2025/amazon-unveils-frontier-agents-new-chips-and-private-ai-factories-in-aws-reinvent-rollout/"&gt;AWS AI Factories&lt;/a&gt; allow organizations to deploy racks of Trainium chips and NVIDIA GPUs directly into their own data centers, addressing data sovereignty concerns while keeping AI inference close to the data.&lt;/p&gt;
&lt;p&gt;For DevOps, this opens the door to zero-latency inference in CI/CD pipelines, complete data privacy for sensitive codebases, and reduced cloud costs for AI-heavy workloads.&lt;/p&gt;
&lt;h2 id="engineers-as-system-architects"&gt;Engineers as system architects&lt;/h2&gt;
&lt;p&gt;We&amp;rsquo;re finally going to get to the point where we&amp;rsquo;re not the coders. We delegate that entirely to our coding agents, and we become the system architects. This mirrors the evolution of other engineering disciplines. Civil engineers don&amp;rsquo;t fabricate the steel beams; they design the structure and verify the integrity.&lt;/p&gt;
&lt;p&gt;I think of this as a three-step process:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Define&lt;/strong&gt;: Set your objectives and the system that your agents will operate under&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Orchestrate&lt;/strong&gt;: Delegate the coding to your agents&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Validate&lt;/strong&gt;: Ensure the quality of the outputs and the overall system&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;We&amp;rsquo;re still in the loop. We are the final say in whatever is created, but we&amp;rsquo;re delegating the grunt work to our coding agents.&lt;/p&gt;
&lt;p&gt;This is exactly the model that &lt;a href="https://www.pulumi.com/docs/ai/tasks/"&gt;Pulumi Neo&lt;/a&gt; implements for infrastructure. When you give Neo a complex request, it creates a task plan outlining the steps it will take to accomplish your goal. This plan provides transparency into Neo&amp;rsquo;s approach and gives you the opportunity to adjust the strategy before execution begins. Neo operates in different modes: Review mode where everything requires approval, Balanced mode where only deployments need sign-off, or Auto mode for full autonomy. You define the boundaries, Neo orchestrates the work, and you validate through pull requests and previews.&lt;/p&gt;
&lt;p&gt;For DevOps engineers, this shift means building robust validation infrastructure becomes critical. When AI writes the code, you need automated testing pipelines, security scanning, and verification systems that can operate at the speed of AI-generated changes.&lt;/p&gt;
&lt;h2 id="code-execution-is-replacing-tool-calling"&gt;Code execution is replacing tool calling&lt;/h2&gt;
&lt;p&gt;Here&amp;rsquo;s a key insight that kept coming up at re:Invent: models are no longer the bottleneck. Context is. Our agents are going to change a lot next year because code execution is starting to replace tool calling. The problem with tool calling right now is that all the capabilities you give an agent take up context upfront. When you try to give a lot of different tools to an agent, you completely overwhelm it.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.anthropic.com/engineering/code-execution-with-mcp"&gt;Anthropic&amp;rsquo;s research on code execution with MCP&lt;/a&gt; addresses exactly this problem. Code execution is a massive token reduction, faster, and more flexible. You&amp;rsquo;re giving the agent the ability to generate its own capabilities at runtime by writing code to interact with APIs. A workflow that previously consumed about 150,000 tokens when tools were passed directly through the model was reimplemented with code execution and used only about 2,000 tokens. That&amp;rsquo;s a 98.7% reduction.&lt;/p&gt;
&lt;p&gt;AWS embraced this pattern with &lt;a href="https://www.aboutamazon.com/news/aws/amazon-sagemaker-ai-amazon-bedrock-aws-ai-agents"&gt;Amazon Bedrock AgentCore&lt;/a&gt;, which now includes code interpretation capabilities. AgentCore supports any agent framework (CrewAI, LangGraph, OpenAI SDK) and provides memory, browser tools, and observability features that make code execution practical at enterprise scale.&lt;/p&gt;
&lt;p&gt;For DevOps, this means you need sandboxed, secure execution environments for AI-generated code. Running agent-generated code requires appropriate isolation, resource limits, and monitoring.&lt;/p&gt;
&lt;h2 id="progressive-disclosure-and-composable-skills"&gt;Progressive disclosure and composable skills&lt;/h2&gt;
&lt;p&gt;The best part about code execution flexibility is it unlocks progressive disclosure. All I mean by that is: you have a lot of capabilities for an agent, but you don&amp;rsquo;t actually give all of them upfront. Instead, you allow the agent to discover capabilities and then leverage them in a more flexible way.&lt;/p&gt;
&lt;p&gt;For each capability, you just have a bit of metadata or description that loads upfront. When the agent decides to leverage that capability, then you load the full instructions. Now you can practically scale to infinity because all capabilities don&amp;rsquo;t have to be loaded at runtime.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.anthropic.com/engineering/equipping-agents-for-the-real-world-with-agent-skills"&gt;Claude Skills&lt;/a&gt; is a good example of this pattern. Skills are organized folders of instructions, scripts, and resources that agents can discover and load dynamically. At session start, the agent scans available skills and populates the system prompt with just a brief name and description (around 100 tokens). The full skill prompt loads only after Claude selects it, preventing context bloat while maintaining discoverability.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://kiro.dev/powers/"&gt;Kiro Powers&lt;/a&gt; addresses the same problem. Connecting five MCP servers can consume over 50,000 tokens, roughly 40% of an AI model&amp;rsquo;s context window, before you even type your first request. Powers bundle MCP servers, steering files, and hooks into units that load dynamically based on conversation context. Mention &amp;ldquo;payment&amp;rdquo; and the Stripe power activates. &lt;a href="https://venturebeat.com/ai/aws-launches-kiro-powers-with-stripe-figma-and-datadog-integrations-for-ai"&gt;Datadog, Figma, and others&lt;/a&gt; have powers available.&lt;/p&gt;
&lt;p&gt;For DevOps, this translates to modular infrastructure definitions, on-demand capability loading, and efficient resource utilization. Think about how you can apply this pattern to your own automation.&lt;/p&gt;
&lt;h2 id="agent-to-agent-protocols-are-finally-happening"&gt;Agent-to-agent protocols are finally happening&lt;/h2&gt;
&lt;p&gt;Agent-to-agent protocols are where AI agents operate in a peer network, discover each other&amp;rsquo;s capabilities in real time, and interact autonomously. When Google released their &lt;a href="https://developers.googleblog.com/en/a2a-a-new-era-of-agent-interoperability/"&gt;A2A protocol&lt;/a&gt; earlier this year, there was a ton of buzz. A lot of people thought it was going to be the next big standard, like the next MCP. But then it kind of fell to the wayside.&lt;/p&gt;
&lt;p&gt;The big reason is the chicken-and-egg problem. For A2A to be useful, you need many people to adopt it at the same time. Otherwise, if you build an A2A-compatible agent, it has no other agents to talk to. The whole value proposition is lost unless you already have a big network to attach to.&lt;/p&gt;
&lt;p&gt;But that&amp;rsquo;s finally changing. The &lt;a href="https://www.linuxfoundation.org/press/linux-foundation-launches-the-agent2agent-protocol-project-to-enable-secure-intelligent-communication-between-ai-agents"&gt;Linux Foundation launched the A2A project&lt;/a&gt; in June 2025, and adoption is accelerating. Adobe, Microsoft, SAP, ServiceNow, and S&amp;amp;P Global are all implementing A2A. In July 2025, Google released &lt;a href="https://cloud.google.com/blog/products/ai-machine-learning/agent2agent-protocol-is-getting-an-upgrade"&gt;version 0.3 of the A2A protocol&lt;/a&gt; with a more stable interface critical to accelerating enterprise adoption.&lt;/p&gt;
&lt;h2 id="machines-paying-machines"&gt;Machines paying machines&lt;/h2&gt;
&lt;p&gt;My next big prediction is that machines paying machines is going to become a very big thing. &lt;a href="https://www.coinbase.com/developer-platform/discover/launches/x402"&gt;Coinbase released the x402 protocol&lt;/a&gt; for exactly this: building AI agents that you expose over the internet but require payment whenever someone else interacts with them.&lt;/p&gt;
&lt;p&gt;This goes really well with agent-to-agent protocols. You can create a peer network where you monetize your agents. They all leverage each other but make payments whenever they take advantage of another agent&amp;rsquo;s capabilities. Cryptocurrency is the perfect solution for this kind of machine-to-machine network because it enables micropayments to be made quickly and globally.&lt;/p&gt;
&lt;p&gt;The x402 protocol has achieved &lt;a href="https://www.coingecko.com/learn/x402-autonomous-ai-agent-payment-coinbase"&gt;156,000 weekly transactions with 492% growth&lt;/a&gt; since launching in May 2025. It&amp;rsquo;s now integrated with &lt;a href="https://docs.cdp.coinbase.com/x402/welcome"&gt;Anthropic&amp;rsquo;s MCP Protocol&lt;/a&gt;, Google Gemini, OpenAI Codex, and other platforms. Stablecoins like USDC enable charging per request, per service, or per second of usage at near-zero transaction costs, enabling payments as low as $0.001 per request.&lt;/p&gt;
&lt;h2 id="artifact-reviews-instead-of-diff-reviews"&gt;Artifact reviews instead of diff reviews&lt;/h2&gt;
&lt;p&gt;When we want to do a rigorous code review, traditionally, we look line by line at all the changes. But coding agents are getting to the point where they can prove their code works through artifacts. Instead of reviewing line by line, we can look at browser recordings, full working demos of a backend API, and other artifacts.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://developers.googleblog.com/en/build-with-google-antigravity-our-new-agentic-development-platform/"&gt;Google Antigravity&lt;/a&gt; is a perfect example. As part of its coding process, it can autonomously spin up your website, visit it, scroll through it, take screenshots, and record everything. Agents generate artifacts, including tangible deliverables like task lists, implementation plans, screenshots, and browser recordings. You can verify the agent&amp;rsquo;s logic at a glance.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://aws.amazon.com/blogs/aws/build-reliable-ai-agents-for-ui-workflow-automation-with-amazon-nova-act-now-generally-available/"&gt;Amazon Nova Act&lt;/a&gt; takes this further. It enables AI agents to automate browser-based tasks like form filling, QA testing, and workflow validation with over 90% reliability. The service includes built-in observability through live viewing, CloudTrail logging, and session replay, making it possible to review what an agent actually did rather than parsing through code changes.&lt;/p&gt;
&lt;h2 id="shipping-code-youve-never-read"&gt;Shipping code you&amp;rsquo;ve never read&lt;/h2&gt;
&lt;p&gt;For the last prediction, we&amp;rsquo;re tying everything together. We&amp;rsquo;ve talked about reviewing artifacts instead of diffs, creating systems instead of coding, and the new capabilities for agents with code execution.&lt;/p&gt;
&lt;p&gt;We&amp;rsquo;re going to get to the point very quickly where we&amp;rsquo;re shipping code that we have never read before. And I&amp;rsquo;m not talking about people who vibe code. Even experienced engineers are going to trust their systems so much that they have the ability to review the code but they&amp;rsquo;re not going to. We&amp;rsquo;re just going to ship to production after reviewing the artifacts.&lt;/p&gt;
&lt;p&gt;I presented on this exact topic at &lt;a href="https://www.meetup.com/tel-aviv-pulumi-user-group/events/310498800/"&gt;the Tel Aviv Pulumi User Group meetup at Qodo HQ&lt;/a&gt; back in October, where I demonstrated how Pulumi Neo&amp;rsquo;s autonomous decision-making capabilities can handle infrastructure tasks that we traditionally managed manually. &lt;a href="https://www.qodo.ai/"&gt;Qodo&lt;/a&gt; is doing fascinating work in this space with their agentic development tools, building systems that let you trust the output without necessarily reviewing every line.&lt;/p&gt;
&lt;p&gt;I&amp;rsquo;m not saying we&amp;rsquo;re taking the human completely out of the loop. I&amp;rsquo;m saying we&amp;rsquo;re going to have a lot of trust in our systems and a validation process that includes us, but that doesn&amp;rsquo;t necessarily have to be us actually looking at the code. Tools like Pulumi Neo create pull requests with clear documentation of changes, run previews to validate infrastructure modifications, and provide the transparency needed to ship with confidence.&lt;/p&gt;
&lt;h2 id="the-path-forward"&gt;The path forward&lt;/h2&gt;
&lt;p&gt;The predictions I&amp;rsquo;ve outlined point to a fundamental shift in how software gets built and deployed. For DevOps engineers, this isn&amp;rsquo;t a threat but an opportunity to become more strategic and less operational. We&amp;rsquo;re entering the battle of the agentic frameworks, where the winners will be those who can build faster, cheaper agentic applications through their platforms.&lt;/p&gt;
&lt;p&gt;The immediate reality is that your CI/CD pipelines need to accommodate AI-generated code at scale, your secrets management needs to handle multiple LLM providers, and your execution environments need proper sandboxing for agent-generated code. These aren&amp;rsquo;t future concerns; they&amp;rsquo;re requirements for working effectively with the AI tools available today.&lt;/p&gt;
&lt;p&gt;Looking further out, the engineers who thrive will be those who embrace the system architect role. Define clear objectives and constraints for your AI agents. Build validation frameworks that can verify outcomes without requiring line-by-line code review. Design infrastructure that&amp;rsquo;s modular enough to load capabilities on demand.&lt;/p&gt;
&lt;p&gt;The technology to make this happen already exists. Agent orchestration platforms are shipping. Code execution is replacing tool calling. Progressive disclosure patterns are proven. The question isn&amp;rsquo;t whether these changes are coming; it&amp;rsquo;s whether you&amp;rsquo;ll be ready when they arrive.&lt;/p&gt;
&lt;h2 id="start-building-for-the-ai-driven-future-today"&gt;Start building for the AI-driven future today&lt;/h2&gt;
&lt;p&gt;If you want to experience what this future looks like right now, &lt;a href="https://www.pulumi.com/product/neo/#video"&gt;Pulumi Neo&lt;/a&gt; is the place to start. Neo lets you make natural language requests for routine infrastructure tasks, analysis, and management. Instead of writing code for every operation, you describe what you need, and Neo handles the implementation, creating task plans, running previews, and opening pull requests for your review.&lt;/p&gt;
&lt;p&gt;Whether you&amp;rsquo;re looking to update outdated resources across your infrastructure, analyze your cloud spend, or automate complex multi-step workflows, Neo provides the agent-first experience that&amp;rsquo;s defining the next generation of DevOps tooling.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/ai/get-started/"&gt;&lt;strong&gt;Get started with Pulumi Neo&lt;/strong&gt;&lt;/a&gt; and see how AI-powered infrastructure automation can transform your workflow.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Project&lt;/strong&gt;: &lt;a href="https://www.pulumi.com/blog/from-works-on-my-machine-to-production-ready-ai-agents-with-amazon-bedrock-agentcore/"&gt;Build a production-ready AI agent&lt;/a&gt; by moving from local prototypes to deployed infrastructure with Amazon Bedrock AgentCore, the Strands SDK, and Pulumi.&lt;/li&gt;
&lt;/ul&gt;</description><author>Engin Diri</author><category>ai</category><category>devops</category><category>platform-engineering</category><category>automation</category><category>aws</category><category>nova-forge</category><category>bedrock-agentcore</category><category>pulumi-neo</category></item><item><title>AWS built an integrated AI Agent training pipeline and they want you to rent it</title><link>https://www.pulumi.com/blog/aws-reinvent-2025-roundup/</link><pubDate>Wed, 10 Dec 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/aws-reinvent-2025-roundup/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/aws-reinvent-2025-roundup/index.png" /&gt;
&lt;p&gt;AWS re:Invent 2025 delivered a myriad of announcements across AI, silicon, and cloud infrastructure. AWS unveiled the expanded Nova model family, introduced Nova Forge for custom model training, launched Trainium3 UltraServers, and added major production features to AgentCore. It was a lot, and taken at face value, it looks like another scattershot year of big releases.&lt;/p&gt;
&lt;p&gt;But if you look past the firehose, a pattern emerges. These announcements fit together into a single bet about how enterprise AI will be built.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;AWS built a vertically integrated agent-training pipeline; it’s expensive, ambitious, and not for everyone.&lt;/strong&gt;&lt;/p&gt;
&lt;div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"&gt;
&lt;iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/M1OEOmqLz9s?rel=0?autoplay=0&amp;amp;controls=1&amp;amp;end=0&amp;amp;loop=0&amp;amp;mute=0&amp;amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"&gt;&lt;/iframe&gt;
&lt;/div&gt;
&lt;p&gt;The clearest place to see that pattern is in how AWS talked about the Nova models. AWS dropped four new foundation models (Lite, Pro, Sonic, Omni) spanning text, multimodal, and speech. And AWS downplayed benchmarks entirely. A hint that the models aren’t the real story.&lt;/p&gt;
&lt;p&gt;What AWS was really foregrounding wasn’t the models themselves, but the system used to shape them: Nova Forge.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Try it with Neo:&lt;/strong&gt; &lt;a href="https://app.pulumi.com/neo?prefer_signup=true&amp;amp;prompt=Show%20me%20how%20to%20use%20Pulumi%20in%20Python%20to%20set%20up%20AWS%20Bedrock%20permissions%20and%20call%20the%20Nova%202%20Pro%20model"&gt;Set up Nova 2 with Pulumi&lt;/a&gt;&lt;/p&gt;
&lt;h2 id="rent-the-lab-nova-forge"&gt;Rent the lab: Nova Forge&lt;/h2&gt;
&lt;p&gt;&lt;img src="training-stages.jpeg" alt="The LLM training pipeline: pre-training, SFT, RLHF, fine-tuning, narrowing down to prompt/context"&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://aws.amazon.com/nova/forge/"&gt;Nova Forge&lt;/a&gt; is a managed way to run continued pretraining, fine-tuning, and reward-based alignment on Amazon&amp;rsquo;s &lt;a href="https://aws.amazon.com/nova/"&gt;Nova&lt;/a&gt; models using your data and your reinforcement loops. Instead of a finished, frozen model plus a thin fine-tuning API, you feed your data into earlier training stages while AWS handles the ugly parts: large-scale training runs, cluster management, and hosting. Access is $100,000 per year&lt;sup id="fnref:1"&gt;&lt;a href="#fn:1" class="footnote-ref" role="doc-noteref"&gt;1&lt;/a&gt;&lt;/sup&gt;, plus compute costs!&lt;/p&gt;
&lt;p&gt;If you can afford that, you bring big proprietary datasets (code, tickets, logs, documents) and they keep doing next-token pretraining on a mix of their data and yours, then instruction tuning (SFT), then &amp;ldquo;RL-style&amp;rdquo; preference optimization, but with your data and your reward signals mixed in.&lt;/p&gt;
&lt;p&gt;Why does this exist? Because the kind of training this enables is usually out of reach. Training a GPT-4-class frontier model from scratch runs tens of millions to $100M+ in compute alone&lt;sup id="fnref:2"&gt;&lt;a href="#fn:2" class="footnote-ref" role="doc-noteref"&gt;2&lt;/a&gt;&lt;/sup&gt;. You don&amp;rsquo;t own the weights and you&amp;rsquo;re locked into their stack, but you get frontier-level capabilities with your data baked in, without building datacenters or staffing ML teams.&lt;/p&gt;
&lt;p&gt;Think of it as frontier-lab-as-a-service. No one else offers anything this close to a public, end-to-end training pipeline. And the only reason AWS can offer it is the next announcement.&lt;/p&gt;
&lt;h2 id="the-margin-weapon-trainium"&gt;The margin weapon: Trainium&lt;/h2&gt;
&lt;figure style="width: 40%; float: right; margin-left: 20px; margin-bottom: 10px;"&gt;
&lt;img src="trainium-flywheel.jpeg" alt="The Trainium flywheel: cheaper training leads to more custom models, more inference revenue, funding the next chip"&gt;
&lt;figcaption&gt;&lt;i&gt;The idealized Trainium flywheel: each generation should decrease training costs.&lt;/i&gt;&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;AWS built its own AI accelerator so it doesn&amp;rsquo;t have to live entirely on NVIDIA. Trainium is that chip. You don&amp;rsquo;t buy it; you rent it as a cloud box. This year: their third-gen chip (Trainium3) and new rack-scale &lt;code&gt;Trn3 UltraServers&lt;/code&gt; are out, with 4× the performance and big energy/cost gains over the previous gen, positioned as a serious alternative to high-end GPUs for training and serving big models.&lt;/p&gt;
&lt;p&gt;I&amp;rsquo;m sure one reason for Trainium&amp;rsquo;s is that AWS wants to stop handing NVIDIA half its AI training revenue. But the real story is bigger than cost-cutting. Trainium is the quiet machinery that makes AWS&amp;rsquo;s model-factory ambitions economically viable. You can only rent a frontier training pipeline if you can afford it, and Trainium makes it cheaper (if that word applies to six-figure entry costs).&lt;/p&gt;
&lt;p&gt;Trainium is what turns Forge from a one-off experiment into an actual development pipeline. By compressing the marginal cost of each training cycle, AWS is trying to make iterative specialization economically viable. You can tune, test, and retrain until you converge on something useful.&lt;/p&gt;
&lt;p&gt;AWS is clearly positioning Trainium3 to anchor a fully vertical stack&lt;/p&gt;
&lt;div class="note note-info" style="display: block;"&gt;
&lt;p&gt;&lt;b&gt;Spinning up a Trainium instance with Pulumi (where available):&lt;/b&gt;&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;pulumi_aws&lt;/span&gt; &lt;span class="k"&gt;as&lt;/span&gt; &lt;span class="nn"&gt;aws&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# Assumes: ami, subnet, security_group already configured&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;trn1_instance&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;aws&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;ec2&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Instance&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;trn1-instance&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;instance_type&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;trn1.2xlarge&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;ami&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;ami&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;id&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;subnet_id&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;subnet&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;id&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;vpc_security_group_ids&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;security_group&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;id&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;associate_public_ip_address&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="kc"&gt;True&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;tags&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;Name&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;trn1-training-instance&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;a href="https://app.pulumi.com/neo?prefer_signup=true&amp;prompt=Show%20me%20how%20to%20use%20Pulumi%20in%20Python%20to%20provision%20AWS%20Trn1%20EC2%20instances%20for%20ML%20training"&gt;Try it with Neo: Provision Trainium instances&lt;/a&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;h2 id="the-data-moat-play"&gt;The data moat play&lt;/h2&gt;
&lt;p&gt;For most companies, this whole stack is overkill. If your AI roadmap is “add a chatbot and maybe summarize some tickets,” you don’t need Nova Forge, and you definitely don’t need Trainium. Hosted models plus RAG and an Agentic loop will get you 90% of the way there.&lt;/p&gt;
&lt;p&gt;But this type of training is powerful, and it&amp;rsquo;s never been in reach to so many. If LLMs behave like the distributions they&amp;rsquo;re trained on, then getting your proprietary mess (logs, incident reports, claims histories, deal flows, call transcripts) into the core training loop means the model doesn&amp;rsquo;t just know your docs; it behaves like someone who&amp;rsquo;s lived inside your systems. That’s qualitatively different from “we stuffed a PDF into the context window.”&lt;/p&gt;
&lt;p&gt;Latency and cost at scale matter too. For high-volume workflows like support triage, routing, code review, and fraud checks, &amp;ldquo;generic frontier model + giant prompt + RAG + tools&amp;rdquo; is slow and expensive. A smaller model that has your world baked into the weights can run with smaller contexts, simpler prompts, and fewer tool calls. And then there is reinforcement learning, which I&amp;rsquo;ll get to shortly.&lt;/p&gt;
&lt;p&gt;But even if you get that far, a custom Nova model sitting in Bedrock is only half the story. You still need somewhere for it to act: a runtime, tools, policies, and an audit trail. That’s the gap AgentCore is meant to fill.&lt;/p&gt;
&lt;h2 id="where-the-models-work-agentcore"&gt;Where the models work: AgentCore&lt;/h2&gt;
&lt;figure style="width: 40%; float: right; margin-left: 20px; margin-bottom: 10px;"&gt;
&lt;img src="agentcore-blocks.jpeg" alt="AgentCore components as Lego blocks: Runtime, Memory, Policy, Evals"&gt;
&lt;figcaption&gt;&lt;i&gt;AgentCore: building blocks so you don't have to wire agents from scratch.&lt;/i&gt;&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;If Nova is the brain and Trainium is the muscle to build it, AgentCore is the nervous system.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://aws.amazon.com/bedrock/agentcore/"&gt;AgentCore&lt;/a&gt; is a managed runtime for AI agents: instead of you wiring LLMs, tools, memory, auth, and logging together on Lambda or Fargate, AWS gives you a sticky per-session microVM, a standard way to call tools (Gateway), built-in long- and short-term memory, identity/permissions, and observability/evals. You package your agent, deploy it as an AgentCore runtime, and AWS handles the ugly parts: session isolation, scaling, policy guardrails, and tracing. You pay Fargate-ish per-vCPU/GB-hour pricing for the runtime plus normal Bedrock token and tool-call costs.&lt;/p&gt;
&lt;p&gt;At re:Invent 2025, &lt;a href="https://aws.amazon.com/bedrock/agentcore/"&gt;AgentCore&lt;/a&gt; picked up the missing &amp;ldquo;production&amp;rdquo; pieces: &lt;strong&gt;Policy&lt;/strong&gt;, &lt;strong&gt;Evaluations&lt;/strong&gt;, and &lt;strong&gt;episodic Memory&lt;/strong&gt;. These handle guardrails, quality checks, and per-session state, so you don&amp;rsquo;t have to build them yourself.&lt;/p&gt;
&lt;div class="note note-info" style="display: block;"&gt;
&lt;p&gt;&lt;b&gt;Deploying an AgentCore runtime with Pulumi:&lt;/b&gt;&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;pulumi_aws&lt;/span&gt; &lt;span class="k"&gt;as&lt;/span&gt; &lt;span class="nn"&gt;aws&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# Assumes: role, ecr_repo already configured&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;agent_runtime&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;aws&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;bedrock&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;AgentcoreAgentRuntime&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;my-agent&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;agent_runtime_name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;my-agent-runtime&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;role_arn&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;role&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;arn&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;agent_runtime_artifact&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;container_configuration&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;container_uri&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;ecr_repo&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;repository_url&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s2"&gt;:latest&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;},&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;},&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;network_configuration&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;network_mode&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;PUBLIC&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;})&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;a href="https://app.pulumi.com/neo?prefer_signup=true&amp;prompt=Show%20me%20how%20to%20use%20Pulumi%20in%20Python%20to%20deploy%20an%20AWS%20Bedrock%20AgentCore%20runtime%20with%20IAM%20roles%20and%20ECR"&gt;Try it with Neo: Deploy an AgentCore runtime&lt;/a&gt; — &lt;i&gt;Requires a container image in ECR.&lt;/i&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;p&gt;How does this come together? AWS shipped a use case.&lt;/p&gt;
&lt;h2 id="the-proof-of-concept-nova-act"&gt;The proof of concept: Nova Act&lt;/h2&gt;
&lt;figure style="width: 40%; float: left; margin-right: 20px; margin-bottom: 10px;"&gt;
&lt;img src="aws-ai-stack.jpeg" alt="The AWS AI stack as a layer cake: Trainium at the bottom, Nova Forge, Bedrock, AgentCore on top"&gt;
&lt;figcaption&gt;&lt;i&gt;The AWS AI stack: vertically integrated from silicon to agent runtime. Nova Act uses the full stack.&lt;/i&gt;&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;Nova Act is the concrete example of this whole thing coming together. It handles browser-based UI automation: form filling, search-and-extract, QA testing. Amazon claims ~90% reliability. It deploys directly to AgentCore Runtime.&lt;/p&gt;
&lt;p&gt;It&amp;rsquo;s not &amp;ldquo;an LLM plus Playwright.&amp;rdquo; Nova Act uses a specialized Nova 2 Lite variant trained on synthetic &amp;ldquo;web gym&amp;rdquo; environments: browser simulations that mirror enterprise UIs and provide an automatic reward signal when tasks are completed correctly. Instead of judging output quality, this model was trained on an RL loop that asks: Did the workflow succeed?&lt;/p&gt;
&lt;p&gt;That specialized model is wrapped in AgentCore. The platform handles isolation, scaling, logging, and guardrails, so Nova Act behaves like a production automation system rather than a brittle demo.&lt;/p&gt;
&lt;p&gt;Seen this way, Nova Act is Amazon’s reference implementation for a certain class of enterprise agents: start with a strong general model, specialize it through domain-specific RL in a controlled environment, and run it on AgentCore with tools and policies around it. It’s the pattern AWS expects customers to adopt.&lt;/p&gt;
&lt;h2 id="one-stack-to-rule-them-all"&gt;One stack to rule them all&lt;/h2&gt;
&lt;p&gt;So Nova Forge, Trainium, AgentCore, and Nova Act connect. Trainium lowers the cost of big training runs. Nova Forge lets enterprises plug their own data and rewards into those runs. AgentCore is where the resulting models act, with tools, memory, and policy guardrails. Nova Act shows the pattern in action: a domain-specialized Nova model, trained in a controlled loop, running as a production agent.&lt;/p&gt;
&lt;p&gt;Most enterprises still won’t choose this path. They don’t have the data, the reward loops, or the operational maturity to make early-stage training worthwhile.&lt;/p&gt;
&lt;p&gt;But AWS’s bet is that &lt;a href="https://www.pulumi.com/aws/#video"&gt;enterprise AI is moving past stock foundation models and generic chatbots&lt;/a&gt;. AWS is expecting a world of &lt;strong&gt;agents shaped by proprietary data and domain feedback&lt;/strong&gt;. Most companies won&amp;rsquo;t build the infrastructure to train and operate those agents, and so AWS is offering to rent them the whole pipeline.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Try it with Neo:&lt;/strong&gt; &lt;a href="https://app.pulumi.com/neo?prefer_signup=true&amp;amp;prompt=Create%20a%20Python%20Pulumi%20program%20that%20deploys%20an%20AWS%20Lambda%20function%20calling%20Bedrock%20Nova%20Pro%20and%20exposes%20it%20via%20API%20Gateway"&gt;Deploy a Bedrock-powered API with Pulumi&lt;/a&gt;&lt;/p&gt;
&lt;div class="footnotes" role="doc-endnotes"&gt;
&lt;hr&gt;
&lt;ol&gt;
&lt;li id="fn:1"&gt;
&lt;p&gt;CNBC reporting on Nova Forge pricing. &lt;a href="https://www.cnbc.com/2025/12/02/amazon-nova-forge-lets-clients-customize-ai-models-for-100000-a-year.html"&gt;Source&lt;/a&gt;&amp;#160;&lt;a href="#fnref:1" class="footnote-backref" role="doc-backlink"&gt;&amp;#x21a9;&amp;#xfe0e;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li id="fn:2"&gt;
&lt;p&gt;Sam Altman stated GPT-4 cost &amp;ldquo;more than $100 million&amp;rdquo; to train. &lt;a href="https://news.ycombinator.com/item?id=35971363"&gt;Source&lt;/a&gt;&amp;#160;&lt;a href="#fnref:2" class="footnote-backref" role="doc-backlink"&gt;&amp;#x21a9;&amp;#xfe0e;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;/div&gt;</description><author>Adam Gordon Bell</author><category>aws</category><category>nova-forge</category><category>bedrock-agentcore</category><category>reinvent</category></item><item><title>Platform Engineering: Evolution or Rebranding?</title><link>https://www.pulumi.com/blog/platform-eng-rebrand/</link><pubDate>Mon, 12 May 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/platform-eng-rebrand/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/platform-eng-rebrand/index.png" /&gt;
&lt;p&gt;2 Months ago, user &lt;a href="https://old.reddit.com/r/devops/comments/1izpca1/platform_engineering_fad/"&gt;&lt;code&gt;deacon91&lt;/code&gt;&lt;/a&gt;, after years of working in the industry has declared DevOps to be a dead end on Reddit&amp;rsquo;s &lt;code&gt;r/devops&lt;/code&gt;. And I&amp;rsquo;ve been thinking about his thoughts on the industry since then.&lt;/p&gt;
&lt;img src="Picyard_1746641886795.png" alt="crossroads photo" style="width:100%;" /&gt;
&lt;p&gt;His point was that DevOps, the breaking down of silos between development and operations, had been tried. We learned the lessons of this approach and need to do something better: Platform Engineering.&lt;/p&gt;
&lt;p&gt;And platform engineering has certainly emerged as a new hot area. But is it truly an evolutionary step toward a greater way of developing and operating software? Or is it, as others in that same Reddit group declare, merely a fad and a rebranding of existing ideas?&lt;/p&gt;
&lt;p&gt;That&amp;rsquo;s what I want to explore: is platform engineering a rebrand or a genuine evolution?&lt;/p&gt;
&lt;p&gt;Let&amp;rsquo;s start by summarizing the cynical case - that it&amp;rsquo;s merely a rebrand.&lt;/p&gt;
&lt;h2 id="the-rebrand-case"&gt;The Rebrand Case&lt;/h2&gt;
&lt;img src="Picyard_1746642618981.png" alt="There were fad chasers yesterday, there are fad chasers today, and there will be fad chasers tomorrow until the sun burns out" style="width:100%;" /&gt;
&lt;h3 id="title-drift"&gt;Title Drift&lt;/h3&gt;
&lt;p&gt;This title drift happens in many fields. Just as the garbage man becomes the sanitation worker so does the sysadmin becomes the DevOps engineer.&lt;/p&gt;
&lt;p&gt;This creates title inflation in our competitive industry. People who job-hop regularly update their LinkedIn profiles from &amp;ldquo;business analyst&amp;rdquo; to &amp;ldquo;product manager.&amp;rdquo; Meanwhile, the person who stays put for years might still be called a &amp;ldquo;programmer&amp;rdquo; while everyone around them becomes a &amp;ldquo;Staff-plus Senior Backend Engineer.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;That ops wizard who&amp;rsquo;s been at the same company for eight years? Still an &amp;ldquo;Operations Engineer.&amp;rdquo; Their friend who switches jobs every 18 months? Now a &amp;ldquo;Senior SRE&amp;rdquo; making 50% more money.&lt;/p&gt;
&lt;p&gt;Title drift becomes a self-reinforcing cycle. When the recruiter discovers that the best DevOps candidates now call themselves &amp;ldquo;Platform Engineers,&amp;rdquo; your company&amp;rsquo;s job postings change overnight—even if no one plans to build an actual platform.&lt;/p&gt;
&lt;p&gt;This is how you end up with people like &lt;code&gt;u/hajimenogio92&lt;/code&gt; doing the exact same sysadmin work they&amp;rsquo;ve always done, just with &amp;ldquo;Platform Engineer&amp;rdquo; on their LinkedIn profile.&lt;/p&gt;
&lt;p&gt;This is one aspect of what people mean why they say &amp;ldquo;platform engineering is just a rebrand.&amp;rdquo; The other thing they sometimes mean is that it&amp;rsquo;s a fad everyone is chasing.&lt;/p&gt;
&lt;h3 id="hype-cycle-reboot"&gt;Hype Cycle Reboot&lt;/h3&gt;
&lt;img src="Picyard_1746642250343.png" alt="There were fad chasers yesterday, there are fad chasers today, and there will be fad chasers tomorrow until the sun burns out" style="width:100%;" /&gt;
&lt;p&gt;Tech movements decay in predictable ways. Remember Extreme Programming? It began as a revolution to empower developers. Then it morphed into Agile, and in some places, into the 12 steps, 7 competencies, and many processes of SAFe.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;The Scaled Agile Framework® (SAFe®) is a set of organization and workflow patterns for implementing agile practices at enterprise scale.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Maybe SAFe makes sense for your work place, but it&amp;rsquo;s certainly a lot more complex than it&amp;rsquo;s root and this pattern is what skeptics see in platform engineering.&lt;/p&gt;
&lt;p&gt;DevOps started at grassroots conferences with a simple message: &amp;ldquo;Let&amp;rsquo;s tear down the wall between developers and operations.&amp;rdquo; But once it peaked, everyone scrambled to slap &amp;ldquo;DevOps&amp;rdquo; on whatever they were already doing. Just like companies today adding &amp;ldquo;AI&amp;rdquo; to their products.&lt;/p&gt;
&lt;p&gt;Eventually, the original movement gets so diluted that we need a fresh start. New terminology. New conferences. New keynote speakers recycling old ideas with updated slides. New vendors selling solutions to problems you didn&amp;rsquo;t know you had.&lt;/p&gt;
&lt;p&gt;In this view, platform engineering isn&amp;rsquo;t revolutionary—it&amp;rsquo;s just the next square on the buzzword bingo card. DevOps plateaued. SRE plateaued. The Kubernetes experts ran out of things to say. So the industry needed something new to hype.&lt;/p&gt;
&lt;p&gt;There&amp;rsquo;s some truth to this cynicism, but it blinds us to what platform engineering actually offers. More importantly, this view misses something crucial: where a platform approach succeeds, it reveals fundamental flaws in the original DevOps vision.&lt;/p&gt;
&lt;h2 id="the-case-for-evolution"&gt;The Case for Evolution&lt;/h2&gt;
&lt;img src="stickers.png" alt="laptop stickers" style="width:100%;" /&gt;
&lt;p&gt;The original DevOps movement introduced valuable ideas about breaking down silos and encouraging collaboration. However, its purest vision—where &amp;ldquo;everybody does everything&amp;rdquo;—faces practical limitations at scale.&lt;/p&gt;
&lt;p&gt;Totally cross-functional teams work well at small organizations but struggle when engineering teams grow beyond 20 people because:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;People naturally have different specializations and preferences&lt;/li&gt;
&lt;li&gt;Few individuals want to perform both development and operations roles&lt;/li&gt;
&lt;li&gt;Staying current on everything in your Ops and Dev stack is often unrealistic&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;But most importantly, as organizations grow, specializations natuarally emerge. Governance and corporate policies often force the issue. A platform team is one such specialization and a powerful one if done right.&lt;/p&gt;
&lt;p&gt;Instead of focusing on eliminating silos, it focuses on creating productive abstractions and interfaces between application teams and operating services. The platform functions as an abstraction layer (similar to how a database abstracts data storage), with dedicated teams treating it as a product with clear boundaries.&lt;/p&gt;
&lt;p&gt;This approach contradicts the original DevOps vision but represents a necessary evolution. Platform Engineering acknowledges inevitable organizational divisions while still enabling collaboration. It leverages skills and organizational workflows from application development and product management to build a way to operate software effectively.&lt;/p&gt;
&lt;h2 id="why-not-both"&gt;Why not both?&lt;/h2&gt;
&lt;img src="bingo.png" alt="buzzword bingo" style="width:100%;" /&gt;
&lt;p&gt;So yeah, title drift is a thing. And the hype cycle is real. But the idea of a dedicated team removing frictions by building tools and reusable abstractions is an idea that&amp;rsquo;s here to stay.&lt;/p&gt;
&lt;p&gt;In fact, it&amp;rsquo;s just a way to scale the principles inherent in the original ideas of DevOps. It may technically diverge from the literal principles of DevOps, but it is most definitely true to the spirit.&lt;/p&gt;
&lt;p&gt;At Pulumi, we see this evolution firsthand. Our most forward-looking users aren’t chasing titles—they’re building internal platforms that empower teams, reduce friction, and let developers focus on what matters most. That’s why we’re investing in &lt;a href="https://www.pulumi.com/blog/announcing-pulumi-idp/#platform-teams"&gt;platform team features&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Not because it’s trendy—but because, done well, it works. And I think that’s the insight &lt;code&gt;deacon91&lt;/code&gt; was getting at.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://info.pulumi.com/ebook/platform-engineering-iac-recommended-practices"&gt;&lt;strong&gt;Get a Free Platform Engineering Guide →&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;</description><author>Adam Gordon Bell</author><category>platform-engineering</category></item><item><title>Your Perfect Infrastructure May Not Be So Perfect</title><link>https://www.pulumi.com/blog/your-perfect-infrastructure/</link><pubDate>Mon, 16 Dec 2024 10:43:07 +0000</pubDate><guid>https://www.pulumi.com/blog/your-perfect-infrastructure/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/your-perfect-infrastructure/index.png" /&gt;
&lt;p&gt;&lt;strong&gt;Guest Article:&lt;/strong&gt; &lt;em&gt;Simen A. W. Olsen from &lt;a href="https://bjerk.io"&gt;Bjerk&lt;/a&gt;, is here to share his lessons learned on why designing the perfect architecture for your future needs might be a mistake&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;I remember standing in front of our engineering team in 2018, proudly presenting what I believed was the future-proof architectural design for our new distributed system. The diagrams were immaculate, the technology choices were cutting-edge, and the scalability patterns were ready for any possible future scenario.&lt;/p&gt;
&lt;p&gt;I was basically the Leonardo da Vinci of system design… if Leonardo had been really into Kubernetes and had a concerning addiction to coffee. But six months later, that “future-proof” architecture had become a constraint rather than an enabler, and my masterpiece was looking more like a finger painting done by a caffeinated raccoon.&lt;/p&gt;
&lt;p&gt;This experience taught me something crucial: trying to build the perfect system that anticipates every future need is often worse than creating a system designed to change quickly. It’s like trying to predict what your kid will want to be when they grow up and pre-buying all the necessary equipment. Congrats, you now own a space suit, a stethoscope, and a dragon costume — and they decided to become a software engineer anyway.&lt;/p&gt;
&lt;h2 id="the-over-planning"&gt;The Over-Planning&lt;/h2&gt;
&lt;p&gt;Many teams fall into a common trap: they try to design systems that anticipate every possible future requirement. This happens even in agile teams, where we convince ourselves we need to “get the architecture right” before we can start iterating. You know, because nothing says “agile” like spending three months in a room drawing boxes and arrows while muttering “microservices” under your breath like it’s a magic spell.&lt;/p&gt;
&lt;p&gt;In 2008, Netflix faced a choice: build the perfect data center that could handle all their anticipated future needs, or move to the cloud with a simpler architecture that could evolve. They chose the latter, focusing on making their system easy to change rather than trying to make it perfect. Smart move — unlike those my past self made who probably would’ve insisted on building a data center capable of streaming to Mars, just in case Elon asked nicely.&lt;/p&gt;
&lt;div class="note note-tip"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-lightbulb-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;
&lt;p&gt;&lt;strong&gt;You might also like:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://www.pulumi.com/blog/p3-some-assembly-required/"&gt;
Pulumi Patterns and Practices Platform (P3): Some Assembly Required
&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.pulumi.com/blog/pulumi-patterns-and-practices/"&gt;
Pulumi Patterns and Practices Platform (P3): A reference architecture for large-scale organizations
&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.pulumi.com/blog/next-level-iac-briding-the-declarative-gap/"&gt;
Next-level IaC: Bridging the Declarative Gap
&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="the-core-principles-of-change-ready-architecture"&gt;The Core Principles of Change-Ready Architecture&lt;/h2&gt;
&lt;p&gt;Through both failures and successes, I’ve identified three principles that define truly adaptable architecture:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Embrace simplicity.&lt;/strong&gt; I think it makes sense to start with the simplest architecture that could possibly work for your current needs. Complexity should be earned, not presumed. If your architecture diagram looks like a plate of spaghetti that’s been hit by lightning, you might be doing it wrong.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Make change cheap.&lt;/strong&gt; Instead of trying to avoid change, make it inexpensive. This means investing in automated testing, continuous deployment, and monitoring. When change is cheap, you don’t need to fear it.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Learn through action.&lt;/strong&gt; Rather than trying to predict the future, build mechanisms that help you learn quickly about real needs. It includes feature toggles (Protip: Try &lt;a href="https://www.getunleash.io/"&gt;Unleash&lt;/a&gt;.), A/B testing, and robust monitoring of how your system is actually being used. You know, actual data, not just what that one loud guy in planning insists will definitely happen.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The rise of AI and machine learning systems has made one thing clear: we can’t predict how our systems will need to evolve. The most successful teams aren’t those that try to build the perfect AI architecture upfront, but those that can rapidly experiment and adapt their systems based on real-world feedback.&lt;/p&gt;
&lt;p&gt;The biggest pushback I hear is, “But what if we need to scale?” or “What about future requirements?” These fears often drive teams to over-architect their solutions. But here’s the reality: the cost of changing a simple system is usually lower than the cost of maintaining an over-engineered one. The key is understanding that good architecture isn’t about predicting the future — it’s about making future changes as painless as possible.&lt;/p&gt;
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;That over-engineered system I was so proud of in 2018? Its most significant flaw wasn’t in what it got wrong about the future — it was that it tried too hard to be right about the future in the first place. It’s like bringing a fully packed suitcase to a first date. Today, I know that the best architecture isn’t one that anticipates every need, but one that makes it easy to respond to needs as they emerge.&lt;/p&gt;
&lt;p&gt;The next time you’re tempted to design for every possible future scenario, remember: the goal isn’t to build a perfect system, but to build one that’s perfectly easy to change. And if someone tells you they’ve designed the perfect future-proof architecture, they’re either lying, or they’ve discovered time travel — and in that case, they should be sharing lottery numbers, not system designs.&lt;/p&gt;
&lt;div class="note note-tip"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-lightbulb-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;
&lt;p&gt;&lt;strong&gt;You might also like:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://www.pulumi.com/blog/p3-some-assembly-required/"&gt;
Pulumi Patterns and Practices Platform (P3): Some Assembly Required
&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.pulumi.com/blog/pulumi-patterns-and-practices/"&gt;
Pulumi Patterns and Practices Platform (P3): A reference architecture for large-scale organizations
&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.pulumi.com/blog/next-level-iac-briding-the-declarative-gap/"&gt;
Next-level IaC: Bridging the Declarative Gap
&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;/div&gt;</description><author>Simen A. W. Olsen</author><category>architecture</category><category>developer-first-infrastructure</category><category>best-practices</category><category>cloud-engineering</category><category>cloud-deployment</category><category>developer-experience</category><category>people-ops</category><category>application-scalability</category></item><item><title>105 Ways to Run Containers: The Cloud Container Iceberg</title><link>https://www.pulumi.com/blog/cursed-container-iceberg/</link><pubDate>Tue, 03 Dec 2024 10:29:54 -0500</pubDate><guid>https://www.pulumi.com/blog/cursed-container-iceberg/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/cursed-container-iceberg/index.png" /&gt;
&lt;p&gt;If a computer can be connected to the internet, someone has tried to run a &lt;a href="https://www.pulumi.com/containers"&gt;container&lt;/a&gt; on it. From quantum computers to smart toasters, from phones in AWS racks to CI pipelines, there&amp;rsquo;s many ways to deploy containers. While most people only know about the mainstream cloud providers at the surface, there&amp;rsquo;s actually a vast world of increasingly unusual and specialized options beneath.&lt;/p&gt;
&lt;p&gt;This guide serves two purposes: to showcase the surprising breadth of container options available today, and to help you understand the full spectrum of choices – from practical to very experimental. Whether you&amp;rsquo;re looking for production-ready solutions or just curious about what&amp;rsquo;s out there in the dark depths, you&amp;rsquo;ll find something interesting here.&lt;/p&gt;
&lt;h2 id="constraints"&gt;Constraints&lt;/h2&gt;
&lt;p&gt;But first, we need ground rules for our container adventures. All listed items should:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Technically possible:&lt;/strong&gt; Must work today with existing tech, even if the setup makes you question your life choices.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Runs real containers:&lt;/strong&gt; OCI containers only. No JavaScript &amp;ldquo;containers&amp;rdquo; pretending to be the real thing.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Actually doable:&lt;/strong&gt; You can set this up right now with a laptop and a credit card. No theoretical schemes allowed.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;img src="iceberg.jpg" alt="Visual iceberg diagram titled &amp;ldquo;The Cloud Container Iceberg,&amp;rdquo; categorizing over 100 container platforms from mainstream options like EKS and GKE at the top to obscure and experimental environments like AWS Device Farm and Azure Quantum at the bottom."&gt;&lt;/p&gt;
&lt;h2 id="above-the-iceberg--the-usual-suspects"&gt;Above the iceberg – The usual suspects&lt;/h2&gt;
&lt;p&gt;These are the familiar faces of container orchestration—the ones you&amp;rsquo;d introduce to your parents. Reliable, well-documented, and about as exciting as watching paint dry.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Amazon Elastic Kubernetes Service (EKS)&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Amazon Elastic Container Service (ECS)&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AWS Fargate&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Azure Kubernetes Service (AKS)&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Google Kubernetes Engine (GKE)&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Google Cloud Run&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Amazon EC2&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AWS App Runner&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Azure App Service for Containers&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Google Compute Engine with Containers&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="on-the-iceberg--the-slightly-less-obvious"&gt;On the iceberg – The slightly less obvious&lt;/h2&gt;
&lt;p&gt;As we dip just below the surface, we find services like a rare B-side acoustic release from a big band. It&amp;rsquo;s not as mainstream but still a respectable choice for running your containers.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;AWS Elastic Beanstalk&lt;/strong&gt; – Deploy containers, debug YAML&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Amazon Lightsail Containers&lt;/strong&gt; – AWS with the guard rails on&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Azure Container Apps&lt;/strong&gt; – Serverless, but complicated&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Google App Engine Flexible Environment&lt;/strong&gt; – PaaS for Containerized Apps&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Azure Container Instances (ACI)&lt;/strong&gt; – Kubernetes without the chaos&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="the-kubernetes-multiverse--because-one-universe-of-k8s-wasnt-enough"&gt;The kubernetes multiverse – Because one Universe of k8s wasn&amp;rsquo;t enough&lt;/h2&gt;
&lt;p&gt;Diving deeper, we discover there&amp;rsquo;s an entire multiverse of regional and specialty K8s providers, helpfully cataloged &lt;a href="https://landscape.cncf.io/guide#platform--certified-kubernetes-hosted"&gt;by the CNCF&lt;/a&gt;. Think parallel universes, but instead of evil twins, you get slightly different container runtime implementations.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;The Global Titans&lt;/strong&gt; – The international tech giants couldn&amp;rsquo;t resist joining the K8s party: Huawei Cloud Container Engine, Tencent, and Baidu bring their own flavor of cloud-native orchestration to the mix. Add in Samsung, China Mobile KCS, JD Cloud, Inspur, and QingCloud, and you have enough options to start a diplomatic incident.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;The European Union of Containers&lt;/strong&gt; – Europeans take their container privacy seriously: IONOS and plusserver bring German engineering to K8s, OVH adds French flair, Exoscale offers Swiss precision, and STACKIT, SysEleven, WIIT, Gcore, and Previder ensure your containers comply with every possible EU regulation. Conoa Proact throws in some Swedish design principles for good measure.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;The Asia-Pacific Pod Party&lt;/strong&gt; – The APAC region isn&amp;rsquo;t missing out: NHN brings Korean optimization to your clusters, while ARDC Nectar and Catalyst let you run containers upside down in Australia and New Zealand. TKS Cloud Service ensures your containers can run anywhere from Tokyo to Tasmania.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;The Specialists&amp;rsquo; Society&lt;/strong&gt; – For when regular K8s isn&amp;rsquo;t quirky enough: OKESTRO VIOLA orchestrates your containers with musical flair, while Petasus, De Novo, Aruba, and Taikun provide enough specialty K8s options to ensure every cluster is a unique snowflake.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="below-the-water--kubernetes-everywhere--let-a-thousand-k8s-bloom"&gt;Below the water – Kubernetes everywhere – Let a thousand K8s bloom&lt;/h2&gt;
&lt;p&gt;Let&amp;rsquo;s plunge deeper. Because one Kubernetes cluster is never enough, why not sprinkle them everywhere? On-premises, in the cloud, under your desk—there&amp;rsquo;s a K8s solution for all that.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Amazon EKS Anywhere&lt;/strong&gt; – AWS container but in your own data center&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Amazon ECS Anywhere&lt;/strong&gt; – Like EKS Anywhere but ECS&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Azure Arc&lt;/strong&gt; – Hybrid cloud for masochists&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Google Anthos&lt;/strong&gt; – Hybrid cloud something something&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AWS Outposts&lt;/strong&gt; – AWS, now with hardware shipping delays&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Azure Red Hat OpenShift&lt;/strong&gt; – Azure but with a fedora&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;VMware Tanzu&lt;/strong&gt; – Because VMware heard you like Kubernetes&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Red Hat OpenShift&lt;/strong&gt; – Fedoras on AWS&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;IBM Cloud Kubernetes Service&lt;/strong&gt; – Kubernetes with a touch of enterprise nostalgia&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Oracle Container Engine for Kubernetes (OKE)&lt;/strong&gt; – For the brave souls trusting Oracle&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Alibaba Cloud Elastic Container Service (ACK)&lt;/strong&gt; – K8s with Chinese characteristics&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;DigitalOcean Kubernetes (DOKS)&lt;/strong&gt; – K8s in the ocean, hopefully no sharks&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Linode Kubernetes Engine (LKE)&lt;/strong&gt; – Lightweight K8s for the minimalist&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Vultr Kubernetes Engine (VKE)&lt;/strong&gt; – Yet another place to run your pods&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Scaleway Kapsule&lt;/strong&gt; – French elegance meets Kubernetes&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Hetzner Cloud Managed Kubernetes&lt;/strong&gt; – German engineering for your clusters&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Nutanix Karbon&lt;/strong&gt; - Because regular Kubernetes wasn&amp;rsquo;t converged enough&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Metal Stack Cloud Kubernetes&lt;/strong&gt; - For when virtual machines are too virtual&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="note note-tip"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-lightbulb-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;
&lt;p&gt;&lt;strong&gt;You might also like:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://www.pulumi.com/blog/unified-programmatic-approach-infrastructure-management-bmw-using-pulumi/"&gt;
Unified and Programmatic Approach to Infrastructure Management at BMW Using Pulumi
&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.pulumi.com/blog/docker-build/"&gt;
Introducing The New Docker Build Provider
&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.pulumi.com/blog/ecs-anywhere-launch/"&gt;
How to Use ECS Anywhere with Pulumi [Step-by-Step Guide]
&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="middle-of-the-iceberg--serverless-and-function-containers--now-you-see-me-now-you-dont"&gt;Middle of the iceberg – Serverless and function containers – Now you see me, now you don&amp;rsquo;t&lt;/h2&gt;
&lt;p&gt;As we descend to the depths, we find containers with commitment issues. They appear, do their job, and disappear.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;AWS Batch&lt;/strong&gt; – Containers that only work the night shift&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AWS Lambda&lt;/strong&gt; – Lambda&amp;rsquo;s containers for when a 250 MB zip file wasn&amp;rsquo;t enough baggage.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Azure Functions&lt;/strong&gt; – Roll your own functions in containers and hope for the best.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Google Cloud Functions&lt;/strong&gt; – Containers pretending to be functions, but now on Google Cloud.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Alibaba Function Compute&lt;/strong&gt; – You get the idea.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="bottom-of-the-iceberg--specialized-and-hybrid-platforms--the-swiss-army-knife-of-container-hosting"&gt;Bottom of the iceberg – Specialized and hybrid platforms – The swiss army knife of container hosting&lt;/h2&gt;
&lt;p&gt;Down here, containers run in ways that make people question your life choices. These platforms let you host containers in environments many fear to tread.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;AWS Proton&lt;/strong&gt; – Automate your deployments and run a container&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Azure Virtual Machines with Docker&lt;/strong&gt; – When you miss managing servers but love containers&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;IBM Cloud Code Engine&lt;/strong&gt; – Run anything, anywhere, if you can figure it out&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Alibaba Elastic Container Instance (ECI)&lt;/strong&gt; – Containers that disappear faster than you can say &amp;ldquo;Jack Ma&amp;rdquo;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="below-the-iceberg--containers-on-the-edge-of-reason"&gt;Below the iceberg – Containers on the edge of reason&lt;/h2&gt;
&lt;p&gt;In these lightless depths, you want your containers to live life on the edge—literally. Because nothing says &amp;ldquo;enterprise-ready&amp;rdquo; like running production workloads on a smart toaster.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;AWS IoT Greengrass&lt;/strong&gt; – Run AWS Lambda and Docker containers on everything from factory equipment to smart fridges. Nothing says &amp;ldquo;digital transformation&amp;rdquo; like your smart fridge running machine learning models.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Azure IoT Edge&lt;/strong&gt; – Like Greengrass, but only when your toaster prefers Windows updates.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AWS Snowball Edge&lt;/strong&gt; – For when &amp;lsquo;cloud migration&amp;rsquo; means paying FedEx to move your containers. Yes, it&amp;rsquo;s literally a box they mail you that can run containers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AWS Snowcone&lt;/strong&gt; – An even smaller box that runs just enough containers to make you appreciate your data center. Perfect for when you need AWS in places where AWS doesn&amp;rsquo;t want to build a region.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;BalenaCloud IoT Device Management&lt;/strong&gt; – A platform that lets you remotely deploy and manage containers on fleets of Raspberry Pis. Because nothing says &amp;ldquo;enterprise IoT&amp;rdquo; like running your production stack on $35 computers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Fly.io&lt;/strong&gt; – Global Edge Container Deployment, because apparently just picking one region was too simple.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Edge Node Service (Tencent Cloud)&lt;/strong&gt; – Edge deployment behind great firewall.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;StackPath Edge Computing&lt;/strong&gt; – More edge containers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Koyeb&lt;/strong&gt; – Serverless Edge containers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Platform.sh&lt;/strong&gt; – Multi-Cloud Edge containers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;StarlingX&lt;/strong&gt; - Edge computing platform for when 5G and IoT buzzwords aren&amp;rsquo;t enough&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;ZStack Edge&lt;/strong&gt; - Edge computing with Chinese characteristics, now at the edge of the network, too&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="the-abyss--where-containers-fear-to-tread"&gt;The abyss – Where containers fear to tread&lt;/h2&gt;
&lt;p&gt;And now we reach the darkest depths. For the bravest souls who look at conventional container platforms and think, &amp;ldquo;Not edgy enough.&amp;rdquo; Here lie the most unusual ways to run containers in production.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Amazon GameLift&lt;/strong&gt; – Run your containerized services disguised as game servers. High scores may apply.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AWS Device Farm&lt;/strong&gt; – Deploy containers on hundreds of actual phones in AWS racks. Perfect for when &amp;ldquo;mobile-first&amp;rdquo; goes too far.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AWS AppStream 2.0&lt;/strong&gt; – Stream Windows to run Docker to stream containers. It&amp;rsquo;s virtualization all the way down.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Google Cloud Dataflow&lt;/strong&gt; – Hide containerized services in pipeline steps named &amp;ldquo;daily_data_normalize_37&amp;rdquo;. Hope your SRE enjoys debugging ETL.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Google Cloud Composer&lt;/strong&gt; – Your containerized microservice masquerades as an Airflow DAG. Because nothing says reliability like cron.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Google Colab &amp;amp; Jupyter Notebooks&lt;/strong&gt; – Run containers in &lt;code&gt;data_preprocessing_step.ipynb&lt;/code&gt;. Watch ML teams debug production.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Azure Quantum&lt;/strong&gt; – Package quantum containers with &lt;code&gt;az quantum job submit&lt;/code&gt;. Now, your uptime is truly uncertain.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Azure Cognitive Services in Containers&lt;/strong&gt; – Offline AI containers that promise not to become self-aware. Terms and conditions may apply.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Azure DevTest Labs&lt;/strong&gt; – Run containerized test environments that self-destruct like Mission Impossible tapes. Perfect for when temporary becomes permanent.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="beyond-the-abyss"&gt;Beyond the abyss&lt;/h2&gt;
&lt;p&gt;There you have it, the container iceberg. And I didn&amp;rsquo;t even have room to add the extra cursed ways you can run containers. Here is some of what didn&amp;rsquo;t make it:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Cloud IDEs and Workspaces&lt;/strong&gt; – Want to turn your development environment into a sneaky container platform? Take your pick: GitHub Codespaces, GitPod for the GitLab enthusiasts, or Eclipse Che for the masochists who miss Eclipse crashing locally. JetBrains Space or Replit? All this lets you run a container until you close your browser tab.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;GitHub Actions et al.&lt;/strong&gt; – Ever wanted to run a production service disguised as a CI job? Just label your production API start-up script as &amp;ldquo;integration_test_step_42&amp;rdquo;, add a &lt;code&gt;sleep 21600&lt;/code&gt; and a call to retrigger itself, and hope nobody notices your &amp;ldquo;test&amp;rdquo; has been running for months. Apply this same trick to AWS CodeBuild, GitLab CI/CD, CircleCI, Azure Pipelines, Travis CI, Bitbucket Pipelines, Drone CI, Jenkins Cloud, TeamCity Cloud, and Google Cloud Build for Bonus points.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="managing-your-container-zoo-with-pulumi"&gt;Managing your container zoo with pulumi&lt;/h2&gt;
&lt;p&gt;Whether you&amp;rsquo;re deploying containers to mainstream cloud providers or attempting to run them on quantum computers (really, please let us know how that goes), Pulumi helps you manage it all with real code instead of config file soup. Our &lt;a href="https://www.pulumi.com/registry/packages/kubernetes/"&gt;Kubernetes support&lt;/a&gt; means you can wrangle your containers wherever they might roam – from AWS to Azure, GCP to Kubernetes, or even that smart toaster you&amp;rsquo;re eyeing for production deployment.&lt;/p&gt;
&lt;p&gt;With Pulumi, you get:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/registry/"&gt;Cloud-native container orchestration&lt;/a&gt; across all major platforms and Kubernetes distributions&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/iac/concepts/testing/"&gt;Infrastructure testing&lt;/a&gt; to ensure your containers deploy correctly (even in the weird places)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/pulumi-go-boilerplate-v2/"&gt;Provider templates&lt;/a&gt; for when you invent yet another way to run containers&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/concepts/stack/#stackreferences"&gt;Stack references&lt;/a&gt; for managing multiple environments without losing your mind&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/iac/packages-and-automation/automation-api/"&gt;Automation API&lt;/a&gt; for programmatically herding your container fleets&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Ready to bring some sanity to your container deployment strategy? Get started with Pulumi:&lt;/p&gt;
&lt;a
href="https://www.pulumi.com/docs/get-started/"
class="btn btn-outline"
&gt;
Try Pulumi for Free
&lt;/a&gt;
&lt;h2 id="the-final-word"&gt;The final word&lt;/h2&gt;
&lt;p&gt;At this point, &lt;strong&gt;105&lt;/strong&gt; options in, you might wonder: &amp;ldquo;Has cloud container hosting gone too far?&amp;rdquo; Well, I&amp;rsquo;ve a solution to propose:&lt;/p&gt;
&lt;p&gt;At Pulumi, we&amp;rsquo;ve got providers for &lt;a href="https://www.pulumi.com/registry/packages/aws/api-docs/provider/"&gt;all&lt;/a&gt; &lt;a href="https://www.pulumi.com/registry/packages/azure-native/"&gt;the&lt;/a&gt; &lt;a href="https://www.pulumi.com/registry/packages/gcp/"&gt;usual&lt;/a&gt; &lt;a href="https://www.pulumi.com/registry/packages/kubernetes/"&gt;suspects&lt;/a&gt; and, surprisingly, many more in this container circus. And if you&amp;rsquo;ve figured out how to run containers on a quantum computer inside a data pipeline in New Zealand, you can write &lt;a href="https://github.com/pulumi/pulumi-provider-boilerplate/"&gt;a provider&lt;/a&gt; for that, too.&lt;/p&gt;
&lt;p&gt;So, use Pulumi and we will figure out how &lt;em&gt;RedHat-Tanzu-Greengrass-Icecore-Device-Farm&lt;/em&gt; works and provide you a sane interface to it. You&amp;rsquo;ve got other things to worry about.&lt;/p&gt;</description><author>Adam Gordon Bell</author><category>kubernetes</category><category>containers</category><category>cloud-native</category><category>docker</category></item><item><title>Fargate vs EC2</title><link>https://www.pulumi.com/blog/fargate-vs-ec2/</link><pubDate>Mon, 18 Nov 2024 08:42:34 -0500</pubDate><guid>https://www.pulumi.com/blog/fargate-vs-ec2/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/fargate-vs-ec2/index.png" /&gt;
&lt;p&gt;Building an EKS cluster requires choosing how your containers will actually run - either on EC2 instances you manage or through AWS Fargate&amp;rsquo;s pod-by-pod approach. The differences can be pretty dramatic in practice. I&amp;rsquo;m setting up a demo cluster right now using Pulumi, so let me show you what I mean.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/fargate-vs-ec2/#bin-packing"&gt;Bin Packing&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/fargate-vs-ec2/#pros-and-cons"&gt;Pros and Cons&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/fargate-vs-ec2/#workload-example-static-analysis"&gt;Workload Example: Static Analysis&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/fargate-vs-ec2/#example-go-services-for-e-commerce"&gt;Example: Go Services for E-commerce&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/fargate-vs-ec2/#fargate-vs-ec2-pricing"&gt;Fargate vs EC2 Pricing&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/fargate-vs-ec2/#misconceptions-about-fargate"&gt;Misconceptions About Fargate&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/fargate-vs-ec2/#managing-container-orchestration-with-pulumi"&gt;Managing Container Orchestration with Pulumi&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/fargate-vs-ec2/#why-not-both"&gt;Why Not Both&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Here is my Fargate cluster:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;pulumi&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;pulumi_awsx&lt;/span&gt; &lt;span class="k"&gt;as&lt;/span&gt; &lt;span class="nn"&gt;awsx&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;pulumi_eks&lt;/span&gt; &lt;span class="k"&gt;as&lt;/span&gt; &lt;span class="nn"&gt;eks&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;pulumi_kubernetes&lt;/span&gt; &lt;span class="k"&gt;as&lt;/span&gt; &lt;span class="nn"&gt;k8s&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# Create VPC with default CIDR&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;eks_vpc&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;awsx&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;ec2&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Vpc&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;eks-vpc&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;enable_dns_hostnames&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="kc"&gt;True&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# Create minimal EKS cluster&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;eks_cluster&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;eks&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Cluster&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;eks-cluster&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;vpc_id&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;eks_vpc&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;vpc_id&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;private_subnet_ids&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;eks_vpc&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;private_subnet_ids&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;fargate&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="kc"&gt;True&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;pulumi&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;export&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;kubeconfig&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;eks_cluster&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;kubeconfig&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;And when I look in k9s I see this:&lt;/p&gt;
&lt;p&gt;&lt;img src="k9s-fargate.gif" alt="k9s fargate demo"&gt;&lt;/p&gt;
&lt;p&gt;You can see that each pod is on its own node. Even the core-dns pods in the system namespace are each on their own nodes. That is a lot of nodes, and it&amp;rsquo;s going to keep growing with my cluster.&lt;/p&gt;
&lt;p&gt;If I change my cluster to be backed by EC2 nodes, I get something different.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-diff" data-lang="diff"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;eks_cluster = eks.Cluster(&amp;#34;eks-cluster&amp;#34;,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; vpc_id=eks_vpc.vpc_id,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; private_subnet_ids=eks_vpc.private_subnet_ids,
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="gd"&gt;- fargate=True,
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="gi"&gt;+ instance_type=&amp;#34;t3.medium&amp;#34;,
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="gi"&gt;+ desired_capacity=2,
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="gi"&gt;+ min_size=1,
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="gi"&gt;+ max_size=2,
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Now, there are only two nodes, with the pods distributed among them. Those are my two &lt;code&gt;t3.medium&lt;/code&gt;s.&lt;/p&gt;
&lt;p&gt;&lt;img src="k9s-eks.gif" alt="k9s eks demo"&gt;&lt;/p&gt;
&lt;p&gt;So when should you use Fargate, and when EC2 for EKS? Well, it really all relates to what we are seeing here with the number and size of nodes.&lt;/p&gt;
&lt;p&gt;Let me explain.&lt;/p&gt;
&lt;h2 id="bin-packing"&gt;Bin Packing&lt;/h2&gt;
&lt;p&gt;Normally, the Kubernetes scheduler has to solve a bin-packing problem—fitting M pods across N nodes based on available resources. This is a straight-up resource optimization problem of balancing CPU, memory, and other resource demands across the cluster.&lt;/p&gt;
&lt;p&gt;This can be surprisingly complex in practice. Teams must balance selecting the right instance types for different workload needs while managing multiple node groups. Adding to this complexity are scheduling rules and resource quotas that need careful configuration. Perhaps most challenging is striking the right balance between high resource utilization and maintaining enough headroom for spikes in demand.&lt;/p&gt;
&lt;p&gt;&lt;img src="ec2-pods.png" alt="Diagram showing multiple Kubernetes pods running on shared EC2 nodes labeled Node1 and Node2."&gt;&lt;/p&gt;
&lt;p&gt;With Fargate, AWS sidesteps this challenge by providing a correctly sized bin for each pod. Each Fargate pod runs on its own dynamically provisioned, right-sized mini-environment, where the &amp;ldquo;bin&amp;rdquo; (the Fargate instance) is sized to match the pod&amp;rsquo;s requested resources. This means there&amp;rsquo;s no need for Kubernetes to optimize resource usage across a pool of shared nodes, as each pod effectively has its own &amp;ldquo;container&amp;rdquo; provided by Fargate that fits it&amp;rsquo;s needs precisely.&lt;/p&gt;
&lt;p&gt;In other words, AWS effectively pushes this bin-packing responsibility to itself, so you don&amp;rsquo;t have to worry ( as much ) about it.&lt;/p&gt;
&lt;p&gt;&lt;img src="faregate-pods.png" alt="Diagram showing AWS Fargate with one Kubernetes pod per isolated node, illustrating 1:1 pod-to-node mapping."&gt;&lt;/p&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;While Fargate abstracts away node management, it&amp;rsquo;s important to understand that Fargate pods &lt;a href="https://justingarrison.com/blog/2024-02-08-fargate-is-not-firecracker/"&gt;still run on EC2 instances&lt;/a&gt; behind the scenes. And each Fargate pod gets its own ENI (Elastic Network Interface) that can sometimes limit your scaling because pods aren&amp;rsquo;t sharing a network namespace.&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="pros-and-cons"&gt;Pros and Cons&lt;/h2&gt;
&lt;p&gt;So yeah, Fargate abstracts away the complexity of managing nodes and scaling clusters by shifting bin-packing to AWS. With its extensive infrastructure, AWS is arguably better positioned to optimize placements at scale. They can monitor their entire cloud landscape, placing Fargate instances dynamically across available resources. This allows them to potentially leverage underutilized resources in ways that would be challenging or impractical at an individual account&amp;rsquo;s scale.&lt;/p&gt;
&lt;div&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Responsibility&lt;/th&gt;
&lt;th&gt;EC2&lt;/th&gt;
&lt;th&gt;Fargate&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Instance Types&lt;/td&gt;
&lt;td&gt;You pick size and provision nodes&lt;/td&gt;
&lt;td&gt;AWS provisions per pod request&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Pod Isolation&lt;/td&gt;
&lt;td&gt;You prevent noisy neighbors&lt;/td&gt;
&lt;td&gt;AWS isolates each pod&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Resource Allocation&lt;/td&gt;
&lt;td&gt;You find space on nodes&lt;/td&gt;
&lt;td&gt;AWS creates dedicated space&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;span style="text-align:center"&gt;
&lt;figcaption&gt;
&lt;i&gt;Customer vs AWS Responsibility EC2 vs Fargate&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/span&gt;
&lt;/div&gt;
&lt;p&gt;Ideally, this frees you to focus on the services rather than on the underlying infrastructure, but in practice, it&amp;rsquo;s a bit more complex.&lt;/p&gt;
&lt;p&gt;Since each pod is treated as a standalone instance, you lose out on the cost efficiencies of co-locating multiple pods on a single node. Even though AWS is &amp;ldquo;solving&amp;rdquo; the bin-packing problem globally, to do so, they need to introduce hard barriers, and while noisy neighbors, therefore, aren&amp;rsquo;t a problem, sharing resources is now impossible. In a way, you are throwing away the run time benefit of containers, the shared kernel virtualization, for something more like VMs. And just like VMs, Fargate pods take longer to start than pods on existing EC2 nodes (typically 30-60 seconds vs near-immediate starts).&lt;/p&gt;
&lt;h3 id="a-note-on-scaling"&gt;A Note on Scaling&lt;/h3&gt;
&lt;p&gt;Both EC2 and Fargate work with Kubernetes&amp;rsquo; Horizontal Pod Autoscaling (HPA), which adds or removes pods based on metrics like CPU usage. The difference? With EC2, you need enough nodes available to handle new pods. With Fargate, AWS automatically provisions resources for each new pod - though you&amp;rsquo;ll face that 30-60 second startup delay and potential VPC limits since each pod needs its own network interface.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Feature&lt;/th&gt;
&lt;th&gt;Fargate&lt;/th&gt;
&lt;th&gt;EC2&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Cost&lt;/td&gt;
&lt;td&gt;Higher per pod&lt;/td&gt;
&lt;td&gt;Lower cost per pod&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Scalability&lt;/td&gt;
&lt;td&gt;Scales on-demand, isolated resources&lt;/td&gt;
&lt;td&gt;Requires manual node scaling&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Resource Sharing&lt;/td&gt;
&lt;td&gt;Not possible&lt;/td&gt;
&lt;td&gt;Efficient resource sharing among pods&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Startup Time&lt;/td&gt;
&lt;td&gt;30-60 seconds&lt;/td&gt;
&lt;td&gt;Near instant on existing nodes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Use Cases&lt;/td&gt;
&lt;td&gt;Burst workloads, isolated pods&lt;/td&gt;
&lt;td&gt;Cost-sensitive workloads, Resource sharing workloads&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;Maybe this will make more sense with an example.&lt;/p&gt;
&lt;h2 id="workload-example-static-analysis"&gt;Workload Example: Static Analysis&lt;/h2&gt;
&lt;img src="noisy.webp" alt="sketch of sleeping while noisy neighbor" style="width: 50%; float: left; margin-right: 10px;"&gt;
&lt;p&gt;Have you ever had to run CPU-intensive batch jobs alongside lighter web services?&lt;/p&gt;
&lt;p&gt;In a previous role, when my team and I were tasked with putting our static container image analyzer into production, we went the typical Kubernetes route, throwing it into an EC2-backed K8s cluster. The analyzer was built in Scala, running on the JVM, and was designed to take in work from a Kafka topic. Each analysis ultimately led to the results being sent to a database. We also had scheduled daily rescans of existing images whenever vulnerability lists were updated.&lt;/p&gt;
&lt;p&gt;Then, a web app connected to this database and showed all your results. It was stateless and did far less work per request, mainly just answering an HTTP request by talking to a database.&lt;/p&gt;
&lt;p&gt;The hard part though is that each analysis job involved uncompressing and analyzing Docker layers from S3 and could use a lot of CPU. Memory needs were around 2 GB per instance, which kept the JVM happy, but long sustained bursts in CPU usage were common, especially during intensive parts of the analysis.&lt;/p&gt;
&lt;p&gt;In our K8s setup, the biggest pain point was handling this analysis workload&amp;rsquo;s burstiness and keeping a bunch of stateless web apps up and answering requests. We ran multiple instances of the static analyzer. Still, the analyzer was the worst type of noisy neighbor to other services in the cluster, so we&amp;rsquo;d end up over-provisioning to ensure we had enough headroom, which led to wasted resources and extra cost. The setup worked, but was not great.&lt;/p&gt;
&lt;p&gt;Thinking back, I can see how Fargate could&amp;rsquo;ve streamlined things here. With Fargate, each static analyzer instance would run in its own isolated environment, so there&amp;rsquo;d be no resource contention or need for pre-provisioned node capacity. Each pod would be fully provisioned with the exact CPU and memory needed, and we could do some sort of on-demand scaling to deal with backlogs of analysis work in the Kafka topic.&lt;/p&gt;
&lt;p&gt;Fargate on EKS could be a great solution for this type of chunky, resource-heavy macro-services. There are probably other ways to handle this situation, and we worked on decomposing the analysis into smaller chunks, but Fargate might have been a good solution.&lt;/p&gt;
&lt;p&gt;But there are lots of situations where Fargate is less of a fit.&lt;/p&gt;
&lt;div class="note note-tip"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-lightbulb-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;
&lt;p&gt;&lt;strong&gt;You might also like:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://www.pulumi.com/blog/pulumi-for-aws-automate-secure-manage/"&gt;
Pulumi for AWS: Automate, Secure, and Manage Your Cloud
&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.pulumi.com/blog/easy-ai-apps-with-langserve-and-pulumi/"&gt;
Deploy LangServe Apps with Pulumi on AWS (RAG &amp;amp; Chatbot)
&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.pulumi.com/blog/advanced-aws-networking-part-2/"&gt;
Advanced AWS Networking: Part 2
&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="example-go-services-for-e-commerce"&gt;Example: Go Services for E-commerce&lt;/h2&gt;
&lt;img src="cash-register.webp" alt="sketch of fog clearing" style="width: 30%; float: right; margin-left: 10px;"&gt;
&lt;p&gt;Ok, another workload that comes to mind is this one from a friend - He worked on an e-commerce backend with many lightweight Go services, each handling specific tasks—user profiles, catalog browsing, order processing, and notifications. These services were network-heavy, handling gRPC calls and database requests, but they didn&amp;rsquo;t need much CPU or memory per instance.&lt;/p&gt;
&lt;p&gt;Fargate wouldn&amp;rsquo;t have made sense here—it would have isolated each pod, preventing resource sharing and driving up costs without real benefit. For lightweight services like these, EC2-backed Kubernetes is perfect, keeping costs low and maximizing resources by sharing nodes across small, efficient services.&lt;/p&gt;
&lt;p&gt;So, for lightweight micro-services that can share resources, EC2 nodes with many pods each are probably the way to go.&lt;/p&gt;
&lt;h3 id="other-fargate-cases"&gt;Other Fargate Cases&lt;/h3&gt;
&lt;p&gt;Fargate can excel with long-running event-driven and bursty workloads, where you need compute resources briefly or unpredictably. Think file processing jobs that trigger on uploads, or batch processing that runs sporadically. When jobs are intermittent, Fargate&amp;rsquo;s ability to scale from zero and its isolated resources can outweigh its higher per-pod cost and startup delay. Just ensure your workload can tolerate the 30-60 second cold start.&lt;/p&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;&lt;p&gt;Fargate has some hard limitations that might rule it out for your use case:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;No DaemonSets&lt;/li&gt;
&lt;li&gt;Maximum of 4 vCPU and 30GB memory per pod&lt;/li&gt;
&lt;li&gt;Storage limitations: Only ephemeral storage up to 20GB per pod, no persistent volumes&lt;/li&gt;
&lt;li&gt;No GPU support&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="fargate-vs-ec2-pricing"&gt;Fargate vs EC2 Pricing&lt;/h2&gt;
&lt;p&gt;Ok, EC2 costs less than Fargate on a pure cost-of-compute basis. If my t3.medium ($0.0416/hr) can typically run 6-8 pods reliably, and this works out to under $0.01/hr per pod. Comparable Fargate pods (0.5 vCPU/1GB) cost about $0.025/hr each, so 2.5x.&lt;/p&gt;
&lt;p&gt;These calculations can change based on how much headroom you need on EC2 and how many containers you can run on a given EC2 instance. Still, Fargate is just more expensive unless all your containers fit the exact computing sizes offered by Fargate. And don&amp;rsquo;t forget, AWS is likely incurring costs maintaining the warm compute capacity for launching Fargate pods, so it shouldn&amp;rsquo;t be surprising that Fargate is more expensive.&lt;/p&gt;
&lt;p&gt;But really, pure compute cost calculations are an insufficient metric for making this decision - you need to factor in your team&amp;rsquo;s operational capacity, scaling patterns, and isolation requirements.&lt;/p&gt;
&lt;p&gt;( Also, if Fargate makes sense because of your workload but the cost is a concern, then look into Fargate Spot instances, which can be up to 70% cheaper, but be aware that AWS can terminate them at any point to reclaim capacity. )&lt;/p&gt;
&lt;h2 id="misconceptions-about-fargate"&gt;Misconceptions About Fargate&lt;/h2&gt;
&lt;img src="insight.webp" alt="sketch of fog clearing" style="width: 50%; float: right; margin-left: 10px;"&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Fargate saves you from managing servers&lt;/strong&gt;
With containerized workloads and immutable infrastructure, your EC2 nodes are minimal, standardized, and automatically replaced. You&amp;rsquo;re not logging in, installing packages, or managing configuration - everything runs in containers. When a node needs updates, you replace it entirely.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Fargate handles all scaling challenges&lt;/strong&gt;
While it handles node scaling, you still face ENI limits, longer pod startup times (30-60s), and potential networking bottlenecks.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;It&amp;rsquo;s simpler and more reliable&lt;/strong&gt;
It may be, but it may not be. The complexity shifts to networking, pod configuration, and working within Fargate&amp;rsquo;s constraints. You trade node management for new operational challenges like slower startups and possible networking complexity.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="managing-container-orchestration-with-pulumi"&gt;Managing Container Orchestration with Pulumi&lt;/h2&gt;
&lt;p&gt;Whether you choose EC2 or Fargate, Pulumi makes it easy to manage in your favorite programming languages. With its rich AWS support and infrastructure as code capabilities, you can define, deploy, and manage your entire Kubernetes infrastructure using familiar tools and practices. Pulumi&amp;rsquo;s &lt;a href="https://www.pulumi.com/docs/iac/clouds/aws/"&gt;AWS provider&lt;/a&gt; helps you implement the right solution for your needs.&lt;/p&gt;
&lt;p&gt;With Pulumi, you get:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/iac/clouds/aws/guides/eks/"&gt;Complete control over EKS cluster configuration&lt;/a&gt;, including node types, scaling policies, and networking setup&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/iac/clouds/kubernetes/guides/worker-nodes/"&gt;Built-in support for both EC2 node groups and Fargate profiles&lt;/a&gt; within the same cluster&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/iac/concepts/testing/"&gt;Infrastructure testing capabilities&lt;/a&gt; to validate your cluster configuration before deployment&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/iac/packages-and-automation/automation-api/"&gt;Automation APIs&lt;/a&gt; for programmatic infrastructure management and custom tooling&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Ready to streamline your EKS infrastructure management?&lt;/p&gt;
&lt;a
href="https://www.pulumi.com/docs/get-started/"
class="btn btn-outline"
&gt;
Try Pulumi for Free
&lt;/a&gt;
&lt;h2 id="why-not-both"&gt;Why Not Both&lt;/h2&gt;
&lt;p&gt;I hope my examples point to a pragmatic approach: use EC2 as your foundation for efficient microservices that can share resources, like our Go e-commerce setup. Add Fargate when you need isolation or flexible scaling - like for the static analysis workload. Better yet, combine both approaches in the same cluster, for cost-efficiency and isolation where needed.&lt;/p&gt;
&lt;p&gt;If you&amp;rsquo;re interested in using Pulumi to manage EKS infra, here&amp;rsquo;s a &lt;a href="https://www.pulumi.com/docs/iac/clouds/aws/guides/eks/"&gt;practical EKS setup guide&lt;/a&gt; guide to get your started.&lt;/p&gt;
&lt;p&gt;Now, back to getting this demo cluster up and working!&lt;/p&gt;</description><author>Adam Gordon Bell</author><category>aws</category><category>eks</category><category>ec2</category><category>kubernetes</category></item><item><title>The Present and (Near) Future of AI and Infrastructure as Code</title><link>https://www.pulumi.com/blog/the-present-and-future-of-ai-and-iac/</link><pubDate>Wed, 14 Feb 2024 07:00:00 -0800</pubDate><guid>https://www.pulumi.com/blog/the-present-and-future-of-ai-and-iac/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/the-present-and-future-of-ai-and-iac/index.png" /&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;Note: This post discusses Pulumi Copilot, which Pulumi Neo has replaced. &lt;a href="https://www.pulumi.com/docs/ai/"&gt;Learn about Neo →&lt;/a&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;AI is impacting almost every industry today, and for good reason - we are seeing fundamentally new experiences being made possible across a wide variety of products, and a set of new AI capabilities that promise even more incredible change in the near future.&lt;/p&gt;
&lt;p&gt;Software development is among the earliest and most prominent fields to realize the benefits of AI, evidenced by the rapid adoption of tools like Github Copilot which is now one of the most heavily adopted developer tools of all time. Developers are benefiting from an incredible increase in their productivity with better scale and faster time to market.&lt;/p&gt;
&lt;p&gt;We’re seeing the impacts of AI in the cloud Infrastructure development space in two impactful and complimentary directions:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;🤖➜☁️: AI is transforming how we author, build and manage cloud infrastructure&lt;/li&gt;
&lt;li&gt;☁️➜🤖: Cloud infrastructure tooling is changing how we build and deliver AI-based applications&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;At Pulumi, we’ve already seen profound impacts from AI in both of these directions.&lt;/p&gt;
&lt;p&gt;Infrastructure engineers are using &lt;a href="https://www.pulumi.com/ai/"&gt;Pulumi AI&lt;/a&gt; to discover solutions for cloud infrastructure needs, leading to a dynamic experience where you can generate solutions in seconds with a few simple prompts, and using tools like GitHub Copilot to quickly iterate on and test their infrastructure.&lt;/p&gt;
&lt;p&gt;At the same time, thousands of organizations are using Pulumi and Pulumi Cloud to manage the fundamentally cloud-native infrastructure and services available to build and scale AI-based applications - managed vector databases, elastic compute services, model serving, streaming API management services, and workflow management - all evolving at the rapid pace of the AI space, and scaling with the demand that organizations are seeing for AI.&lt;/p&gt;
&lt;p&gt;In this article, we&amp;rsquo;ll dig into both of these trends and the impacts that they are already having today, as well as the trends we are expecting to see (and build) for the near future.&lt;/p&gt;
&lt;h2 id="ai-transforming-infrastructure-as-code"&gt;AI transforming Infrastructure as Code&lt;/h2&gt;
&lt;h3 id="today"&gt;Today&lt;/h3&gt;
&lt;p&gt;The scale of the cloud is truly incredible, and the sheer size of the AWS API is huge relative to almost any other computing platform, while AWS is just one of over 135 cloud providers for which Pulumi supports building and managing infrastructure. The result is more than 50,000 infrastructure resource types that can be managed, and over 1,000,000 configurable input properties on those resources. In practice, cloud engineers face a daunting task as they figure out how to combine these resources and properties to solve their unique problems. Finding an example or guidance for how to combine these together, given the enormous variety of possible ways, can be hard or impossible.&lt;/p&gt;
&lt;p&gt;As a result, one of the most fundamental challenges in enabling developers to use the cloud is helping them discover how to solve their problems using the enormous collection of available cloud infrastructure building blocks. For example, two years ago, I tried looking up how to &lt;strong&gt;“deploy Metabase on Azure using managed PostreSQL and containers”&lt;/strong&gt; to solve a problem I was working on. I couldn’t find any content on the internet that directly answered this. Not just for Pulumi, there was no answer using any other IaC or deployment technology.&lt;/p&gt;
&lt;p&gt;AI is perfectly suited for this challenge. With &lt;a href="https://www.pulumi.com/ai/"&gt;Pulumi AI&lt;/a&gt;, I can ask a question and get back an answer to the exact things I’m looking for - even if that specific use case has never been answered before. Pulumi AI doesn’t always get it completely right on the first try, but it typically gets very close, and points me in the direction I’m looking for. When I try its suggestion and get errors, I can ask it to fix them to iterate to a working solution.&lt;/p&gt;
&lt;p&gt;&lt;img src="run-metabase-in-azure.png" alt="run Metabase in Azure"&gt;&lt;/p&gt;
&lt;p&gt;The adoption of Pulumi AI since its release less than a year ago has been incredible, with tens of thousands of users submitting hundreds of thousands of prompts. And, perhaps surprisingly, usage hasn’t been driven only by or primarily by new Pulumi users. We’ve seen many of the most advanced Pulumi users with the deepest cloud knowledge leverage Pulumi AI the most heavily, helping them accelerate the development of new infrastructure solutions and discover more effective approaches to solving their infrastructure needs using the best of their cloud platforms.&lt;/p&gt;
&lt;!-- ![adoption of Pulumi AI](TODO) --&gt;
&lt;p&gt;On top of providing individual users a way to answer their unique questions, it is also helpful to get answers for the most common questions available on the internet, avoiding the need to generate new answers when solutions are needed. With Pulumi AI Answers, we’ve made answers to many of the most asked questions about cloud infrastructure available directly on the internet, making it even easier to find solutions to cloud infrastructure problems and IaC code to solve for them.&lt;/p&gt;
&lt;p&gt;As Infrastructure as Code tooling and cloud development generally embraces traditional programming languages like in Pulumi or CDK, we see the breadth of amazing tools and tooling ecosystems available in the Node.js, Python, Go, .NET and Java ecosystems all come to bear to support scalable cloud infrastructure management. AI-based tooling is no exception, with tools like GitHub Copilot, Amazon CodeWhisperer and SourceGraph Cody changing how developers write, iterate on and test their code, including their infrastructure code in popular languages that have huge training data sets. These tools are simply incredible at understanding and working with these popular languages, and modern IaC users are benefiting from these tools for productivity and discoverability.&lt;/p&gt;
&lt;p&gt;Of course, it’s not enough just to have the code you need; you actually have to deploy that code to create and manage your cloud infrastructure. This means getting the code into source control, setting up continuous delivery, and connecting to the configuration and secrets needed for the environment you are deploying to. Recently, we added “Deploy with Pulumi” support to each Pulumi AI answer, along with &lt;code&gt;pulumi new&lt;/code&gt; support in the Pulumi CLI, enabling you can go from a few simple text prompts to a working solution fully integrated with source control, CI/CD and Pulumi ESC in &lt;a href="https://www.pulumi.com/blog/pulumi-ai-new/"&gt;less than 30 seconds&lt;/a&gt;.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Deploy with Pulumi button in Pulumi AI"
autoplay muted playsinline
loop &gt;
&lt;source src="https://www.pulumi.com/uploads/dwp.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h3 id="near-future"&gt;Near Future&lt;/h3&gt;
&lt;p&gt;Even with the rapid progress over the last year, we’re clearly still just getting started in realizing the impact of AI on cloud infrastructure management.&lt;/p&gt;
&lt;p&gt;Tightening the feedback loop for tools like Pulumi AI will continue to enable AI to iterate and solve more complex cloud infrastructure challenges, and arrive at correct working solutions. And instead of asking questions and getting back code, these tools will soon be able to actually do the deployments and verify that they work. The result is a natural language interface, which can build and evolve cloud infrastructure. Even as the interface becomes natural language, Infrastructure as Code is a uniquely good &amp;ldquo;code-behind&amp;rdquo; for this because it maintains a desired state configuration for the infrastructure, which AI tools can easily iterate on and manage. The incredible pace of improvement in AI model skill and performance for writing code in particular will accrue directly into improvements here.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th style="text-align: center"&gt;&lt;img src="https://www.pulumi.com/uploads/content/blog/pulumi-ai/pulumi-ai.gif" alt="pulumi-ai CLI in action"&gt;&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td style="text-align: center"&gt;&lt;em&gt;An early prototype of interactive AI infrastructure development&lt;/em&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;AI-based tooling will also extend well beyond just creating and managing infrastructure, most importantly to the operational tooling used to understand, support, and diagnose that infrastructure, including policy enforcement across cost, compliance, and security. Giving AI-based tools and agents the ability to access things like cloud &lt;a href="https://www.pulumi.com/blog/resource-search/"&gt;resource search&lt;/a&gt;, the ability to run operational CLI commands inside target &lt;a href="https://www.pulumi.com/blog/environments-secrets-configurations-management/"&gt;environments&lt;/a&gt;, &lt;a href="https://www.pulumi.com/crossguard/"&gt;policy definition&lt;/a&gt;, and the opportunity to trigger &lt;a href="https://www.pulumi.com/blog/pulumi-deployments/"&gt;deployment workflows&lt;/a&gt; will empower these tools to support and ultimately automated broad classes of cloud infrastructure management tasks.&lt;/p&gt;
&lt;h2 id="infrastructure-as-code-transforming-ai"&gt;Infrastructure as Code transforming AI&lt;/h2&gt;
&lt;h3 id="today-1"&gt;Today&lt;/h3&gt;
&lt;p&gt;One of the biggest imperatives in almost every development organization today is to identify and invest in ways to leverage AI to improve software-based products, tools and processes. This has led, in turn, to massive growth in the need for cloud infrastructure to support and enable building and delivering these applications.&lt;/p&gt;
&lt;p&gt;One of the most striking things about modern AI-based applications is that they are significantly more cloud-native than previous generations of application architectures. This is true for several reasons:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Modern AI technology and services have been built around cloud-native assumptions&lt;/li&gt;
&lt;li&gt;AI-based applications frequently have especially bursty compute needs&lt;/li&gt;
&lt;li&gt;AI applications and the space overall is scaling rapidly, requiring elasticity and low operational overhead&lt;/li&gt;
&lt;li&gt;New managed services, like vector datastores, managed model serving APIs, managed data and training pipelines&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This cloud-native quality of AI-based applications makes Infrastructure as Code even more important and valuable for AI applications than in other, more traditional applications.&lt;/p&gt;
&lt;p&gt;The services to support building AI applications have all been built over the last two years around the assumption of the cloud. GPUs are dominantly accessed through cloud services. LLMs are invoked via managed services from OpenAI or via managed hosting of open-source models via SageMaker, Huggingface, or others. Retrieval Augmented Generation (RAG) is powered by dozens of managed database offerings, from dedicated vector databases like Pinecone, to vector extensions in Amazon Aurora PostgreSQL and more. Developers coming to AI assume they will stitch these services into rich application offerings.&lt;/p&gt;
&lt;p&gt;At Pulumi, we&amp;rsquo;ve seen &lt;a href="https://www.pulumi.com/solutions/ai/"&gt;dozens of AI-focused companies&lt;/a&gt; adopting and using Pulumi to manage their infrastructure, motivated by a combination of these AI-oriented infrastructure needs, along with the ease of using Python (already heavily used within the AI space), and TypeScript (popular due to a wide variety of AI-oriented front end frameworks). Pulumi also exposes the ability to manage many of these services directly, provisioning and managing the lifecycle of AI services across your infrastructure through support for things like &lt;a href="https://www.pulumi.com/registry/packages/azure-native/api-docs/cognitiveservices/deployment/"&gt;Azure OpenAI Service&lt;/a&gt;, &lt;a href="https://www.pulumi.com/registry/packages/pinecone/"&gt;Pinecone Indexes&lt;/a&gt;, &lt;a href="https://www.pulumi.com/registry/packages/aws/api-docs/sagemaker/endpoint/"&gt;Amazon SageMaker Endpoints&lt;/a&gt;, and much more.&lt;/p&gt;
&lt;p&gt;As these applications move from prototypes to production, the need for robust and scalable infrastructure to deploy these applications in the major cloud platforms is essential, and IaC offers the best way to manage this at scale. For example, deploying a &lt;a href="https://www.pulumi.com/blog/easy-ai-apps-with-langserve-and-pulumi/"&gt;LangChain application in production&lt;/a&gt;, or deploying the production-grade infrastructure for &lt;a href="https://www.pulumi.com/blog/pinecone-serverless/"&gt;deploying AI applications leveraging Pinecone’s vector database at scale&lt;/a&gt;. Both of these highlight ready-to-deploy cloud architectures for running an AI application in a production environment.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.pulumi.com/images/solutions/ai-arch/pinecone-refarch-diagram.png" alt="Pinecone reference architecture image"&gt;&lt;/p&gt;
&lt;p&gt;The cloud-native foundations of the modern AI application wave also lead to a lot of adoption and usage of Kubernetes as an orchestration platform. Infrastructure as code with Pulumi helps teams manage the Kubernetes cluster, the workloads, and the external AI service dependencies all in a consistent way, using a unified programming model and tools, and ensuring consistent delivery of changes, the ability to easily spin up test and development environments, and consistent application of policy and insights.&lt;/p&gt;
&lt;p&gt;One particular trend in the rapid growth of IaC is in fast-growing companies building the new managed AI infrastructure services themselves - from data services (e.g. &lt;a href="https://www.pinecone.io/"&gt;Pinecone&lt;/a&gt;) to compute (e.g. &lt;a href="https://modal.com/"&gt;Modal&lt;/a&gt;). These products face the need to manage complex cloud infrastructure as part of both multi-tenant and single-tenant solutions in order to offer simple abstracted data and compute services for their AI-application developer customers. Automation of infrastructure provisioning and changes via tools like Pulumi Automation API and Pulumi Deployments has seen rapid adoption and scaling among these customers. The ability to deploy across many cloud providers to offer low latency data and compute services to customers, data sovereignty, and access scarce GPU and accelerated computing resources across all cloud providers with a single consistent programming model and deployment strategy proves more important than ever.&lt;/p&gt;
&lt;h3 id="near-future-1"&gt;Near Future&lt;/h3&gt;
&lt;p&gt;The growth in the development of AI-based applications is still in its early days, and all the trends we’re seeing will only accelerate over the coming year.&lt;/p&gt;
&lt;p&gt;As these AI applications transition from prototypes to production deployment, their infrastructure needs are growing and maturing. Simple prototyping environments like Jupyter notebooks or Vercel deployments will transition into AWS/Azure/Google Cloud for the security, cost, compliance and management benefits. Larger development teams and faster customer-facing iteration will require standing up testing and ephemeral development environments, and some of the managed service dependencies will be brought in-house into self-managed open source model-service, training infrastructure and data pipelines.&lt;/p&gt;
&lt;p&gt;As patterns continue to solidify around common architectures, higher-level infrastructure components will abstract away some of this production infrastructure complexity, initially within organizations, and then in public components shared in the Pulumi Registry and elsewhere.&lt;/p&gt;
&lt;p&gt;And of course, the set of managed cloud services to support the AI ecosystem will continue to grow, expand and mature. Whether delivered as part of a major cloud platform or via a fast-growing startup, it will all be available to use productively at scale via infrastructure as code in Pulumi.&lt;/p&gt;
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;At Pulumi we often say that All Software is Cloud Software, and that All Developers are Cloud Developers. This has been truer than ever as AI has risen to the forefront of every organization’s software development priorities over the last 15 months. AI is transforming every aspect of software development, including cloud infrastructure development. Cloud infrastructure supports, enables, and accelerates how AI applications are built and scaled in production. We’ve already seen incredible impacts of both of these trends, yet there is so much more ahead on these arcs.&lt;/p&gt;
&lt;p&gt;We’re hard at work on all of these at Pulumi, and excited to see all of the innovation across the industry to build the future of AI-enabled cloud infrastructure management. Check out &lt;a href="https://www.pulumi.com/ai/"&gt;Pulumi AI&lt;/a&gt; and the &lt;a href="https://www.pulumi.com/solutions/ai/"&gt;AI with Pulumi&lt;/a&gt; page to get started experiencing the future of AI for Infrastructure as Code today!&lt;/p&gt;</description><author>Luke Hoban</author><category>ai</category><category>llm</category><category>infrastructure-as-code</category></item><item><title>Infrastructure as Code in Any Programming Language</title><link>https://www.pulumi.com/blog/infrastructure-as-code-in-any-programming-language/</link><pubDate>Tue, 31 Oct 2023 22:36:29 +0000</pubDate><guid>https://www.pulumi.com/blog/infrastructure-as-code-in-any-programming-language/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/infrastructure-as-code-in-any-programming-language/index.png" /&gt;
&lt;p&gt;&lt;em&gt;This is the first of a three-part series originally published on The New Stack.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.pulumi.com/what-is/what-is-infrastructure-as-code/"&gt;Infrastructure as Code&lt;/a&gt; is a technology for automating the infrastructure for your cloud applications. If you’re an engineer, whether that’s developing a backend service or within a central platform team, it’s not just about writing application code. You’ll need to provision, update and perform other tasks associated with its supporting infrastructure, and that’s where Infrastructure as Code can help. Instead of manually pointing-and-clicking in the cloud console, which is unrepeatable and error-prone, or writing ad-hoc scripts, which can be tedious and hard to scale, Infrastructure as Code lets us, as engineers, use familiar techniques by just writing code.&lt;/p&gt;
&lt;p&gt;Not every engineer has a deep infrastructure background and yet needs to get more hands-on with infrastructure these days, which is OK: This three-part series was written from an engineer’s point of view. In it, we will demystify Infrastructure as Code — the why, what, and how — through the lens of Pulumi, a popular Infrastructure as Code tool among engineers.&lt;/p&gt;
&lt;h2 id="why-we-need-infrastructure-as-code"&gt;Why We Need Infrastructure as Code&lt;/h2&gt;
&lt;p&gt;Modern applications need cloud infrastructure to run. That is equally true for simple monolithic applications running on virtual machines as it is for exotic distributed serverless applications that are fully elastic in scale. The applications themselves need infrastructure that they directly use, like whatever they run within (such as virtual machine, containerized service, serverless function, static website) in addition to any other resources they consume (databases, pub/sub topics, queues, AI/ML services, observability metrics and dashboards), but also depend on more primitive infrastructure to run atop (Kubernetes clusters, security roles and permissions, private networks, load balancers, encryption keys and more).&lt;/p&gt;
&lt;p&gt;The phrase “cloud infrastructure” is also broader than it may seem. This phrase evokes immediate thoughts of popular clouds like Amazon Web Services (AWS) , Microsoft Azure, and Google Cloud, as well as more specialized or regional ones like Alibaba Cloud, DigitalOcean and Oracle Cloud. It also quickly leads to cloud native infrastructure like Docker, Kubernetes and Helm. But this phrase also perhaps not obviously applies to modern software-as-a-service (SaaS) infrastructure companies who increasingly are supplying critical pieces of cloud infrastructure, including Confluent, Cloudflare, Databricks, DataDog, Elastic, MongoDB, New Relic and Snowflake.&lt;/p&gt;
&lt;p&gt;These companies are essentially specialized clouds providing more specialized services but are increasingly expanding to become clouds of their own. It also applies to private cloud technologies like F5, VMware vSphere and related technologies. Finally, also not obviously, there are SaaS tools that have configurable state that we use every day and may want repeatable management of just like our other cloud assets, including Auth0, GitHub, GitLab and PagerDuty.&lt;/p&gt;
&lt;p&gt;Cloud infrastructure’s reach is far and wide! But it also means that there are many complex moving pieces to manage and tame. And with so much innovation happening in cloud capabilities, that complexity is just growing with time. This begs questions like the following:&lt;/p&gt;
&lt;p&gt;Where does the infrastructure come from? How do we change it as our requirements evolve? How do we scale it as our needs grow, whether that’s increasing the compute and memory available to our workloads, scaling to many new instances, increasing our availability and reducing latency by deploying to new regions and environments worldwide… or, as is usually the case, a combination of all of these?&lt;/p&gt;
&lt;p&gt;How do we ensure our infrastructure practices are repeatable in the event something fails or a mistake is made? How do we capture and reuse best practices? Do the answers to these questions differ across clouds? How do we ensure collaboration can take place safely and our deployments aren’t flaky and prone to colliding? And how do we secure all of it and ensure best practices and policies are enforced at all times?&lt;/p&gt;
&lt;p&gt;These are all things that Infrastructure as Code solves, and it starts with code.&lt;/p&gt;
&lt;h2 id="benefits-of-infrastructure-as-code"&gt;Benefits of Infrastructure as Code&lt;/h2&gt;
&lt;p&gt;The Infrastructure as Code approach provides many benefits, but they fall into two primary categories:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Using code to declare infrastructure&lt;/li&gt;
&lt;li&gt;Using a declarative engine to orchestrate infrastructure changes&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;It is the combination of these two things that leads to the magic of “Infrastructure as Code.”&lt;/p&gt;
&lt;h2 id="the-benefits-of-code"&gt;The Benefits of Code&lt;/h2&gt;
&lt;p&gt;Encoding your cloud application infrastructure in code results in a durable artifact representing your desired architecture. This can be code-reviewed, committed to source control and versioned in the usual ways. Infrastructure as Code tools not only know how to stand up the initial version of your infrastructure, but can replicate it across many environments (like dev, staging, prod and multiple regions), in addition to upgrading individual environments as your requirements evolve.&lt;/p&gt;
&lt;p&gt;In terms of the “code” aspect, the expression of your code varies across the Infrastructure as Code landscape. Some tools support markup languages like JSON or YAML, while others support domain-specific languages (DSLs) that are specific to that tool. In this article, we will use Pulumi, which takes a unique approach to Infrastructure as Code that is well-suited for engineers: namely you use industry-standard general-purpose languages, including C#, Go, Java, JavaScript, Python or TypeScript, to express your code. This approach is great for engineers because it makes infrastructure more accessible and lets you use standard engineering tools and practices that you’re already using to build other software in your team.&lt;/p&gt;
&lt;p&gt;Examples of these benefits include having rich constructs like simple if-statements and for-loops, which help avoid repetition and model complex infrastructure needs. Since all of these languages are broadly supported throughout the industry, virtually any editor you pick up will have great support, such as Visual Studio Code, PyCharm, Sublime Text, IntelliJ or even vim or emacs. That means you’ll get interactive statement completion, red squiggles if you make a typo or have a type-checking error, documentation as you hover, right-click to go to definition or refactor, and so much more. It’s easy to take these things for granted, but they are essential for software engineering productivity.&lt;/p&gt;
&lt;p&gt;There are other benefits still such as linters, testing tools, the ability to share and reuse with package managers rather than copy-and-pasting and more. Lastly, each of these languages has enormous communities that add up to more than 20 million engineers, which means there’s a wealth of knowledge and support available.&lt;/p&gt;
&lt;p&gt;It turns out &lt;a href="https://www.pulumi.com/blog/pulumi-yaml/"&gt;Pulumi supports YAML&lt;/a&gt; too — the L in YAML stands for language, after all — which is a fine choice for simple scenarios, those where you want to machine-generate your Infrastructure as Code, or when engineers want to enable their sysadmins to do Infrastructure as Code too.&lt;/p&gt;
&lt;h2 id="the-benefits-of-declarative"&gt;The Benefits of Declarative&lt;/h2&gt;
&lt;p&gt;Code is one major benefit. But in addition to the benefits of code, Infrastructure as Code has another significant advantage: It is “declarative,” even if you’ve chosen an imperative language like Go to express your code.&lt;/p&gt;
&lt;p&gt;Infrastructure as Code tools generally work using a concept called “desired state.” The code, when run, produces a picture of the infrastructure your application requires. The Infrastructure as Code tool then understands how to compare the desired state with reality, and plan a course of action based on that information.&lt;/p&gt;
&lt;p&gt;If it’s your first time creating a certain environment, something Pulumi calls a stack, then of course all the declared infrastructure will need to be created from scratch. Upon subsequent evaluations, however, that same infrastructure may need to be updated, deleted or even re-created, in addition to new infrastructure that may get spun up when it’s the first time it has been declared. This plan is presented ahead of performing any actions, so you and your team can review it, and if the course of action is wrong, you can correct it first.&lt;/p&gt;
&lt;p&gt;One example of this process would be to first create a microservice environment that includes a Layer 4 network load balancer, a containerized cluster and a replicated, containerized service. You could subsequently add a private container registry, switch to a Layer 7 application load balancer, and scale up the service from one to three replicas.&lt;/p&gt;
&lt;p&gt;This declarative approach ensures we can preview changes before they are made so we don’t have any unpleasant deployment surprises, gives us a full audit history of exactly what has changed in our actual infrastructure and when, similar to what source control does for our code artifacts, allows us to gate deployments on verification checks such as testing and policy enforcement, and makes it easier to integrate with various automation workflows.&lt;/p&gt;
&lt;p&gt;It’s the codification of infrastructure and repeatability of the declarative approach that lets us use Infrastructure as Code in many kinds of automated workflows. That includes running a command-line interface (CLI) manually or as part of a script. Although “manual” may sound bad, the actual deployment is done with all of the above safeguards, so it’s fairly common for an Infrastructure as Code tool to be run this way.&lt;/p&gt;
&lt;p&gt;However, most teams will adopt a CI/CD model for their most important environments, like production, which will trigger the actual deployment of code changes off a code commit. This ensures that all changes have been reviewed in the usual ways and go through a standard CI/CD pipeline. That pipeline may also include continuous verification (CV) such as running tests.&lt;/p&gt;
&lt;p&gt;Some Infrastructure as Code tools support just one cloud, but our chosen tool, Pulumi, supports many, &lt;a href="https://www.pulumi.com/registry"&gt;including all of those mentioned above&lt;/a&gt;, so all of these workflows can be standardized across all of the clouds and service providers. It can even track dependencies between cloud services — for example, it would not be strange to provision an Elastic Kubernetes Service cluster in AWS, install Datadog agents on its nodes, deploy some Kubernetes workloads, and place a Cloudflare content delivery network in front of that application, all using a single Infrastructure as Code program.&lt;/p&gt;
&lt;p&gt;Pulumi’s unique approach unlocks an even more sophisticated workflow for running your code, using its so-called “&lt;a href="https://www.pulumi.com/automation/"&gt;Automation API&lt;/a&gt;.” This approach embeds Infrastructure as Code workflows right into larger pieces of software so that it can be programmed for highly dynamic scenarios.&lt;/p&gt;
&lt;p&gt;This unlocks scenarios like building custom tools and libraries that build on top of and extend Infrastructure as Code, &lt;a href="https://www.pulumi.com/product/internal-developer-platforms/"&gt;internal infrastructure provisioning portals&lt;/a&gt; and even entire SaaS products that need to provision or manage infrastructure as part of delivering their capabilities to their own end users.&lt;/p&gt;
&lt;p&gt;In Part 2 of our series, we will take you through the steps needed to set up Infrastructure as Code. In doing so, we will be using Pulumi’s free and open source SDK, which is available &lt;a href="https://www.pulumi.com/docs/install/"&gt;here&lt;/a&gt;. It’s easy to get started, but you may want to take time now to explore the platform. You might also like to sign up for Pulumi Cloud, which can be done &lt;a href="https://app.pulumi.com/signup"&gt;here&lt;/a&gt;.&lt;/p&gt;</description><author>Joe Duffy</author><category>infrastructure-as-code</category><category>fundamentals</category></item><item><title>Pulumi's Declarative and Imperative Approach to IaC</title><link>https://www.pulumi.com/blog/pulumi-is-imperative-declarative-imperative/</link><pubDate>Fri, 23 Sep 2022 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/pulumi-is-imperative-declarative-imperative/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/pulumi-is-imperative-declarative-imperative/index.png" /&gt;
&lt;p&gt;On a regular basis, articles and tweets pass by discussing whether some specific tool is imperative or declarative.&lt;/p&gt;
&lt;p&gt;It&amp;rsquo;s no surprise that Pulumi is often the tool being debated. What if I tell you that Pulumi is imperative, declarative and imperative?&lt;/p&gt;
&lt;p&gt;When we look at our &lt;a href="https://www.pulumi.com/docs/support/faq#is-pulumi-imperative-or-declarative"&gt;Frequently Asked Questions&lt;/a&gt;, we read the following on the declarative versus imperative topic:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Pulumi is a declarative tool that uses imperative languages to define your end state. The language is used for authoring your program.
It’s not used for talking to the cloud provider API.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;It is good to know to refresh what &lt;code&gt;declarative&lt;/code&gt; and &lt;code&gt;imperative&lt;/code&gt; mean:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Both terms refer to how the user provides direction to the automation platform. With an imperative tool, you define the steps to execute in order to reach the desired solution. With a declarative tool, you define the desired state of the final solution, and the automation platform determines how to achieve that state. (&lt;a href="https://www.linode.com/blog/devops/declarative-vs-imperative-in-iac/"&gt;Source&lt;/a&gt;)&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The title of the article mentions &lt;code&gt;imperative&lt;/code&gt; and &lt;code&gt;declarative&lt;/code&gt; both. Pulumi leverages the best of both worlds into our product.&lt;/p&gt;
&lt;p&gt;Pulumi tries to offer a solution where our customers are only limited by their imagination rather than the tool at hand. Let me use the Pulumi architecture to highlight why I mention &lt;em&gt;imperative&lt;/em&gt; twice.&lt;/p&gt;
&lt;h2 id="pulumi-architecture"&gt;Pulumi Architecture&lt;/h2&gt;
&lt;p&gt;Here is the diagram from our &lt;a href="https://www.pulumi.com/docs/concepts/how-pulumi-works/"&gt;How Pulumi Works&lt;/a&gt; page:&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.pulumi.com/images/docs/reference/engine-block-diagram.png" alt="Pulumi Architecture"&gt;&lt;/p&gt;
&lt;p&gt;You code your infrastructure in your preferred programming language. When you are done coding, you run &lt;code&gt;pulumi up&lt;/code&gt; and the Pulumi CLI starts the language host for your selected programming language, as well as the required providers. The interaction between these 3 parts of the architecture results in the actual creation or modification of your infrastructure.&lt;/p&gt;
&lt;h3 id="an-imperative-part-the-language-host"&gt;An Imperative Part: The Language Host&lt;/h3&gt;
&lt;p&gt;Under the hood, the Pulumi CLI does a lot of things, but one of the first actions is starting the language runtime, which is configured in
the &lt;code&gt;Pulumi.yaml&lt;/code&gt; project file:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;name&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;blog_code&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;description&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Example for declarative blog post&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;runtime&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;python&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;main&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;blog_code/&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Once the language runtime is up, it turns to the program file. Here is a small Python example:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="nn"&gt;pulumi_aws&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;s3&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;bucket&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;s3&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Bucket&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;bucket&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;i&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="nb"&gt;range&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;10&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;s3&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;BucketObject&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;object-&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;i&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;s3&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;BucketObjectArgs&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;bucket&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;bucket&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;id&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;key&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nb"&gt;str&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;i&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;A Pulumi program models the to-be state of your infrastructure. If you read this program, you can find that
we define 11 resources as our to-be infrastructure:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;1 &lt;a href="https://www.pulumi.com/registry/packages/aws/api-docs/s3/bucket/"&gt;AWS S3&lt;/a&gt; bucket&lt;/li&gt;
&lt;li&gt;10 &lt;a href="https://www.pulumi.com/registry/packages/aws/api-docs/s3/bucketobject/"&gt;Objects&lt;/a&gt; in the bucket created in the previous step&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The stack itself is also modelled as a resource, and it is the parent to all other resources.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-sh" data-lang="sh"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ pulumi up
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Updating &lt;span class="o"&gt;(&lt;/span&gt;&amp;lt;masked&amp;gt;/dev&lt;span class="o"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;View Live: https://app.pulumi.com/&amp;lt;masked&amp;gt;/blog_code/dev/updates/1
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; Type Name Status
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; + pulumi:pulumi:Stack blog_code-dev created
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; + ├─ aws:s3:Bucket bucket created
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; + ├─ aws:s3:BucketObject object-0 created
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; + ├─ aws:s3:BucketObject object-1 created
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; + ├─ aws:s3:BucketObject object-3 created
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; + ├─ aws:s3:BucketObject object-2 created
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; + ├─ aws:s3:BucketObject object-6 created
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; + ├─ aws:s3:BucketObject object-4 created
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; + ├─ aws:s3:BucketObject object-5 created
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; + ├─ aws:s3:BucketObject object-7 created
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; + ├─ aws:s3:BucketObject object-9 created
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; + └─ aws:s3:BucketObject object-8 created
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Resources:
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; + &lt;span class="m"&gt;12&lt;/span&gt; created
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Duration: 13s
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;While this is definitely an imperative program, there is one important thing to understand: Instantiating an &lt;code&gt;s3.Bucket&lt;/code&gt;, &lt;code&gt;s3.BucketObject&lt;/code&gt;, or any other Pulumi resource should not be interpreted as an imperative creation of the resource in the language host. Behind the scenes, any resource instantiation in the language host triggers a &lt;code&gt;Register Resource&lt;/code&gt; request to the Pulumi deployment engine. All these &lt;code&gt;Register Resource&lt;/code&gt; requests together form the resource model you as an infrastructure developer want to get in the end.&lt;/p&gt;
&lt;p&gt;Running your program always sends the full resource model to the Pulumi deployment engine regardless of what state your current infrastructure is in.&lt;/p&gt;
&lt;p&gt;Our previous example was shown in Python, but recently we also delivered &lt;a href="https://www.pulumi.com/docs/languages-sdks/yaml/"&gt;support for YAML&lt;/a&gt;.
The creation of our S3 bucket could be converted to this snippet:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;resources&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;bucket&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;type&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;aws:s3:Bucket&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The separation of language support from the engine allows us to offer both imperative &amp;amp; declarative solutions. But remember that none of the supported languages do any of the provisioning directly in the language host.&lt;/p&gt;
&lt;p&gt;If the resource provisioning is not taking place in the language host, where is the magic happening then?&lt;/p&gt;
&lt;h3 id="the-declarative-part-the-cli-and-engine"&gt;The Declarative Part: The CLI and Engine&lt;/h3&gt;
&lt;p&gt;In the previous step, you found out that the language host sends requests to the engine to fulfill your to-be infrastructure.&lt;/p&gt;
&lt;p&gt;It is now that the Pulumi deployment engine gets to work. The engine combines the intended model of the infrastructure received from the language host, the current state recorded in the state backend, and the actual resource state to compute which actions need to be executed to bring the actual state in line with the intended model.&lt;/p&gt;
&lt;p&gt;Our little example contains dependencies: every &lt;code&gt;s3.BucketObject&lt;/code&gt; uses the &lt;code&gt;bucket.id&lt;/code&gt; as a way to define in which bucket these objects should be stored. The property &lt;code&gt;id&lt;/code&gt; from the &lt;code&gt;s3.Bucket&lt;/code&gt; is an &lt;code&gt;Output&lt;/code&gt;. Outputs are Pulumi&amp;rsquo;s way of tracking which property of one resource is required by another, hereby creating a dependency between the resources. The engine uses all these outputs passed from one resource to another as the vertices in a &lt;a href="https://en.wikipedia.org/wiki/Directed_acyclic_graph"&gt;directed acyclic graph&lt;/a&gt; (DAG). The engine determines the order of actions based on this graph.&lt;/p&gt;
&lt;p&gt;On a first run of &lt;code&gt;pulumi up&lt;/code&gt; of our example program, the engine will first create the bucket and wait for the provisioning to be complete, after which the actual bucket ID is passed to the creation of all the bucket objects. Since none of the bucket objects depend on other resources, these bucket objects can all be provisioned concurrently.&lt;/p&gt;
&lt;p&gt;On a second run, assuming no modifications to our example program, the Pulumi deployment engine will compare the to-be model with the actual state and conclude that nothing needs to be done.&lt;/p&gt;
&lt;p&gt;Let&amp;rsquo;s crank up the number of bucket objects to 11.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="nn"&gt;pulumi_aws&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;s3&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;bucket&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;s3&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Bucket&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;bucket&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;i&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="nb"&gt;range&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;11&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt; &lt;span class="c1"&gt;# &amp;lt;- number of objects increased by 1&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;s3&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;BucketObject&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;object-&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;i&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;s3&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;BucketObjectArgs&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;bucket&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;bucket&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;id&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;key&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nb"&gt;str&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;i&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The third Pulumi run will find the bucket and the first 10 objects in the state. The only action taken now is the creation of the 11th bucket object. This brings the actual state back in sync with your intended model.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-sh" data-lang="sh"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ pulumi up
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Updating &lt;span class="o"&gt;(&lt;/span&gt;&amp;lt;masked&amp;gt;/dev&lt;span class="o"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;View Live: https://app.pulumi.com/&amp;lt;masked&amp;gt;/blog_code/dev/updates/2
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; Type Name Status
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; pulumi:pulumi:Stack blog_code-dev
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; + └─ aws:s3:BucketObject object-10 created
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Resources:
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; + &lt;span class="m"&gt;1&lt;/span&gt; created
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="m"&gt;12&lt;/span&gt; unchanged
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Duration: 5s
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Although you create the intended model of your infrastructure with an imperative language, the engine definitely processes this in a declarative way.&lt;/p&gt;
&lt;h3 id="another-imperative-part-the-providers"&gt;Another Imperative Part: The Providers&lt;/h3&gt;
&lt;p&gt;These examples hopefully made clear that the Pulumi deployment engine calculates a set of actions to declaratively bring the actual state in sync with your intended model. But the engine is not the component which knows how to talk to all the different APIs of cloud and tool vendors. That&amp;rsquo;s the role of the provider.&lt;/p&gt;
&lt;p&gt;The engine and the provider processes are connected with a &lt;a href="https://en.wikipedia.org/wiki/GRPC"&gt;gRPC&lt;/a&gt; connection. This is similar to the connection between the language host and the engine, with the only difference of which requests are sent. The API that providers expose are of a &lt;a href="https://en.wikipedia.org/wiki/Create,_read,_update_and_delete"&gt;CRUD&lt;/a&gt; nature:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;em&gt;Create&lt;/em&gt;: create a new resource&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Read&lt;/em&gt;: read information of an existing resource&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Update&lt;/em&gt;: update an existing resource with modified information&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Delete&lt;/em&gt;: delete an existing resource when no longer needed&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The providers receive requests from the engine dependent on the set of actions the engine calculated. A provider doesn&amp;rsquo;t know anything about the state, the correlation between resource, and so forth.&lt;/p&gt;
&lt;p&gt;The nature of the provider API is clearly imperative.&lt;/p&gt;
&lt;h3 id="summary"&gt;Summary&lt;/h3&gt;
&lt;p&gt;If the question ever pops up again whether Pulumi is declarative or imperative, the answer is clearly we are both. It is only based on which component of our architecture you are talking about:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;em&gt;Language host&lt;/em&gt;: imperative (JS/TS, Go, Python, C#/F#/.NET, Java) and declarative (YAML)&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Pulumi engine&lt;/em&gt;: declarative&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Providers&lt;/em&gt;: imperative&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;To us, it mainly matters if we can solve your infrastructure automation problem. If you still miss something in our offering, we want to &lt;a href="https://www.pulumi.com/contact/"&gt;hear from you&lt;/a&gt;!&lt;/p&gt;</description><author>Ringo De Smet</author><category>cloud-engineering</category><category>infrastructure-as-code</category></item><item><title>Pulumi and RedMonk on developer-first infrastructure and why it matters</title><link>https://www.pulumi.com/blog/redmonk-pulumi-developer-first-infrastructure/</link><pubDate>Tue, 26 Apr 2022 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/redmonk-pulumi-developer-first-infrastructure/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/redmonk-pulumi-developer-first-infrastructure/index.png" /&gt;
&lt;p&gt;What do assembly languages and the cloud have in common? Are abstractions the future of cloud computing? What does &amp;ldquo;infrastructure&amp;rdquo; really mean? And why do these questions matter to the platform engineers, infrastructure engineers, and developers who are building modern cloud applications today?&lt;/p&gt;
&lt;p&gt;Joe Duffy (Founder &amp;amp; CEO, Pulumi) and James Governor (Co-founder, RedMonk) recently answered these questions and more in a conversation about developer-first infrastructure. Developer-first infrastructure means empowering developers to build and deploy modern cloud applications and infrastructure through the use of software engineering practices that tame modern cloud complexity.&lt;/p&gt;
&lt;p&gt;If you&amp;rsquo;re interested in learning how the worlds of software engineering and cloud infrastructure are intersecting in addition to principles and best practices for building in the cloud, then watch the 28-minute video below.&lt;/p&gt;
&lt;div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"&gt;
&lt;iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/h4nA1-O0QrI?rel=0?autoplay=0&amp;amp;controls=1&amp;amp;end=0&amp;amp;loop=0&amp;amp;mute=0&amp;amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"&gt;&lt;/iframe&gt;
&lt;/div&gt;
&lt;h2 id="highlights-of-pulumi-and-redmonks-discussion-on-developer-first-infrastructure"&gt;Highlights of Pulumi and RedMonk&amp;rsquo;s discussion on developer-first infrastructure&lt;/h2&gt;
&lt;p&gt;In the first half of the discussion, Joe and James discuss the complexities of building on the modern cloud as application architectures have evolved from simple three-tier apps to the modern, distributed applications of today. Joe traces the evolution of modern computing in which complexity has been tamed over time through abstractions: from low-level assembly languages to higher-level languages and runtimes that make software more accessible, and finally to operating systems. They then discuss how an analogous transformation has yet to occur in the cloud on a mainstream basis.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&amp;ldquo;The level of abstraction [that most people are doing] with cloud infrastructure reminds me of assembly languages. You look at writing these YAML templates that over-specify every detail of the underlying architecture. I think [the industry] can do better. I think we can be inspired by what we&amp;rsquo;ve done in programming languages.&amp;rdquo; &amp;mdash; Joe Duffy&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;In the second half of the discussion, the two discuss what developer-first infrastructure is, and how companies can use this philosophy to tame modern cloud complexity and accelerate development velocity. Companies that execute this well have a &amp;ldquo;developer-first multiple&amp;rdquo; &amp;mdash; that is, the most valuable companies in the world today are the ones who&amp;rsquo;ve thought hard about the developer experience for their own employees or the communities that interact with them.&lt;/p&gt;
&lt;p&gt;Joe describes five principles of developer-first infrastructure that make developers&amp;rsquo; lives easier when building on the cloud.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/cloud-engineering/"&gt;Cloud Engineering&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Harmonized Applications and Infrastructure&lt;/li&gt;
&lt;li&gt;Beyond &amp;ldquo;Lift and Shift&amp;rdquo;&lt;/li&gt;
&lt;li&gt;Secure and Observable By-Construction&lt;/li&gt;
&lt;li&gt;An API for Everything&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;img src="https://www.pulumi.com/blog/redmonk-pulumi-developer-first-infrastructure/developer-first-infra-principles.png" alt="Principles of developer-first infrastructure"&gt;&lt;/p&gt;
&lt;p&gt;Finally, Joe dives into the best practices of developer-first infrastructure:&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.pulumi.com/blog/redmonk-pulumi-developer-first-infrastructure/developer-first-infra-best-practices.png" alt="Best practices of developer-first infrastructure"&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Unified Engineering&lt;/strong&gt;: Software engineering tools and practices for applications and infrastructure.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;APIs&lt;/strong&gt;: Making everything programmable and composable with APIs.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Everything as Code&lt;/strong&gt;: Use &amp;ldquo;as code&amp;rdquo; techniques like infrastructure as code and policy as code.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Polyglot&lt;/strong&gt;: Embrace the best language ecosystems for the job at hand.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Modularity&lt;/strong&gt;: Tackle complexity with real sharing and reuse, not copy &amp;amp; paste.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Continuous Delivery&lt;/strong&gt;: Deliver and scale applications and infrastructure with automated techniques.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Continuous Verification&lt;/strong&gt;: Verify and enforce guardrails at all times.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Environment Parity&lt;/strong&gt;: Share as much as possible between dev, test, and prod environments.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Securely Configured&lt;/strong&gt;: Loosely couple and securely configure environments.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Distributed Architectures&lt;/strong&gt;: Go beyond &amp;ldquo;lift and shift&amp;rdquo; to building truly cloud-native applications and infrastructure.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Observable&lt;/strong&gt;: Instrument applications and infrastructure to log high cardinality events, early and often.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2 id="next-steps"&gt;Next steps&lt;/h2&gt;
&lt;p&gt;Developer-first infrastructure means empowering developers to build and deploy modern cloud applications and infrastructure through the use of software engineering practices that tame modern cloud complexity. If you feel inspired after viewing the Pulumi/RedMonk discussion video, then consider applying developer-first principles and practices for your next greenfield project or application using an infrastructure as code tool like &lt;a href="https://www.pulumi.com/docs/get-started/"&gt;Pulumi&lt;/a&gt;. You can also &lt;a href="https://www.youtube.com/watch?v=SQRM0r5U1js"&gt;watch Joe Duffy&amp;rsquo;s presentation&lt;/a&gt; on developer-first infrastructure from the Cloud Engineering Summit to learn more about developer-first.&lt;/p&gt;</description><author>George Huang</author><category>cloud-engineering</category><category>enterprise</category><category>developer-first-infrastructure</category><category>cloud-computing</category><category>infrastructure-as-code</category></item><item><title>What Exactly Is Cloud Engineering?</title><link>https://www.pulumi.com/blog/what-exactly-is-cloud-engineering/</link><pubDate>Fri, 23 Jul 2021 12:46:42 -0500</pubDate><guid>https://www.pulumi.com/blog/what-exactly-is-cloud-engineering/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/what-exactly-is-cloud-engineering/index.png" /&gt;
&lt;p&gt;When we think about the idea of &amp;ldquo;cloud engineering,&amp;rdquo; we often think about the concept of taking standard software engineering practices and tools, and making them available and consistent across development, infrastructure, and compliance teams.&lt;/p&gt;
&lt;p&gt;It sounds a lot like what DevOps was supposed to accomplish, right? Many great practices have come out of software engineering that we can apply to operations and infrastructure. Likewise, practices from operational disciplines are equally applicable to development teams.&lt;/p&gt;
&lt;p&gt;In cloud engineering, we look at how all of these practices are available to multiple functions and teams. It&amp;rsquo;s a compelling concept, and the more that we refactor our thinking around this, the more effective we can be at delivering value to our customers and users.&lt;/p&gt;
&lt;p&gt;Cloud engineering has three main components: Build, Deploy, and Manage. These are all different areas, but they have a lot in common. We will dig into each of these areas in detail in upcoming posts in this series, but here are the key concepts around each.&lt;/p&gt;
&lt;h2 id="build"&gt;Build&lt;/h2&gt;
&lt;p&gt;This might sound like it’s just about writing code, but the &lt;em&gt;build&lt;/em&gt; area of cloud engineering is about creating services and infrastructure that provide what our customers need. In today’s world, we use cloud resources to build applications, services, and infrastructure. These resources can make up a shared service platform, giving a single, consistent experience across multiple teams.&lt;/p&gt;
&lt;p&gt;It&amp;rsquo;s also advantageous to create reusable infrastructure components so that application and service delivery focuses on differentiators rather than &amp;ldquo;reinventing the wheel.&amp;rdquo; Reusable components provide a consistent and standard implementation, using our organizations&amp;rsquo; and teams&amp;rsquo; existing practices.&lt;/p&gt;
&lt;p&gt;Besides expressing our own best practices and common configurations and approaches, when we build our infrastructure using standard programming languages, we can take advantage of the entire ecosystem surrounding them! We can leverage existing IDEs, test frameworks and approaches, and other wonderful tools available for those languages. Using modern architectures also focuses on the value our services and platforms provide, rather than bespoke and custom implementations.&lt;/p&gt;
&lt;h2 id="deploy"&gt;Deploy&lt;/h2&gt;
&lt;p&gt;It doesn&amp;rsquo;t count until it&amp;rsquo;s in production, right? Code and infrastructure don&amp;rsquo;t give any value until it&amp;rsquo;s in front of our customers and users. But doing this in a manner that is highly efficient and quality-consistent is key. Deployment processes that take too long or require too many manual steps can block us from getting new features to our customers or resolving service issues.&lt;/p&gt;
&lt;p&gt;When we apply software engineering practices to our deployment processes, this can ensure that we ship the same way, every time. It&amp;rsquo;s become common practice to apply the principles of continuous integration and delivery to our application software, but we can use the same principles with our infrastructure. This means that new and changed infrastructure resources can meet our quality controls and be tracked and understood when we are investigating the dreaded “what changed?” problem.&lt;/p&gt;
&lt;p&gt;The value of automating deployment isn&amp;rsquo;t just about providing the tests; it ensures all the steps we require are performed every time. Regardless of years of experience, every human is capable of missing a step or making an error. We want to have our skilled humans focus on the areas that benefit from human expertise and not waste their time on the things that don&amp;rsquo;t.&lt;/p&gt;
&lt;p&gt;“But what about checklists?” Checklists are great! But they are even better when a human defines them and are run by software. The power of a checklist is in defining steps, and in many ways, automation expresses our checklists in code. Code that can be tested, reviewed, and managed.&lt;/p&gt;
&lt;p&gt;But beyond simple automation, having a unified approach to deployment for both application code and infrastructure changes allows us to consider automation as the key part of the application. We think about infrastructure as a critical and essential component rather than something that happens “on the side.”&lt;/p&gt;
&lt;h2 id="manage"&gt;Manage&lt;/h2&gt;
&lt;p&gt;Getting our services into production is a key step, but it’s not the end. Our customers constantly use our services and applications, and we need to manage all of the resources in use. As it applies to our applications and services, visibility across all of our infrastructure allows everyone on our team, regardless of their role, to have a common understanding of what’s going on.&lt;/p&gt;
&lt;p&gt;You may be familiar with the adage &amp;ldquo;security is everyone&amp;rsquo;s job.&amp;rdquo; What that means in the world of cloud engineering is that we consider security and compliance (whether regulatory policies or organizational policies) to be closely integrated into our work. Treating our policy as code, just as we treat our infrastructure as code, is a powerful idea! When we express these policies as code rather than prose in a document, we can apply these policy checks both before and after we deploy our services and infrastructure. Doing so extends the common &amp;ldquo;vocabulary&amp;rdquo; for collaboration across all teams, regardless of where they sit in the org chart.&lt;/p&gt;
&lt;p&gt;Another key piece of the manage story is that we need controls in place to allow who can make changes and what they can change! We trust our team members to want to do the right thing, but we also need guardrails and controls to ensure that they can do so. This means that we need visibility into all changes that occur - treating our infrastructure just like we do our source code in git! Additionally, having the capability and intentionality around fine-grained access controls is critical to make all of our team members successful, provide reliability around our services, and provide confidence for our customers.&lt;/p&gt;
&lt;h2 id="summary"&gt;Summary&lt;/h2&gt;
&lt;p&gt;When we take the ideas of cloud engineering and apply them to our organizations, we can deliver value to our customers and users. We can do this by applying the practices and tools already available to our teams and applying the same principles to our infrastructure and application code. We get increased collaboration capability within our teams, a higher level of trust and confidence in our services and applications, and a better handle on the complexity of the modern cloud. We will explore some specific practices and tools around each of these areas in future posts and how they can be applied to your organization!&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Do you have a great story around your experiences with cloud engineering? We would love to hear it at the upcoming &lt;a href="https://www.pulumi.com/cloud-engineering/"&gt;Cloud Engineering Summit&lt;/a&gt;! &lt;a href="https://sessionize.com/cloud-engineering-summit-hosted-by-pulumi/"&gt;Submit your proposal to the CFP&lt;/a&gt; by July 31st!&lt;/em&gt;&lt;/p&gt;</description><author>Matty Stratton</author><category>cloud-engineering</category></item><item><title>The Past, Present, and Future of Cloud Engineering</title><link>https://www.pulumi.com/blog/future-of-cloud-engineering/</link><pubDate>Thu, 08 Oct 2020 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/future-of-cloud-engineering/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/future-of-cloud-engineering/index.png" /&gt;
&lt;p&gt;All software is cloud software. All modern applications interact with the cloud in some way, whether it&amp;rsquo;s using cloud for storage, compute capabilities, or with rich cloud services for data, AI/ML, and so much more, to deliver amazing new experiences. As a result, all developers today are cloud developers, and infrastructure teams are key to enabling innovation across the entire organization. I had a great time telling this story at the &lt;a href="https://www.youtube.com/playlist?list=PLyy8Vx2ZoWlodkVaCTO3Y-3vya68J2c6y"&gt;Cloud Engineering Summit&lt;/a&gt; today and wanted to take a moment to put pen to paper.&lt;/p&gt;
&lt;h2 id="introduction"&gt;Introduction&lt;/h2&gt;
&lt;p&gt;The cloud is the world&amp;rsquo;s biggest supercomputer. Although the cloud broke our architectures, workflows, and teams, we are now amidst a renaissance of rebuilding new ways to create truly cloud-native applications and experiences.&lt;/p&gt;
&lt;p&gt;We conceived of the Cloud Engineering Summit to celebrate this renaissance. The talks throughout the day explore how we build &lt;em&gt;architectures&lt;/em&gt; and applications. We also explore how to operate those cloud architectures in a team setting through &lt;em&gt;workflows&lt;/em&gt; using automation and processes to build, deploy, and manage those applications and their infrastructure. Finally, &lt;em&gt;teams&lt;/em&gt; are working together more closely and in new ways in order to collaborate to deliver applications and infrastructure across all cloud engineering disciplines.&lt;/p&gt;
&lt;p&gt;This is what we are calling &lt;em&gt;Cloud Engineering&lt;/em&gt;: the next quantum leap in how we build cloud software. Cloud engineering means bringing the cloud closer to application development and infusing its capabilities to create new cloud-enabled experiences. Cloud engineering also means bringing more engineering practices to infrastructure, enabling us to leverage infrastructure as not just code but software. And finally, cloud engineering enables us to unlock collaboration, enabling the entire team to move faster with confidence.&lt;/p&gt;
&lt;h2 id="cloud-engineering-in-practice"&gt;Cloud Engineering in Practice&lt;/h2&gt;
&lt;p&gt;When the cloud came along, our initial approach was to reuse the same application patterns from the Internet 1.0 era, starting with &amp;ldquo;lift and shift&amp;rdquo; and virtual machine-centric architectures. We&amp;rsquo;ve gone through at least two major sea changes since then, including the introduction of containers and serverless architectures, and if we were to start over with a blank slate today, we&amp;rsquo;d surely do things very differently.&lt;/p&gt;
&lt;p&gt;In fact, the cloud effectively broke our existing approaches for architectures, workflows, and teams.&lt;/p&gt;
&lt;p&gt;As the cloud incrementally broke these over the past decade, we invented best practices, tools, and techniques to cope with it. This led to DevOps and a fundamental change to how we worked together to build increasingly cloud-enabled software. DevOps started from a place of collaboration, bringing engineers and operations people closer together and was a very powerful precursor to what is now happening.&lt;/p&gt;
&lt;p&gt;This is where cloud engineering now enters the picture. Instead of being &lt;em&gt;reactionary&lt;/em&gt; to change, we can now &lt;em&gt;proactively&lt;/em&gt; pursue approaches designed for the cloud. Instead of just coping, we can take a step back and reimagine new ways of doing things.&lt;/p&gt;
&lt;p&gt;Cloud engineering takes the best practices from DevOps and extends them. There is no question that DevOps, despite its original intent, ended up more &amp;ldquo;opsy&amp;rdquo; than &amp;ldquo;devvy&amp;rdquo;. With cloud engineering, application developers are now embracing the cloud and infusing cloud capabilities such as microservices and serverless into applications in fundamentally new ways, creating new application experiences for end users.&lt;/p&gt;
&lt;p&gt;And at the same time, infrastructure experts, capabilities, and teams are key to enabling innovation more than ever before. During the cloud era, infrastructure became &lt;em&gt;programmable software&lt;/em&gt;, which allows us to apply all the software engineering practices we know and love to infrastructure, including testing, refactoring, security, continuous delivery, and agile.&lt;/p&gt;
&lt;p&gt;More cloud infrastructure capabilities have moved into application land, while at the same time more application development practices have moved into infrastructure land. What this means is that the whole team is collaborating more closely than ever before. Everyone is empowered to bring their unique skillsets to the table to enable moving faster and deliver amazing software capabilities, regardless of title — developer, DevOps, systems engineer, infrastructure architect, security engineer, etc. This is the modern cloud engineering organization.&lt;/p&gt;
&lt;h3 id="cloud-engineering-architectures"&gt;Cloud Engineering Architectures&lt;/h3&gt;
&lt;p&gt;Infrastructure used to be a tax, and IT a cost center, but cloud infrastructure is increasingly a competitive advantage that can transform entire business models. Just think of the many cloud era companies that are enabling new experiences thanks to the cloud — AirBnB, Amazon, Lyft, Spotify, and others. Zoom experienced a 20x increase in usage when COVID started and, because they architected their application for the cloud, they were able to scale and meet demand. Five to ten years ago, without cloud engineering, that wouldn&amp;rsquo;t have been possible.&lt;/p&gt;
&lt;p&gt;Zoom massively scaling is a great example of the difference between just tossing a traditional application into a virtual machine, versus fully embracing cloud capabilities as a foundational piece of the application&amp;rsquo;s design. The ability to scale up elastically, and pay as you go, is an immense competitive advantage when designing applications to run on the cloud&amp;rsquo;s planet-scale supercomputer.&lt;/p&gt;
&lt;p&gt;This means that cloud infrastructure is a &lt;em&gt;superpower&lt;/em&gt; to be wielded and used for great things, not an afterthought. If only teams can figure out how to harness them, they can accomplish new business outcomes and reshape how applications work.&lt;/p&gt;
&lt;p&gt;Application models have also evolved in ways that enable this new cloud engineering era. In the 2010s, you had XML web services and SOA, which was the precursor to microservices, and now with modern programming languages, the shift to distributed architectures is a lot easier. Asynchronous programming and concurrency models are pervasive on all of our modern languages and frameworks, and we can use those things to build truly distributed applications that are composed of many smaller pieces that communicate asynchronously and can scale on demand.&lt;/p&gt;
&lt;h3 id="cloud-engineering-workflows"&gt;Cloud Engineering Workflows&lt;/h3&gt;
&lt;p&gt;It&amp;rsquo;s not just the application architectures that have changed; the way that we build, secure, test, ship, and manage those applications and their infrastructures have also fundamentally changed. This is what we call &amp;ldquo;workflows&amp;rdquo;: the way in which we operationalize, and often continuously deliver, our cloud applications and infrastructure into our many dev, test, and production environments.&lt;/p&gt;
&lt;p&gt;Infrastructure as code lets us declare infrastructure using &amp;ldquo;code&amp;rdquo; (although, in many cases, code is really just markup or &amp;ldquo;text&amp;rdquo;). We are only just now beginning to apply all the engineering practices that are available to developers when building infrastructure, with technologies like Pulumi that enable infrastructure as &lt;em&gt;software&lt;/em&gt;. This includes leveraging great IDEs and tools, enabling higher levels of productivity. Instead of copying and pasting text, we have real patterns and best practices thanks to sharing and reuse.&lt;/p&gt;
&lt;p&gt;Among the many things the cloud broke is the inner loop development cycle. We&amp;rsquo;re often stepping into and out of our IDE, running command lines, pointing and clicking in the cloud console, and so on. The infrastructure as text world often means finding failures 10 minutes into a deployment, when it&amp;rsquo;s too late, rather than finding errors interactively in your IDE. By embracing &lt;a href="https://www.pulumi.com/what-is/what-is-infrastructure-as-software/"&gt;infrastructure as software&lt;/a&gt;, and the fact that infrastructure is moving closer to application architectures, our inner loop and great productivity is starting to be restored.&lt;/p&gt;
&lt;p&gt;Treating infrastructure as software enables us to test infrastructure before it has been deployed, spin up ephemeral environments to exhaustively validate changes before attempting to deploy them, or even apply advanced forms of testing, such as chaos testing, to ensure applications function properly during a service outage, or fuzz testing, to ensure the application works in the face of randomized changes.&lt;/p&gt;
&lt;p&gt;Security is a also a key cross-cutting concern but is still often overlooked during the inner loop of developing cloud software. The security perimeter for cloud software is no longer the four walls of the data center but has instead moved to software managed networks and firewalls. This changes the threat model and requires that teams adopt zero trust and principle of least privilege approaches, where applications, infrastructure, and team members have the least permissions possible to get the job done, minimizing the blast zone of possible incidents. We must also adopt approaches that ensure software is secure &lt;em&gt;before&lt;/em&gt; deploying, including applying policies that do things like preventing unintended Internet access to services, block S3 buckets and databases open to the Internet, and scan containers for known vulnerabilities.&lt;/p&gt;
&lt;p&gt;Once you&amp;rsquo;ve shipped an application to production, the job has only just begun. Teams must adopt patterns and practices for how to monitor and react to situations that occur in their live environments. That often also includes testing and flighting changes in production. One approach is to adopt an &amp;ldquo;OODA loop&amp;rdquo; like approach, where OODA means Observe, Orient, Decide, Act. This is a decision-making framework that allows for rapid decision making with the context of a situation, and good analogy for how we maintain our cloud applications in the real world. How do we know something is wrong? How do we react? The old model of simply relying on performance counters, such as CPU or memory utilization, and highly structured logging, doesn&amp;rsquo;t really work in the modern cloud era. Instead, teams are adopting observability, and a &amp;ldquo;log everything&amp;rdquo; approach, so that unstructured and semi-structured high-cardinality data is available at all times, enabling us to observe, debug problems in realtime as they occur, and make decisions and act when when things go wrong.&lt;/p&gt;
&lt;p&gt;Continuous delivery is not a new idea, however, teams are now moving beyond just delivering applications towards shipping entire environments, packaging applications and infrastructure together. This enables all of the above practices, including security and testing, to apply to entire cloud application environments. Continuous delivery is also how application and infrastructure teams work more closer together, enabling teams to go from shipping features shipping quarterly, to monthly, to every week, to daily, to shipping features on every Git commit. Delivery and workflow are intertwined, and our cloud engineering brings them even closer together across the entire team.&lt;/p&gt;
&lt;h3 id="cloud-engineering-teams"&gt;Cloud Engineering Teams&lt;/h3&gt;
&lt;p&gt;Cloud engineering teams are &lt;em&gt;empowered&lt;/em&gt;: everybody brings their unique skills, as an expert in their domain, and collaborates to enable 1+1=3 outcomes. Cloud engineering is &lt;em&gt;not&lt;/em&gt; about &amp;ldquo;NoOps&amp;rdquo; or operations being less important than it was before. It is about recognizing that all of these skills are essential and that a cloud engineering team is the composition of all of these skillsets.&lt;/p&gt;
&lt;p&gt;Application developers can focus on what they&amp;rsquo;re great at: architecting, implementing, and delivering new functionality to their application&amp;rsquo;s end users. Developers probably aren&amp;rsquo;t going to want to suddenly go deep in what it takes to create and configure an AWS virtual private cloud, but they sure do want to tap into all of those amazing data and AI/ML services, and bring container and serverless architectures and continuous delivery into the inner loop of how they are building and shipping code. And there&amp;rsquo;s just no way to ignore the runtime environment when it comes to debugging, performance tuning, scaling the application, and observability, just to name a few important facets.&lt;/p&gt;
&lt;p&gt;Infrastructure and DevOps engineers likewise can also focus on what they&amp;rsquo;re great at: building scalable, reliable, and cost-effective foundations that the entire organization runs on. Infrastructure teams can benefit from great productivity wins of great IDEs, tools, and true sharing and reuse of best practices. That&amp;rsquo;s not to say suddenly infrastructure engineers need or want to learn everything there is to know about the latest application frameworks or patterns. But many of the foundations of DevOps, where we apply more software engineering and agile practices to how we ship infrastructure, including test driven infrastructure, have reshaped how infrastructure experts operate.&lt;/p&gt;
&lt;p&gt;Security engineers are also empowered to be part of this entire lifecycle. This ensures that security isn&amp;rsquo;t an afterthought, but instead, that security engineers have all the requisite insertion points into the application and infrastructure architectures and workflows, to ensure that solutions are secure on day one, and stay secure. Security engineering is a central part of how cloud engineering teams operate.&lt;/p&gt;
&lt;p&gt;Finally, all of these modern cloud engineering practices have helped teams to cope in this suddenly all-remote COVID world. By embracing distributed architectures, automated workflows, and multi-faceted teams that collaborate closely, entire businesses have made the shift to all-remote and online collaboration much faster. Those teams practicing cloud engineering have had an easier time reacting to rapid change.&lt;/p&gt;
&lt;h2 id="towards-a-cloud-operating-system"&gt;Towards a Cloud Operating System&lt;/h2&gt;
&lt;p&gt;Today&amp;rsquo;s cloud is comprised of 1,000s of building block services across a landscape of multiple cloud providers. AWS alone offers over 200 of these building blocks, and every SaaS infrastructure provider is part of the picture too. As we have seen above, this offers incredible capability, if teams can only figure out how to harness the power of those building blocks. It&amp;rsquo;s not always easy but the cloud engineering practices above are key to getting started.&lt;/p&gt;
&lt;p&gt;It does beg the question, however: If the cloud is a giant supercomputer, where is its &lt;em&gt;operating system&lt;/em&gt;? When will we go beyond building blocks? In fact, we are well on our way.&lt;/p&gt;
&lt;p&gt;Kubernetes gives us some fundamental operating system-like components — a scheduler, resource model, and a security model, for example — but a complete operating system must go well beyond this, including programming and application models, and many key facets of the cloud, including all those AWS building blocks, still live outside of the Kubernetes cluster (and likely always will).&lt;/p&gt;
&lt;p&gt;What&amp;rsquo;s the &lt;em&gt;user interface&lt;/em&gt; to this giant supercomputer supposed to look like? What&amp;rsquo;s the human experience of using that computer? We&amp;rsquo;ve extended our previous experience from client-server desktop and Internet applications into the cloud, but it&amp;rsquo;s just the start of how we interact with the cloud.&lt;/p&gt;
&lt;p&gt;What does the developer&amp;rsquo;s interface to that supercomputer, the &lt;em&gt;programming model&lt;/em&gt;, look like? For now, YAML and tools like Terraform give us a way to configure the building blocks using low-level markup languages, but we need to go beyond this and leverage all the things we know and love about other operating system programming models. This includes using great languages and runtimes like TypeScript, Python, .NET, and Go. This is the approach we&amp;rsquo;ve taken with Pulumi to start creating richer developer experiences with respect to how we stitch together all those building blocks and build bigger things out of smaller things, but it is still early days here.&lt;/p&gt;
&lt;p&gt;Finally, where is the &lt;em&gt;application model&lt;/em&gt;? How do we reliably and repeatably install, version, secure, work with, and manage these cloud applications? Containers provide a building block for building and deploying applications in the cloud, Helm and ideas like CNAB provide an installation model, but it is a far cry from an &amp;ldquo;AppStore&amp;rdquo; experience that we get on other operating systems. The cloud supercomputer interface is very low-level and bottom-up compared to application models which approach the experience from a top-down perspective.&lt;/p&gt;
&lt;p&gt;Despite the clear gaps, it is clear we&amp;rsquo;ve taken some major steps in the direction of a true cloud operating system.&lt;/p&gt;
&lt;h2 id="the-future-of-cloud-engineering"&gt;The Future of Cloud Engineering&lt;/h2&gt;
&lt;p&gt;As we&amp;rsquo;ve seen, the future of cloud engineering is already here in a very real way. The cloud is being infused into application development, we are increasingly treating cloud infrastructure as software, and teams are embracing new ways of working together.&lt;/p&gt;
&lt;p&gt;We hope you enjoyed learning more about cloud engineering architectures, workflows, and teams. &lt;a href="https://www.youtube.com/watch?v=w6Dj2zf-39M&amp;amp;list=PLyy8Vx2ZoWlodkVaCTO3Y-3vya68J2c6y&amp;amp;index=2"&gt;Watch the Cloud Engineering Summit Keynote here&lt;/a&gt; or check out &lt;a href="hhttps://www.youtube.com/playlist?list=PLyy8Vx2ZoWlodkVaCTO3Y-3vya68J2c6y"&gt;one of the many amazing Cloud Engineering talks now&lt;/a&gt;!&lt;/p&gt;
&lt;p&gt;This event would not have been possible without the participation and support of our top sponsors:&lt;/p&gt;
&lt;div class="flex flex-col md:flex-row md:flex-wrap items-center justify-center"&gt;
&lt;a href="https://about.gitlab.com/"&gt;&lt;img src="gitlab.png" alt="GitLab logo" class="h-16 md:mx-4 my-4"&gt;&lt;/a&gt;
&lt;a href="https://www.jetstack.io/"&gt;&lt;img src="jetstack.png" alt="Jetstack logo" class="h-16 md:mx-4 my-4"&gt;&lt;/a&gt;
&lt;a href="https://aws.amazon.com/"&gt;&lt;img src="aws.png" alt="AWS logo" class="h-16 md:mx-4 my-4"&gt;&lt;/a&gt;
&lt;a href="https://jfrog.com/"&gt;&lt;img src="jfrog.png" alt="JFrog logo" class="h-16 md:mx-4 my-4"&gt;&lt;/a&gt;
&lt;a href="https://chef.io"&gt;&lt;img src="chef.png" alt="Chef logo" class="h-16 md:mx-4 my-4"&gt;&lt;/a&gt;
&lt;a href="https://ns1.com/"&gt;&lt;img src="ns1.png" alt="NS1 logo" class="h-16 md:mx-4 my-4"&gt;&lt;/a&gt;
&lt;/div&gt;</description><author>Joe Duffy</author><category>cloud-engineering</category></item></channel></rss>