Pulumi Release Notes: Pulumi Copilot, Pulumi ESC Versioning, Pulumi ESC SDK, Docker Provider, and more!


What an incredible two months at Pulumi! From the revolutionary AI-powered Pulumi Copilot to robust infrastructure lifecycle management, enhanced Pulumi ESC with versioning and SDKs, and a brand-new Docker Build provider, this release cycle is packed with high-impact features delivered at an unprecedented pace. Ready to see all the details? We’ve got a lot to cover, so let’s jump right into the highlights of this action-packed release.

AI

Pulumi Copilot: The Future of Cloud Infrastructure

Pulumi Copilot is a game-changing conversational AI assistant for Pulumi Cloud, leveraging large language models (LLMs) to simplify and enhance your cloud management experience. Get instant answers about your cloud by querying the state of any resource managed by Pulumi, across all your clouds and accounts. Explore historical data on stacks, projects, deployments, and more, gaining deep insights into your infrastructure. Write and deploy IaC with ease as Pulumi Copilot brings the power of Pulumi AI directly to your fingertips. Gain insights from cloud provider metadata as Pulumi Copilot integrates with AWS, Azure, Kubernetes, and more to provide real-time insights into usage, costs, and your infrastructure.

Pulumi Copilot enforces the same strict identity and RBAC rules as Pulumi Cloud, ensuring data security and privacy for your organization. Try Pulumi Copilot for free! It’s in public beta and available to all Pulumi Cloud organizations. Enable it in your organization settings: Settings > Access Management > Pulumi Copilot. Read the blog post | Explore the docs

Pulumi Cloud

New Infrastructure Lifecycle Management Features

We introduced a wave of new Infrastructure Lifecycle Management capabilities in Pulumi Cloud, building upon the power of Pulumi Deployments, and directly addressing the needs of our customers for robust Day 2 operations and beyond. These new features—Drift Detection and Remediation, Time-to-Live Stacks, and Scheduled Deployments—enhance security, optimize costs, and automate key infrastructure management tasks. We also announced a new Pulumi Deployments Free Tier for all users, providing 3,000 free deployment minutes every month to easily test and use these new features.


Drift Detection and Remediation

Uncontrolled configuration drift can wreak havoc on your cloud environments, leading to security vulnerabilities, compliance violations, costly outages, and wasted resources. Pulumi Cloud’s new Drift Detection and Remediation feature empowers platform teams to maintain complete control over their cloud infrastructure. This feature periodically compares the actual state of cloud resources with the desired state defined in Pulumi programs, identifying any discrepancies. Automatically detect any deviation from your desired state, whether caused by manual edits or external scripts, and receive timely alerts through integrations like Slack and Microsoft Teams. Pulumi Deployments users can enable automatic remediation to correct drift and ensure their infrastructure remains consistent with their code. You can manage Drift Detection and Remediation through the Pulumi Cloud console, the Pulumi CLI, the REST API, or the Pulumi Service Provider. Check out our detailed post.

Time-to-Live Stacks

Creating temporary environments is crucial for running experiments, testing new features, and ensuring that everything works smoothly before going live. However, these environments are often forgotten and left running, consuming resources and adding unnecessary costs. Manually managing these temporary stacks is time-consuming, operationally burdensome, and prone to errors. Pulumi’s Time-to-Live Stacks feature solves this by allowing teams to set a predefined lifespan on any stack. After the specified time, the stack is automatically destroyed, preventing cost overruns and reducing security risks from idle resources. This automated cleanup process ensures cost control, enhances developer enablement, and improves security. Time-to-Live Stacks can be easily managed through the Pulumi Cloud console, REST API, or the Pulumi Service Provider. See our launch blog post.

Scheduled Deployments

We also rolled out Scheduled Deployments, extending the automation capabilities of Drift Detection and Remediation and Time-to-Live Stacks. Scheduled Deployments enable precise automation of cloud operations, allowing users to schedule any Pulumi operation—such as pulumi up, pulumi refresh, pulumi destroy, or pulumi preview—for any stack with Pulumi Deployments. This provides greater flexibility for managing your cloud operations, whether it’s scheduling off-peak deployments, optimizing resource costs, or automating routine infrastructure updates. You can easily set up and manage Scheduled Deployments through the Pulumi Cloud console, REST API, or directly within your code using the Pulumi Service Provider.

Pulumi ESC: New Features to Supercharge Your Secrets and Config Management

We unleashed a wave of powerful new features for Pulumi Environments, Secrets, and Configuration (ESC), taking secrets and configuration management to the next level. Read the blog post to learn more about these enhancements that bring best-in-class software engineering practices to your fingertips, enabling you to manage secrets and configuration complexity at scale across all your cloud applications and infrastructure.

Pulumi ESC Versioning

Pulumi ESC Versioning gives you unprecedented control over your secrets and configuration. Every change is captured in an immutable revision history, allowing you to audit modifications, compare versions, and safely roll back. Assign meaningful tags to revisions (e.g., production, v1.2.1, stable) for easy management, just like Docker tags. When importing an environment, pin it to a specific version using tags or a revision number to prevent automatic propagation of changes from the source. This enables phased rollouts and thorough testing before deploying new configurations. You can also reference specific versions with the esc run command, targeting different environments for different tasks. This granular control minimizes risks, enhances collaboration, and streamlines workflows. Access versioning features through the Pulumi Cloud Console, the ESC CLI, or the ESC REST API.

Pulumi ESC SDK

Pulumi ESC SDKs are now available for Python, TypeScript/JavaScript, and Go, making it easier than ever to harness the power of ESC directly within your applications using your favorite programming languages. The SDKs provide a simple and intuitive programmatic interface to manage your ESC environments, securely access secrets and configurations at runtime, and eliminate the need for hardcoded credentials. This streamlines your development process, enhances security, and promotes best practices for handling sensitive data. Check out our docs.

Pulumi Service Provider for ESC

You can now manage your Pulumi ESC Environments using the powerful Pulumi Service Provider. This means you can define environments, add version tags, and even control access using familiar Infrastructure as Code (IaC) practices, ensuring consistency and repeatability across your deployments. The Pulumi Service Provider empowers you to manage your entire infrastructure and application landscape through a unified approach.

Automation API Support for ESC

We’ve expanded the powerful Pulumi Automation API to include new methods for interacting with Pulumi ESC Environments programmatically. These new methods, addEnvironments(…), listEnvironments(), and removeEnvironment(environment), enable you to seamlessly integrate environment management into your automated workflows and build sophisticated custom tooling. The Automation API provides the building blocks for advanced automation scenarios such as dynamically configuring applications based on environments, managing environment dependencies, and integrating ESC into CI/CD pipelines. Pulumi ESC Automation API capabilities are available for TypeScript/JavaScript, Go, and Python. Check out our blog post for examples.

Pulumi Cloud OIDC Trust Relationship

Pulumi Cloud now supports OpenID Connect (OIDC) Trust Relationships, allowing you to securely integrate Pulumi into any ecosystem that supports OIDC. This feature addresses the “secret zero” challenge by facilitating the exchange of secure platform tokens for short-lived Pulumi tokens, enhancing security and simplifying token management. You can configure trusted OIDC identity providers, such as GitHub, GitLab, or Google Cloud, and set granular policies to control token exchange based on issuer, subject, or additional claims. This integration extends to Kubernetes, enabling pods to authenticate to Pulumi Cloud using OIDC tokens issued by Google Kubernetes Engine (GKE). To further streamline the integration with GitHub Actions, we introduced a new GitHub Action that automates the retrieval of Pulumi access tokens, making it even easier to leverage OIDC for secure authentication within your workflows. Check out our OIDC docs.
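How much a trust policy admits depends on how tightly its issuer, subject, and claim rules are written. The following is an added illustration, not Pulumi's code or policy format: a small model of claim-based policy evaluation over constructed token payloads shaped like GitHub Actions OIDC claims. It assumes the token signature has already been verified; the rule layout, `decide`, and the `example-org` names are hypothetical.

```python
import fnmatch

ISSUER = "https://token.actions.githubusercontent.com"

# Constructed sample claims (already signature-verified in this model).
CLAIMS_MAIN = {
    "iss": ISSUER,
    "sub": "repo:example-org/infra:ref:refs/heads/main",
    "repository_owner": "example-org",
}
CLAIMS_PR = dict(CLAIMS_MAIN, sub="repo:example-org/infra:pull_request")
CLAIMS_OTHER_ISSUER = dict(CLAIMS_MAIN, iss="https://gitlab.com")

# Hypothetical rule layout: a decision plus claim-name -> glob pattern.
PINNED = [{"decision": "allow",
           "claims": {"sub": "repo:example-org/infra:ref:refs/heads/main"}}]
BROAD = [{"decision": "allow", "claims": {"sub": "repo:example-org/*"}}]
BROAD_NO_PR = BROAD + [{"decision": "deny", "claims": {"sub": "*:pull_request"}}]


def rule_matches(rule, claims):
    """A rule matches only if every claim it names is present and fits its pattern."""
    for name, pattern in rule["claims"].items():
        value = claims.get(name)
        if not isinstance(value, str) or not fnmatch.fnmatchcase(value, pattern):
            return False
    return True


def decide(trusted_issuer, rules, claims):
    """Return 'allow' or 'deny'. Deny rules win; no matching rule means deny."""
    if claims.get("iss") != trusted_issuer:
        return "deny"  # token was not minted by the configured issuer
    decision = "deny"
    for rule in rules:
        if rule_matches(rule, claims):
            if rule["decision"] == "deny":
                return "deny"
            decision = "allow"
    return decision


if __name__ == "__main__":
    for label, rules in (("pinned", PINNED), ("broad", BROAD), ("broad+deny", BROAD_NO_PR)):
        print(label, decide(ISSUER, rules, CLAIMS_MAIN), decide(ISSUER, rules, CLAIMS_PR))
```

The wildcard subject accepts the pull-request token that the pinned subject rejects, which is the difference to review for when a policy grants token exchange to a whole organization rather than one repository and ref.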

New Project Wizard Enhancements

We enhanced the New Project Wizard in Pulumi Cloud to streamline developer workflows and give platform teams more control over deployments. You can now configure the Developer Portal Gallery to exclusively display organization-specific templates, ensuring developers only use approved configurations. This simplifies template discovery and selection, reinforcing governance and compliance across development projects. We also streamlined project creation by introducing default repository locations and auto-generated project names, eliminating manual steps and potential naming conflicts. Read the New Project Wizard updates blog post for more details.

Core

Continue On Error in the Pulumi CLI

Pulumi now offers more control over error handling during deployments with the new --continue-on-error flag for pulumi up and pulumi destroy. When managing complex infrastructure with Pulumi, deployments can involve a large number of concurrent resource operations. Previously, if an error occurred during a deployment, Pulumi would stop all new operations to prevent potential cascading failures. While this approach is often desirable, there are cases where you might want to continue updating or destroying resources that are independent of the failed resource. The --continue-on-error flag enables this behavior, allowing deployments to proceed even in the presence of errors, while still respecting resource dependencies. This can be especially useful when destroying resources, as it allows you to clean up as much infrastructure as possible. Read the blog post for more details.
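To see what a partial destroy leaves behind, the following added example (not Pulumi's engine code) models a destroy as a sequential walk over a constructed dependency graph, with and without continuing after an error. It assumes that a resource which fails to delete keeps everything it depends on alive; the resource names and `simulate_destroy` are hypothetical.

```python
# Constructed stack: each resource lists the resources it depends on.
DEPENDS_ON = {
    "bucket": [],
    "bucket-policy": ["bucket"],
    "vpc": [],
    "subnet": ["vpc"],
    "db": ["subnet"],
}


def destroy_order(depends_on):
    """Dependents first: a resource is deleted only after whatever depends on it."""
    order, seen = [], set()

    def visit(name):
        if name in seen:
            return
        seen.add(name)
        for dep in depends_on[name]:
            visit(dep)
        order.append(name)  # dependencies land first (creation order)

    for name in depends_on:
        visit(name)
    return order[::-1]  # reverse creation order for destroy


def simulate_destroy(depends_on, failing, continue_on_error):
    """Return (deleted, failed, left_behind) for this sequential model."""
    deleted, failed, left = [], [], []
    blocked = set()  # still needed by something that could not be deleted
    stopped = False
    for name in destroy_order(depends_on):
        if stopped or name in blocked:
            left.append(name)
            blocked.update(depends_on[name])
        elif name in failing:
            failed.append(name)
            blocked.update(depends_on[name])
            stopped = not continue_on_error
        else:
            deleted.append(name)
    return deleted, failed, left


if __name__ == "__main__":
    print(simulate_destroy(DEPENDS_ON, {"db"}, continue_on_error=False))
    print(simulate_destroy(DEPENDS_ON, {"db"}, continue_on_error=True))
```

In both runs the failed resource and its dependency chain remain deployed, so the output of a partial destroy is the list to reconcile before treating an environment as torn down.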

Run Pulumi with Any TypeScript Version

Previously, Pulumi’s seamless TypeScript experience was limited to version 3.8, requiring manual build steps for newer versions. But now, with the release of the Pulumi Node.js SDK 3.113.0, you can use any TypeScript version 3.8 or later, including the latest TypeScript 5.4, by simply adding it as a dependency in your project’s package.json file. Pulumi will automatically use the specified version for compilation, unlocking access to the newest TypeScript features and improved type checking. Read the blog post for a detailed example and instructions on upgrading your projects.

Providers and Packages

Next-Generation Docker Image Builds with Pulumi

Pulumi introduces the new Docker Build provider, a dedicated package designed to modernize and streamline Docker image builds directly from your Pulumi programs. The new provider exposes Docker’s next-generation buildx interface, unlocking advanced features such as multi-platform image support, advanced caching mechanisms, built-in support for build secrets, and seamless integration with Docker Build Cloud. This unlocks powerful scenarios, including building multi-architecture images and optimizing build performance with various cache backends. Read the blog post for detailed examples and migration guides.

Using Pulumi with Azure Deployment Environments

Pulumi now supports authoring Azure Deployment Environments (ADE) environment definitions, empowering developers to self-serve the application infrastructure they need while maintaining centralized management and governance. This integration allows you to leverage Pulumi’s familiar programming model and the full power of its Infrastructure as Code (IaC) platform to define and manage Azure resources within ADE environments. You can define ADE environments using a simple YAML configuration file that references a Pulumi program written in any of Pulumi’s supported languages, including C#, TypeScript, Python, Go, and YAML. Leveraging a dedicated Pulumi Docker image, ADE seamlessly executes the selected Pulumi program, provisioning the defined Azure resources. This streamlines the creation of new environments, enhances developer productivity, and ensures consistency and compliance with organizational standards. Read the blog post for a detailed walkthrough and examples.

Helm Chart v4 Resource

Pulumi introduces a new and improved Helm Chart v4 resource (kubernetes.helm.sh/v4.Chart) in the Pulumi Kubernetes provider, offering enhanced functionality and a more streamlined experience for deploying Helm charts. A key improvement in v4 is expanded language support. Previous versions of the Chart resource were implemented separately for each Pulumi SDK, leading to inconsistencies and limited language compatibility. The new Chart v4 resource ensures consistent behavior and functionality across all Pulumi SDKs, including Python, TypeScript/JavaScript, Go, C#, Java, and YAML. Other notable enhancements include full OCI registry support, improved handling of chart values, better connectivity for cluster interactions, and improved resource ordering. Read the blog post for a detailed overview, examples, and migration guidance.

New Provider Resources

We have added 121 functions and 159 resources across our most popular providers, along with many more throughout our ecosystem. We also welcome our new community provider resource: Genesis Cloud.


Wrap up

Phew, that’s a lot! We’ve packed this release with features to empower you to build and manage modern cloud infrastructure and applications with greater efficiency, control, and confidence. Explore all the new capabilities and share your feedback – we’re always listening! Open an issue in the Pulumi Cloud requests repository or the pulumi/pulumi repository for anything CLI-related. Stay tuned for more exciting updates!