Jan. releases: Pulumi Packages support for plugins hosted anywhere and Pulumi Service 3rd party audit for secrets decryption


Over the holidays we have been releasing new features and improvements. Read on to learn about what’s new in this release!

Cloud Providers and Packages

New Command package

As part of creating or updating infrastructure, it is often necessary to run scripts and/or commands. In order to improve this experience we released a new Pulumi Command package in the Pulumi Registry which enables users to run scripts locally or remotely on a target VM as part of the Pulumi resource lifecycle.

This new package is supported in all Pulumi languages.

The Command package supports quite a few common patterns involving local and remote script execution, such as:

Learn more in the Command package GitHub issue

Support pulumi import for Kubernetes CRDs

We have added pulumi import support for Kubernetes CustomResourceDefinition (CRD). Now the spec of a CRD will be imported during pulumi import. The same fix improves input generation for other Kubernetes resources as well, providing significantly better fidelity in covering inputs for existing resources.

Learn more in this GitHub issue.

Various improvements to Helm Release

This milestone we spent some time making improvements to the Helm Release support. Of particular note are the ability to import existing Helm releases installed via the Helm command line into Pulumi and the ability to supply Helm values through YAML files. In addition, we have made a variety of bug fixes this iteration to make Helm Release a more robust option to use for your Kubernetes environment.

Learn more in these GitHub issues:

Pulumi CLI and core technologies

Support using native ES modules as Pulumi scripts

Native ECMAScript module (ESM) support has been added for the Node.js SDK. Pulumi users can now use Pulumi in projects with "type": "module" configured. In addition, we can now support top-level await in Node.js within Pulumi programs.

Learn more in these GitHub issues:

Support packages with plugins hosted in any third-party location

Pulumi Packages can now host their plugins anywhere (like GitHub releases) instead of needing to be published by Pulumi. We now detect any dependency that contains pulumi-plugin.json and treat it as a Pulumi Package, automatically downloading associated plugins as needed. To support this, the freshly generated Multi-Language Component (MLC) plugin will now include pulumi-plugin.json by default.
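Because any dependency containing pulumi-plugin.json now triggers an automatic plugin download, it is worth inventorying those manifests before running a deployment. The script below is an added example, not Pulumi's own code: it walks a dependency tree, finds every pulumi-plugin.json, and checks the declared download server against a team allow-list. The `name`, `version` and `server` field names, the sample packages and the example.com hosts are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample manifests (not real packages); field names are assumptions.
SAMPLE = {
    "node_modules/@acme/pulumi-net": {"resource": True, "name": "net", "version": "1.2.0",
                                      "server": "https://plugins.example.com/net"},
    "node_modules/pulumi-widgets": {"resource": True, "name": "widgets", "version": "0.3.1",
                                    "server": "http://downloads.example.net/widgets"},
    "node_modules/pulumi-core-like": {"resource": True, "name": "corelike", "version": "2.0.0"},
}


def write_sample(root):
    """Lay the constructed manifests out under root as a dependency tree."""
    for rel, meta in SAMPLE.items():
        pkg = Path(root, rel)
        pkg.mkdir(parents=True)
        (pkg / "pulumi-plugin.json").write_text(json.dumps(meta), encoding="utf-8")
    broken = Path(root, "node_modules/broken")
    broken.mkdir(parents=True)
    (broken / "pulumi-plugin.json").write_text("{not json", encoding="utf-8")


def audit_plugins(root, allowed_hosts):
    """Map each dependency shipping pulumi-plugin.json to (verdict, server)."""
    report = {}
    for manifest in sorted(Path(root).rglob("pulumi-plugin.json")):
        pkg = manifest.parent.relative_to(root).as_posix()
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            server = meta.get("server")
        except (OSError, ValueError, AttributeError):
            report[pkg] = ("unparseable", None)  # review by hand; do not assume benign
            continue
        if not server:
            report[pkg] = ("no-server-field", None)  # source not declared in the manifest
            continue
        url = urlparse(str(server))
        # Team policy assumed here: HTTPS only, and the host must be allow-listed.
        ok = url.scheme == "https" and url.hostname in allowed_hosts
        report[pkg] = ("approved" if ok else "review", str(server))
    return report


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        for pkg, (verdict, server) in audit_plugins(tmp, {"plugins.example.com"}).items():
            print(f"{verdict:16} {pkg} {server or ''}")
```

Run against a real project, `audit_plugins` takes the project's dependency directory and the set of hosts your team has approved; anything not marked `approved` deserves a look before the plugin is allowed to download.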

Learn more in the following GitHub issues:

State locking default enabled

We previously added support for self-managed backend state locking behind the PULUMI_SELF_MANAGED_STATE_LOCKING=1 flag. After positive feedback from users on this feature, we are making this the default when using a local or cloud backend such as Amazon S3, Google Cloud Storage and Azure Blob Storage.

Learn more in this GitHub issue.

Pulumi Service & Pulumi.com

Audit logging for third-party secrets managers

Previously, secret decryption Audit Log events were logged only for users of the Pulumi Service secrets provider. Now users who use the Pulumi Service for their state but a third-party secrets provider (AWS KMS, Azure KeyVault, HashiCorp Vault, etc.) will also have a log of these events.

Learn more in this GitHub issue.