<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0"><channel><title>Pulumi Blog: Things You Can Do With Neo</title><link>https://www.pulumi.com/blog/series/neo-things/</link><description>Pulumi blog posts: Things You Can Do With Neo.</description><language>en-us</language><pubDate>Tue, 19 May 2026 05:00:00 -0700</pubDate><item><title>Ten More Things You Can Do With Pulumi Neo</title><link>https://www.pulumi.com/blog/10-more-things-you-can-do-with-neo/</link><pubDate>Tue, 19 May 2026 05:00:00 -0700</pubDate><guid>https://www.pulumi.com/blog/10-more-things-you-can-do-with-neo/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/10-more-things-you-can-do-with-neo/index.png" /&gt;
&lt;p&gt;Last fall, after launching &lt;a href="https://www.pulumi.com/neo/"&gt;Pulumi Neo&lt;/a&gt;, we wrote up &lt;a href="https://www.pulumi.com/blog/10-things-you-can-do-with-neo/"&gt;10 things you could do with it&lt;/a&gt;. In the months that followed, as platform teams handed Neo more real work, we watched and listened, shipping a steady stream of features like &lt;a href="https://www.pulumi.com/blog/neo-plan-mode/"&gt;plan mode&lt;/a&gt;, &lt;a href="https://www.pulumi.com/blog/neo-read-only-mode/"&gt;read-only mode&lt;/a&gt;, &lt;a href="https://www.pulumi.com/blog/pulumi-neo-now-supports-agentsmd/"&gt;AGENTS.md&lt;/a&gt;, an &lt;a href="https://www.pulumi.com/blog/neo-integration-catalog/"&gt;integration catalog&lt;/a&gt;, &lt;a href="https://www.pulumi.com/blog/neo-migration/"&gt;cross-cloud migration&lt;/a&gt;, and &lt;a href="https://www.pulumi.com/blog/neo-task-sharing/"&gt;task sharing&lt;/a&gt;. With &lt;a href="https://www.pulumi.com/releases/agentic-infrastructure-era/"&gt;today&amp;rsquo;s release&lt;/a&gt;, Neo extends beyond the Pulumi Cloud console into the Pulumi CLI, GitHub, and Slack.&lt;/p&gt;
&lt;p&gt;So here are &lt;strong&gt;10 more&lt;/strong&gt; things you can do with Neo.&lt;/p&gt;
&lt;h2 id="1-deploy-your-app-to-aws-without-writing-iac"&gt;1. Deploy your app to AWS without writing IaC&lt;/h2&gt;
&lt;p&gt;&lt;em&gt;Hand Neo a repo. Neo picks the right services — ECS, AWS Fargate, ALB — writes the Pulumi, and opens a PR.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The cloud infrastructure part of getting a new service running, especially one in a new language, is always a few hours of boilerplate: a VPC and subnets, an IAM role, security groups, a load balancer, DNS, and a TLS cert.&lt;/p&gt;
&lt;p&gt;With Neo, that work collapses into a prompt. Point Neo at a repo and ask:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Deploy this app to AWS as a publicly accessible service.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;a href="https://www.pulumi.com/blog/neo-plan-mode/"&gt;Plan mode&lt;/a&gt; comes back with the resources Neo will create, named and sized: ECS running on AWS Fargate, an ALB, and the VPC wiring. Approve, and Neo writes the Pulumi program, runs a preview, and opens a PR. You, the human in the loop, merge it after review.&lt;/p&gt;
&lt;p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Neo deploying an app to AWS: prompt, plan mode, PR, public URL"
autoplay muted playsinline
loop &gt;
&lt;source src="deploy-to-aws2.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;figcaption&gt;
&lt;center&gt;
&lt;i&gt;
Neo planning a PR and deploying an app to AWS.
&lt;/i&gt;
&lt;/center&gt;
&lt;/figcaption&gt;
&lt;/p&gt;
&lt;a href="https://app.pulumi.com/neo?prompt=I%27d&amp;#43;like&amp;#43;to&amp;#43;deploy&amp;#43;this&amp;#43;app&amp;#43;to&amp;#43;AWS.&amp;#43;Confirm&amp;#43;what&amp;#43;you%27ll&amp;#43;create." class="neo-card"&gt;
&lt;div class="neo-card-content"&gt;
&lt;div class="neo-card-icon"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--regular" fill="currentColor" role="img" aria-label="Pulumi Neo AI icon"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#c-pulumi-neo-regular"/&gt;&lt;/svg&gt;
&lt;/div&gt;
&lt;div class="neo-card-text"&gt;
&lt;span class="neo-card-subtitle"&gt;Start a Neo task&lt;/span&gt;
&lt;span class="neo-card-title"&gt;Ask Neo to deploy your app to AWS and make a PR&lt;/span&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="neo-card-arrow"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--bold" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-caret-right-bold"/&gt;&lt;/svg&gt;
&lt;/div&gt;
&lt;/a&gt;
&lt;h2 id="2-diagnose-a-slow-api-from-metrics-logs-and-code"&gt;2. Diagnose a slow API from metrics, logs, and code&lt;/h2&gt;
&lt;p&gt;&lt;em&gt;Slow endpoints live at the seam between runtime metrics and the stack that runs them. Neo reads both and proposes a fix with the metric evidence as the rationale.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Production incidents often involve multiple tools. When the &lt;code&gt;checkout&lt;/code&gt; endpoint&amp;rsquo;s p95 latency climbs from 200ms to 1.2s, the metric is in Datadog, but the cause might be somewhere in your AWS account: maybe RDS is out of IOPS, maybe the connection pool is too small, maybe the autoscaler isn&amp;rsquo;t keeping up. Connecting &amp;ldquo;this metric looks bad&amp;rdquo; to a recent backend change and then to a one-line fix in your Pulumi program is an exercise in detective work.&lt;/p&gt;
&lt;p&gt;Neo&amp;rsquo;s &lt;a href="https://www.pulumi.com/blog/neo-integration-catalog/"&gt;integration catalog&lt;/a&gt; bridges this gap. With built-in Datadog APM, PagerDuty, and Honeycomb integrations sitting alongside your Pulumi state, Neo can read traces and metrics from the tools your team already uses and take action.&lt;/p&gt;
&lt;p&gt;Ask Neo:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Find the scaling bottleneck on &lt;code&gt;/checkout&lt;/code&gt; from the last 7 days of metrics and propose a fix.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Neo pulls the metric history, matches the Datadog tag &lt;code&gt;db.cluster=checkout-rds&lt;/code&gt; to the RDS instance in your &lt;code&gt;prod-checkout&lt;/code&gt; Pulumi stack, and opens a PR with a Pulumi diff that bumps the storage IOPS and raises the connection-pool ceiling. You review and roll out the fix.&lt;/p&gt;
&lt;p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Enabling the Honeycomb integration in Neo"
autoplay muted playsinline
loop &gt;
&lt;source src="honey-comb.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;figcaption&gt;
&lt;center&gt;
&lt;i&gt;
Toggle on the Honeycomb integration so Neo can read traces and metrics alongside your Pulumi stacks.
&lt;/i&gt;
&lt;/center&gt;
&lt;/figcaption&gt;
&lt;/p&gt;
&lt;h2 id="3-automate-pagerduty-incident-response-from-slack"&gt;3. Automate PagerDuty incident response from Slack&lt;/h2&gt;
&lt;p&gt;&lt;em&gt;A page comes in. You paste it into your on-call channel and tag Neo, and Neo replies with the cross-system view you&amp;rsquo;d otherwise spend the first 20 minutes assembling.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;On-call triage is often about getting up to speed quickly. You get paged because something is in the red, and you don&amp;rsquo;t know why.&lt;/p&gt;
&lt;p&gt;You mention Neo in the on-call Slack channel:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;@neo, what&amp;rsquo;s going on with this alert?&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Neo starts querying metrics and traces. With PagerDuty and Datadog in the integration catalog, it correlates the alert with every deploy and stack change tagged with the alert&amp;rsquo;s service in the last hour, and finds the change that lines up:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Two deploys in the last hour touched services tagged &lt;code&gt;service:checkout&lt;/code&gt;: &lt;code&gt;checkout-api@a3f9c2&lt;/code&gt; (12 min ago, app-layer deploy) and Pulumi stack &lt;code&gt;prod-checkout-rds&lt;/code&gt; (45 min ago, decreased &lt;code&gt;max_connections&lt;/code&gt; from 200 → 100). p99 latency inflection at 14:03 lines up with the stack change. Likely cause: the connection-pool reduction is starving the API under current load.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;You ask a couple of clarifying questions in-thread, then ask Neo to open a rollback PR against the Pulumi stack.&lt;/p&gt;
&lt;p&gt;&lt;img src="neo-integration-catalog.png" alt="Neo Settings → Integrations page: six integrations available with Authorize buttons for Atlassian, Datadog, Honeycomb, Linear, PagerDuty, and Supabase"&gt;
&lt;figcaption&gt;
&lt;center&gt;
&lt;i&gt;
Authorize PagerDuty and Datadog in Neo's settings. Neo can then read alerts in your on-call Slack channel, find the change that correlates, and open a PR when you ask.
&lt;/i&gt;
&lt;/center&gt;
&lt;/figcaption&gt;
&lt;/p&gt;
&lt;h2 id="4-implement-a-jira-or-linear-ticket-end-to-end"&gt;4. Implement a Jira or Linear ticket end-to-end&lt;/h2&gt;
&lt;p&gt;&lt;em&gt;Hand Neo a ticket number from Linear, Jira, or GitHub Issues. Neo reads the description and acceptance criteria, plans against your stack, and opens a PR.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Tickets often pile up not because they&amp;rsquo;re unimportant, but because they&amp;rsquo;re not urgent. Ongoing maintenance quietly accumulates. Bumping a provider version, centralizing secret management, working through small policy violations: each one matters, but none of them ever moves to the top of the queue. Explaining each one to an agent is its own overhead.&lt;/p&gt;
&lt;p&gt;The fix is letting Neo read the ticket itself. Connect Linear integration or Jira automation through the integration catalog (GitHub Issues works too), and Neo pulls the ticket the same way an engineer would: title, description, acceptance criteria.&lt;/p&gt;
&lt;p&gt;Ask Neo:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Implement CAD-1234 in our payments stack.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Neo reads the ticket, plans against your existing stack, opens a PR, and drops a comment back on the ticket. The ticket and the PR end up linked, and your backlog shrinks.&lt;/p&gt;
&lt;p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Neo running locally in the Pulumi CLI: fielding a Linear issue, analyzing the codebase, and producing a PR that upgrades multiple projects to the latest Pulumi and AWS provider versions"
autoplay muted playsinline
loop &gt;
&lt;source src="neo-linear.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;figcaption&gt;
&lt;center&gt;
&lt;i&gt;
Neo running locally in the Pulumi CLI: fielding a Linear issue, analyzing the codebase, and producing a PR that upgrades multiple projects to the latest Pulumi and AWS provider versions.
&lt;/i&gt;
&lt;/center&gt;
&lt;/figcaption&gt;
&lt;/p&gt;
&lt;a href="https://app.pulumi.com/neo?prompt=I%27d&amp;#43;like&amp;#43;to&amp;#43;implement&amp;#43;a&amp;#43;ticket&amp;#43;from&amp;#43;Linear&amp;#43;%28or&amp;#43;Jira%2C&amp;#43;or&amp;#43;GitHub&amp;#43;Issues%29.&amp;#43;Ask&amp;#43;me&amp;#43;for&amp;#43;the&amp;#43;ticket&amp;#43;number." class="neo-card"&gt;
&lt;div class="neo-card-content"&gt;
&lt;div class="neo-card-icon"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--regular" fill="currentColor" role="img" aria-label="Pulumi Neo AI icon"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#c-pulumi-neo-regular"/&gt;&lt;/svg&gt;
&lt;/div&gt;
&lt;div class="neo-card-text"&gt;
&lt;span class="neo-card-subtitle"&gt;Start a Neo task&lt;/span&gt;
&lt;span class="neo-card-title"&gt;Implement a Linear ticket end-to-end&lt;/span&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="neo-card-arrow"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--bold" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-caret-right-bold"/&gt;&lt;/svg&gt;
&lt;/div&gt;
&lt;/a&gt;
&lt;h2 id="5-audit-and-tighten-over-privileged-iam-roles"&gt;5. Audit and tighten over-privileged IAM roles&lt;/h2&gt;
&lt;p&gt;&lt;em&gt;Neo audits each role against what your stack code actually does, and proposes scoped policies that improve your security posture.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;IAM cleanup is the kind of work nobody has the time to prioritize. Production has 40 roles. Half of them started with &lt;code&gt;s3:*&lt;/code&gt; because nobody had time to scope them, and the cleanup slips quarter to quarter.&lt;/p&gt;
&lt;p&gt;Ask Neo:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Audit IAM permissions across my accounts and propose narrower policies for over-privileged stack-managed roles.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Neo cross-references each role&amp;rsquo;s policy against what the stack code actually calls, and opens a PR per role. The PR body lists the API calls Neo found in the stack code, like &lt;code&gt;s3:GetObject&lt;/code&gt; on &lt;code&gt;audit-logs-*&lt;/code&gt; and &lt;code&gt;s3:PutObject&lt;/code&gt; on &lt;code&gt;audit-logs-staging&lt;/code&gt;, as the justification for the scoped policy. The evidence sits next to the diff.&lt;/p&gt;
&lt;p&gt;If you&amp;rsquo;re unclear about which roles count as in-scope or what your team considers over-privileged, start in &lt;a href="https://www.pulumi.com/blog/neo-plan-mode/"&gt;plan mode&lt;/a&gt; and agree on that with Neo first.&lt;/p&gt;
&lt;p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Neo auditing IAM and proposing narrower policies"
autoplay muted playsinline
loop &gt;
&lt;source src="iam-narrow.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;figcaption&gt;
&lt;center&gt;
&lt;i&gt;
Neo auditing an over-privileged IAM role and proposing a narrower policy, with the actually-used permissions as evidence.
&lt;/i&gt;
&lt;/center&gt;
&lt;/figcaption&gt;
&lt;/p&gt;
&lt;a href="https://app.pulumi.com/neo?prompt=Audit&amp;#43;IAM&amp;#43;permissions&amp;#43;across&amp;#43;my&amp;#43;accounts&amp;#43;and&amp;#43;propose&amp;#43;narrower&amp;#43;policies&amp;#43;for&amp;#43;over-privileged&amp;#43;stack-managed&amp;#43;roles." class="neo-card"&gt;
&lt;div class="neo-card-content"&gt;
&lt;div class="neo-card-icon"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--regular" fill="currentColor" role="img" aria-label="Pulumi Neo AI icon"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#c-pulumi-neo-regular"/&gt;&lt;/svg&gt;
&lt;/div&gt;
&lt;div class="neo-card-text"&gt;
&lt;span class="neo-card-subtitle"&gt;Start a Neo task&lt;/span&gt;
&lt;span class="neo-card-title"&gt;Audit IAM and tighten over-privileged roles&lt;/span&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="neo-card-arrow"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--bold" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-caret-right-bold"/&gt;&lt;/svg&gt;
&lt;/div&gt;
&lt;/a&gt;
&lt;h2 id="6-migrate-from-aws-cdk-onto-your-platforms-golden-paths"&gt;6. Migrate from AWS CDK onto your platform&amp;rsquo;s golden paths&lt;/h2&gt;
&lt;p&gt;&lt;em&gt;Neo reads your existing AWS CDK app and lands a PR that swaps AWS&amp;rsquo;s defaults for your team&amp;rsquo;s published components.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;CDK&amp;rsquo;s L2 constructs encode AWS&amp;rsquo;s defaults. &lt;code&gt;s3.Bucket&lt;/code&gt; with &lt;code&gt;encryption: BucketEncryption.S3_MANAGED&lt;/code&gt; is a sane choice, but it&amp;rsquo;s AWS&amp;rsquo;s idea of sane, not yours. A platform team that&amp;rsquo;s published its own components to the &lt;a href="https://www.pulumi.com/docs/idp/concepts/private-registry/"&gt;Pulumi Private Registry&lt;/a&gt; has already decided what &lt;em&gt;your&lt;/em&gt; bucket defaults look like: encryption with the right KMS key, tagging by cost center.&lt;/p&gt;
&lt;p&gt;Ask Neo:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Migrate the &lt;code&gt;payments-vpc&lt;/code&gt; CDK stack to Pulumi using our published components.&lt;sup id="fnref:1"&gt;&lt;a href="#fn:1" class="footnote-ref" role="doc-noteref"&gt;1&lt;/a&gt;&lt;/sup&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Neo reads the source CDK app and your registry side by side. It maps each CDK construct to its closest team-published equivalent, clarifying with you where the mapping is ambiguous.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-typescript" data-lang="typescript"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;// Before (AWS CDK, AWS&amp;#39;s defaults)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;bucket&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nx"&gt;s3&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Bucket&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="k"&gt;this&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;Assets&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;bucketName&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;payments-assets&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;encryption&lt;/span&gt;: &lt;span class="kt"&gt;s3.BucketEncryption.S3_MANAGED&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;versioned&lt;/span&gt;: &lt;span class="kt"&gt;true&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;});&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-typescript" data-lang="typescript"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;// After (Pulumi, your team&amp;#39;s published component)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kr"&gt;import&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="kr"&gt;as&lt;/span&gt; &lt;span class="nx"&gt;platform&lt;/span&gt; &lt;span class="kr"&gt;from&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;@payments/platform&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;bucket&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nx"&gt;platform&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Bucket&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;assets&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;bucketName&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;payments-assets&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;classification&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;internal&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;});&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;a href="https://app.pulumi.com/neo?prompt=I%27d&amp;#43;like&amp;#43;to&amp;#43;migrate&amp;#43;this&amp;#43;CDK&amp;#43;stack&amp;#43;to&amp;#43;Pulumi.&amp;#43;Use&amp;#43;our&amp;#43;published&amp;#43;components&amp;#43;where&amp;#43;you&amp;#43;can." class="neo-card"&gt;
&lt;div class="neo-card-content"&gt;
&lt;div class="neo-card-icon"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--regular" fill="currentColor" role="img" aria-label="Pulumi Neo AI icon"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#c-pulumi-neo-regular"/&gt;&lt;/svg&gt;
&lt;/div&gt;
&lt;div class="neo-card-text"&gt;
&lt;span class="neo-card-subtitle"&gt;Start a Neo task&lt;/span&gt;
&lt;span class="neo-card-title"&gt;Migrate CDK onto your golden paths&lt;/span&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="neo-card-arrow"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--bold" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-caret-right-bold"/&gt;&lt;/svg&gt;
&lt;/div&gt;
&lt;/a&gt;
&lt;p&gt;Neo handles &lt;a href="https://www.pulumi.com/blog/neo-migration/"&gt;Terraform and Azure ARM migrations&lt;/a&gt; the same way.&lt;/p&gt;
&lt;h2 id="7-containerize-a-service-and-migrate-it-to-kubernetes-from-a-runbook"&gt;7. Containerize a service and migrate it to Kubernetes from a runbook&lt;/h2&gt;
&lt;p&gt;&lt;em&gt;Write the containerization pattern down once. Every service after that is a prompt away.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Containerizing an application and moving it to Kubernetes involves several small decisions: which Docker image, what labels go on deployments, how ingress is wired, and how secrets reach the pod. But after a team has moved two or three services, the pattern is set. The decisions get written down in a runbook, and every subsequent migration is mostly the same shape.&lt;/p&gt;
&lt;p&gt;Ask Neo:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Containerize the &lt;code&gt;billing-api&lt;/code&gt; service and write its Kubernetes manifests, following our K8s migration runbook in Confluence.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Neo reads the source repo and the runbook in Confluence via the &lt;a href="https://www.pulumi.com/blog/neo-integration-catalog/"&gt;integration catalog&lt;/a&gt; and starts working on your request.&lt;/p&gt;
&lt;p&gt;You can save this as a Neo skill that splits the work into multiple PRs — Dockerfile first, ECR config next, Deployment/Service/Ingress manifests after — and link back to each runbook convention for ease of review. The output reflects your conventions: the labels you actually use, the ingress class you&amp;rsquo;ve standardized on, and the External Secrets Operator config your team prefers.&lt;/p&gt;
&lt;p&gt;You&amp;rsquo;re still the one reviewing the PRs and deciding what the cutover looks like in production. Neo follows your internal standards, so the new service ends up shaped like the last one you migrated.&lt;/p&gt;
&lt;p&gt;&lt;img src="neo-migration-prs.png" alt="Five GitHub PRs in a row, one per migration step (Dockerfile, Deployment, Service+Ingress, ExternalSecret, HPA+PDB), each citing the runbook section it implements"&gt;
&lt;figcaption&gt;
&lt;center&gt;
&lt;i&gt;
Neo migrating a VM-based service to Kubernetes step by step, following the team's Confluence runbook.
&lt;/i&gt;
&lt;/center&gt;
&lt;/figcaption&gt;
&lt;/p&gt;
&lt;p&gt;Once you&amp;rsquo;ve delegated something a few times, the next move is to automate it. The remaining three tasks are the kind Neo doesn&amp;rsquo;t need to be asked for. Drift, deps, compliance: they&amp;rsquo;re the operations you put on a schedule via &lt;a href="https://www.pulumi.com/blog/neo-automations/"&gt;Neo Automations&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id="8-schedule-daily-configuration-drift-detection-across-your-cloud-infrastructure"&gt;8. Schedule daily configuration drift detection across your cloud infrastructure&lt;/h2&gt;
&lt;p&gt;&lt;em&gt;Schedule a daily drift check across your cloud. Wake up to PRs that fix what changed overnight.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Configuration drift is an ongoing challenge. The security team rotated an IAM role at 04:47 UTC. Someone changed a security group in the AWS console three weeks ago. Left alone, drift turns into security gaps, into compliance issues, and into the kind of &amp;ldquo;wait, who changed that?&amp;rdquo; confusion nobody wants to chase down.&lt;/p&gt;
&lt;p&gt;Pulumi Cloud is already good at configuration drift detection. Neo takes it a step further.&lt;/p&gt;
&lt;p&gt;Ask Neo:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Every morning at 6 AM, check all production infrastructure for drift and create PRs to fix any issues you find.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;From then on, the task runs on its own, and you wake up to a PR per drifted resource. The description spells out what happened (&lt;code&gt;iam_role.audit-reader&lt;/code&gt; had inline policy &lt;code&gt;AllowReadAuditLogs&lt;/code&gt; added at 04:47 UTC) and cites the section of &lt;code&gt;infra/runbooks/drift.md&lt;/code&gt; Neo followed.&lt;/p&gt;
&lt;p&gt;Some drift gets encoded into the Pulumi program, like the IAM rotation above. Some gets reverted, like the security group rule added from the console. Some gets ignored entirely, like autoscaler-managed Lambda concurrency reservations the runbook tells Neo to skip. You write the runbook once; Neo follows it every morning to decide what to do.&lt;/p&gt;
&lt;p&gt;&lt;img src="neo-drift-pr.png" alt="Neo&amp;rsquo;s morning drift PR: encodes a security-team IAM rotation into the prod-audit stack, citing the runbook section that says to accept and encode the change"&gt;
&lt;figcaption&gt;
&lt;center&gt;
&lt;i&gt;
Neo's morning drift PR. The body names the resource, the change, when it happened, and the section of the runbook Neo followed to decide what to do.
&lt;/i&gt;
&lt;/center&gt;
&lt;/figcaption&gt;
&lt;/p&gt;
&lt;a href="https://app.pulumi.com/neo?prompt=Every&amp;#43;morning&amp;#43;at&amp;#43;6&amp;#43;AM%2C&amp;#43;check&amp;#43;all&amp;#43;production&amp;#43;infrastructure&amp;#43;for&amp;#43;drift&amp;#43;and&amp;#43;create&amp;#43;PRs&amp;#43;to&amp;#43;fix&amp;#43;any&amp;#43;issues&amp;#43;you&amp;#43;find." class="neo-card"&gt;
&lt;div class="neo-card-content"&gt;
&lt;div class="neo-card-icon"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--regular" fill="currentColor" role="img" aria-label="Pulumi Neo AI icon"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#c-pulumi-neo-regular"/&gt;&lt;/svg&gt;
&lt;/div&gt;
&lt;div class="neo-card-text"&gt;
&lt;span class="neo-card-subtitle"&gt;Start a Neo task&lt;/span&gt;
&lt;span class="neo-card-title"&gt;Schedule a daily drift check&lt;/span&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="neo-card-arrow"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--bold" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-caret-right-bold"/&gt;&lt;/svg&gt;
&lt;/div&gt;
&lt;/a&gt;
&lt;h2 id="9-schedule-weekly-upgrades-for-outdated-lambda-runtimes-and-providers"&gt;9. Schedule weekly upgrades for outdated Lambda runtimes and providers&lt;/h2&gt;
&lt;p&gt;&lt;em&gt;Lambda runtimes and container base images age out. Schedule the upgrade pass; review the PRs Neo opens.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;AWS Lambda end-of-life notices come out months ahead. Node 20 stopped receiving updates as an AWS Lambda runtime at the end of April. Python 3.9 reached end-of-support last December. After the deadline, AWS blocks new deploys and eventually stops invoking the function. Each one needs to move to a supported runtime before the cutoff.&lt;sup id="fnref:2"&gt;&lt;a href="#fn:2" class="footnote-ref" role="doc-noteref"&gt;2&lt;/a&gt;&lt;/sup&gt;&lt;/p&gt;
&lt;p&gt;Schedule it:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Every Sunday night at 10 PM, check our Lambda functions for runtimes nearing end-of-support and open PRs to upgrade them.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Neo reads the AWS Lambda runtime deprecation page, matches the end-of-support runtimes against every Lambda function in your stacks, and opens one PR per stack.&lt;/p&gt;
&lt;p&gt;If Python 3.9 is reaching end-of-support, the upgrade is to Python 3.12, and &lt;code&gt;datetime.utcnow()&lt;/code&gt; calls need to move to &lt;code&gt;datetime.now(datetime.UTC)&lt;/code&gt;. Neo can make all of those replacements in the same PR.&lt;/p&gt;
&lt;p&gt;The same task can catch container base images with critical CVEs and bump them too.&lt;/p&gt;
&lt;p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Setting up a weekly scheduled task in Neo"
autoplay muted playsinline
loop &gt;
&lt;source src="neo-schedule-setup.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;figcaption&gt;
&lt;center&gt;
&lt;i&gt;
Setting up a weekly task in the Scheduled Tasks UI. Once saved, Neo runs the prompt every Sunday night and opens PRs you review on Monday.
&lt;/i&gt;
&lt;/center&gt;
&lt;/figcaption&gt;
&lt;/p&gt;
&lt;a href="https://app.pulumi.com/neo?prompt=Every&amp;#43;Sunday&amp;#43;night&amp;#43;at&amp;#43;10&amp;#43;PM%2C&amp;#43;check&amp;#43;our&amp;#43;Lambda&amp;#43;functions&amp;#43;for&amp;#43;runtimes&amp;#43;nearing&amp;#43;end-of-support&amp;#43;and&amp;#43;open&amp;#43;PRs&amp;#43;to&amp;#43;upgrade&amp;#43;them." class="neo-card"&gt;
&lt;div class="neo-card-content"&gt;
&lt;div class="neo-card-icon"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--regular" fill="currentColor" role="img" aria-label="Pulumi Neo AI icon"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#c-pulumi-neo-regular"/&gt;&lt;/svg&gt;
&lt;/div&gt;
&lt;div class="neo-card-text"&gt;
&lt;span class="neo-card-subtitle"&gt;Start a Neo task&lt;/span&gt;
&lt;span class="neo-card-title"&gt;Schedule a weekly runtime upgrade check&lt;/span&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="neo-card-arrow"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--bold" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-caret-right-bold"/&gt;&lt;/svg&gt;
&lt;/div&gt;
&lt;/a&gt;
&lt;h2 id="10-fix-aws-cis-benchmark-failures-with-daily-prs"&gt;10. Fix AWS CIS Benchmark failures with daily PRs&lt;/h2&gt;
&lt;p&gt;&lt;em&gt;Run the AWS CIS Benchmark on a schedule. Wake up to PRs that fix every failure.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html"&gt;CIS AWS Foundations Benchmark&lt;/a&gt;, available through AWS Security Hub, is something every team should be keeping an eye on. The benchmark finds issues like S3 buckets that allow public read access (&lt;code&gt;S3.1&lt;/code&gt;), root user access keys that shouldn&amp;rsquo;t exist (&lt;code&gt;IAM.4&lt;/code&gt;), or CloudTrail not being enabled (&lt;code&gt;CloudTrail.1&lt;/code&gt;). Scanning for these issues is a solved problem, but closing and addressing them is not. They pile up between audits because each one is a code change in a different stack, and nobody owns the cross-stack cleanup.&lt;sup id="fnref:3"&gt;&lt;a href="#fn:3" class="footnote-ref" role="doc-noteref"&gt;3&lt;/a&gt;&lt;/sup&gt;&lt;/p&gt;
&lt;p&gt;Schedule the cleanup:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Every morning, read CIS Benchmark failures from Security Hub. For every failure on an IaC-managed resource, open a PR with the fix.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Neo opens one PR per failure. A bucket failing &lt;code&gt;S3.1&lt;/code&gt; arrives as a Pulumi diff that adds &lt;code&gt;blockPublicAccess&lt;/code&gt; to the bucket in your &lt;code&gt;prod-checkout&lt;/code&gt; stack. The PR body lists the CIS rule number, the resource ID, the diff, and a clean &lt;code&gt;pulumi preview&lt;/code&gt; against the live infrastructure.&lt;/p&gt;
&lt;p&gt;The runbook is where your security team writes down what each control means for your stacks. Block public S3 buckets, except the ones tagged &lt;code&gt;public-content=true&lt;/code&gt; for CloudFront origins. Don&amp;rsquo;t auto-touch the break-glass IAM roles; page a human instead. Multi-region CloudTrail stays on, no exceptions. Neo reads that file, checks each Security Hub finding against it, and only opens a PR for the ones you&amp;rsquo;ve said are safe to fix. The rest get routed or ignored, the way your team already handles them.&lt;/p&gt;
&lt;p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded w-full" title="Scrolling through Neo&amp;#39;s morning CIS Benchmark PR"
autoplay muted playsinline
loop &gt;
&lt;source src="neo-cis-pr.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;figcaption&gt;
&lt;center&gt;
&lt;i&gt;
A PR raised by Neo to fix a CIS Benchmark failure, with the failing rule, the resource, and the runbook decision laid out in the body.
&lt;/i&gt;
&lt;/center&gt;
&lt;/figcaption&gt;
&lt;/p&gt;
&lt;a href="https://app.pulumi.com/neo?prompt=Every&amp;#43;morning%2C&amp;#43;verify&amp;#43;all&amp;#43;resources&amp;#43;meet&amp;#43;our&amp;#43;compliance&amp;#43;policies&amp;#43;and&amp;#43;create&amp;#43;PRs&amp;#43;to&amp;#43;fix&amp;#43;violations." class="neo-card"&gt;
&lt;div class="neo-card-content"&gt;
&lt;div class="neo-card-icon"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--regular" fill="currentColor" role="img" aria-label="Pulumi Neo AI icon"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#c-pulumi-neo-regular"/&gt;&lt;/svg&gt;
&lt;/div&gt;
&lt;div class="neo-card-text"&gt;
&lt;span class="neo-card-subtitle"&gt;Start a Neo task&lt;/span&gt;
&lt;span class="neo-card-title"&gt;Schedule daily AWS CIS Benchmark scans&lt;/span&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="neo-card-arrow"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--bold" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-caret-right-bold"/&gt;&lt;/svg&gt;
&lt;/div&gt;
&lt;/a&gt;
&lt;h2 id="neo-your-newest-platform-engineer"&gt;Neo: your newest platform engineer&lt;/h2&gt;
&lt;p&gt;Over the past year, many product teams have stopped treating AI as a request-by-request assistant and started delegating to it outright.&lt;sup id="fnref:4"&gt;&lt;a href="#fn:4" class="footnote-ref" role="doc-noteref"&gt;4&lt;/a&gt;&lt;/sup&gt; Agents open pull requests, investigate issues, and iterate on review feedback.&lt;/p&gt;
&lt;p&gt;But platform engineers have held back because a bad infrastructure change doesn&amp;rsquo;t just fail, it can take production down. Coding agents benefit from fast, forgiving feedback loops, but infrastructure recovery is rarely as simple as reverting a commit.&lt;/p&gt;
&lt;p&gt;What was missing wasn&amp;rsquo;t the appetite. It was an agent with enough organizational context and &lt;a href="https://www.pulumi.com/blog/grounded-ai-why-neo-knows-your-infrastructure/"&gt;grounding&lt;/a&gt; to plan reliably, enough guardrails to feel safe and contain mistakes, and enough discipline to keep working without being asked.&lt;/p&gt;
&lt;p&gt;The theme across these tasks is clear. A thing platform engineers used to keep in their heads becomes a task you delegate, then becomes work that runs without you. Neo isn&amp;rsquo;t generating infrastructure from a template. It&amp;rsquo;s a teammate who knows your code, your providers, your conventions, your production metrics, and can raise PRs for you to review.&lt;/p&gt;
&lt;p&gt;Neo now lives in your terminal, in your pull requests, in your Slack workspace, and in Pulumi Cloud. Pick one of these workflows and &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/neo/"&gt;give it a try&lt;/a&gt;.&lt;/p&gt;
&lt;div class="footnotes" role="doc-endnotes"&gt;
&lt;hr&gt;
&lt;ol&gt;
&lt;li id="fn:1"&gt;
&lt;p&gt;The observant reader will notice Terraform-to-Pulumi was covered &lt;a href="https://www.pulumi.com/blog/10-things-you-can-do-with-neo/"&gt;in the original post&lt;/a&gt;.&amp;#160;&lt;a href="#fnref:1" class="footnote-backref" role="doc-backlink"&gt;&amp;#x21a9;&amp;#xfe0e;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li id="fn:2"&gt;
&lt;p&gt;Also covered in the &lt;a href="https://www.pulumi.com/blog/10-things-you-can-do-with-neo/"&gt;original post&lt;/a&gt;. Last year you could ask Neo to do it once. This year you can put it on a schedule.&amp;#160;&lt;a href="#fnref:2" class="footnote-backref" role="doc-backlink"&gt;&amp;#x21a9;&amp;#xfe0e;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li id="fn:3"&gt;
&lt;p&gt;Also covered in the &lt;a href="https://www.pulumi.com/blog/10-things-you-can-do-with-neo/"&gt;original post&lt;/a&gt;. Last year Neo could remediate violations on demand. This year Security Hub feeds findings to a scheduled task that knows your runbook&amp;rsquo;s interpretation of each control.&amp;#160;&lt;a href="#fnref:3" class="footnote-backref" role="doc-backlink"&gt;&amp;#x21a9;&amp;#xfe0e;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li id="fn:4"&gt;
&lt;p&gt;For a concrete example, see &lt;a href="https://www.pulumi.com/blog/seven-rules-ai-native-software-factory/"&gt;Seven Rules for Building an AI-Native Software Factory&lt;/a&gt;: Ewan Dawson, CTO of Compostable AI, runs nineteen client deployments with five engineers, using Pulumi Neo to handle most of the infrastructure work.&amp;#160;&lt;a href="#fnref:4" class="footnote-backref" role="doc-backlink"&gt;&amp;#x21a9;&amp;#xfe0e;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;/div&gt;</description><author>Adam Gordon Bell</author><category>ai</category><category>platform-engineering</category><category>pulumi-neo</category><category>aws</category></item><item><title>10 Things You Can Do With Our Infrastructure Agent, Neo</title><link>https://www.pulumi.com/blog/10-things-you-can-do-with-neo/</link><pubDate>Mon, 06 Oct 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/10-things-you-can-do-with-neo/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/10-things-you-can-do-with-neo/index.png" /&gt;
&lt;p&gt;Since launching &lt;a href="https://www.pulumi.com/blog/pulumi-neo/"&gt;Pulumi Neo&lt;/a&gt; two weeks ago, we&amp;rsquo;ve seen platform teams discover creative ways to put their newest AI teammate to work. We have also been using Neo internally for a handful of use cases. Neo shifts the conversation from &amp;ldquo;what could AI do for infrastructure?&amp;rdquo; to &amp;ldquo;what can I actually accomplish with Neo today?&amp;rdquo;&lt;/p&gt;
&lt;p&gt;The answer is quite a bit. Here are 10 concrete workflows that platform teams can use Neo for right now, each one designed to save hours of manual work while keeping humans in the driver seat.&lt;/p&gt;
&lt;h2 id="1-explain-infrastructure-in-plain-english-or-diagrams"&gt;1. Explain infrastructure in plain English or diagrams&lt;/h2&gt;
&lt;p&gt;Neo answers questions about your infrastructure instantly, turning complex resource relationships into conversational insights (and diagrams!).&lt;/p&gt;
&lt;p&gt;No more digging through AWS consoles or parsing state files to understand what you have deployed. Neo speaks your language about your infrastructure. Ask questions like &lt;em&gt;&amp;ldquo;What databases do we have?&amp;rdquo;&lt;/em&gt;, &lt;em&gt;&amp;ldquo;Which S3 buckets aren&amp;rsquo;t encrypted?&amp;rdquo;&lt;/em&gt;, &lt;em&gt;&amp;ldquo;Show me all resources in us-east-1&amp;rdquo;&lt;/em&gt; or &amp;ldquo;draw an architecture diagram of our service&amp;rdquo; and get immediate, accurate answers.&lt;/p&gt;
&lt;p&gt;&lt;img src="neo-diagram.png" alt="Neo explaining and diagramming infrastructure"&gt;&lt;/p&gt;
&lt;h2 id="2-generate-infrastructure-code-from-natural-language"&gt;2. Generate infrastructure code from natural language&lt;/h2&gt;
&lt;p&gt;Neo turns plain English descriptions into production-ready Pulumi code, eliminating the blank-page problem that slows down new projects.&lt;/p&gt;
&lt;p&gt;Instead of starting from scratch or hunting through documentation, describe what you need and Neo generates the complete infrastructure. Ask Neo: &lt;em&gt;&amp;ldquo;Create a serverless API with PostgreSQL database and Redis cache on AWS&amp;rdquo;&lt;/em&gt; and it produces fully configured resources with proper networking, security groups, and IAM policies.&lt;/p&gt;
&lt;p&gt;&lt;img src="neo-postgresql-redis.png" alt="Neo generating infrastructure code for a serverless API with PostgreSQL and Redis"&gt;&lt;/p&gt;
&lt;h2 id="3-assist-with-terraform-to-pulumi-migration"&gt;3. Assist with Terraform to Pulumi migration&lt;/h2&gt;
&lt;p&gt;Neo analyzes existing Terraform code (and/or state files) and generates equivalent Pulumi programs, accelerating migration without starting from scratch.&lt;/p&gt;
&lt;p&gt;Migrating from Terraform to Pulumi traditionally means rewriting everything. Neo understands both languages and can convert HCL to TypeScript, Python, or Go while preserving your infrastructure patterns. You can also use the Terraform state file. Ask Neo: &lt;em&gt;&amp;ldquo;Analyze the provided terraform state. Based on it, generate a python pulumi program that imports the resources without requiring updates.&amp;rdquo;&lt;/em&gt; and it generates equivalent code with proper typing and best practices.&lt;/p&gt;
&lt;p&gt;Using this prompt with a Terraform state file containing EC2 instances and supporting resources, Neo generated a complete Pulumi program that imported everything without requiring updates:&lt;/p&gt;
&lt;p&gt;&lt;img src="tf-up.png" alt="Neo converting Terraform state to Pulumi code"&gt;&lt;/p&gt;
&lt;h2 id="4-automate-cicd-pipeline-generation"&gt;4. Automate CI/CD pipeline generation&lt;/h2&gt;
&lt;p&gt;Neo creates complete GitHub Actions workflows configured specifically for Pulumi deployments, with proper preview stages.&lt;/p&gt;
&lt;p&gt;Setting up CI/CD for infrastructure projects usually involves copying workflows from other repos and adapting them. Neo generates purpose-built pipelines that understand your stack structure and deployment patterns. Ask Neo: &lt;em&gt;&amp;ldquo;Create a GitHub Actions pipeline for this Pulumi project with preview and production stages&amp;rdquo;&lt;/em&gt; and it produces workflows with proper secrets management, approval gates, and deployment strategies.&lt;/p&gt;
&lt;p&gt;Here is what Neo gives us using that prompt on a very basic Pulumi project:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;name&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Simple Pulumi Deploy&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;on&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;push&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;branches&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="l"&gt;main]&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;workflow_dispatch&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;env&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;PULUMI_ACCESS_TOKEN&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;${{ secrets.PULUMI_ACCESS_TOKEN }}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;AWS_ACCESS_KEY_ID&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;${{ secrets.AWS_ACCESS_KEY_ID }}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;AWS_SECRET_ACCESS_KEY&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;${{ secrets.AWS_SECRET_ACCESS_KEY }}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;jobs&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;deploy&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;runs-on&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;ubuntu-latest&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;steps&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="nt"&gt;name&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Checkout code&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;uses&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;actions/checkout@v4&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="nt"&gt;name&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Install Pulumi&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;uses&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;pulumi/actions@v4&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;with&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;pulumi-version&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;latest&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="nt"&gt;name&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Configure AWS credentials&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;uses&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;aws-actions/configure-aws-credentials@v4&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;with&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;aws-access-key-id&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;${{ secrets.AWS_ACCESS_KEY_ID }}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;aws-secret-access-key&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;${{ secrets.AWS_SECRET_ACCESS_KEY }}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;aws-region&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;us-west-2&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="nt"&gt;name&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Deploy infrastructure&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;run&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;|&lt;/span&gt;&lt;span class="sd"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="sd"&gt; pulumi stack select production
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="sd"&gt; pulumi up --yes&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;working-directory&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;./infrastructure&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h2 id="5-identify-inefficient-infrastructure-patterns"&gt;5. Identify inefficient infrastructure patterns&lt;/h2&gt;
&lt;p&gt;Neo analyzes your infrastructure and spots patterns that create unnecessary management overhead, helping you consolidate and optimize.&lt;/p&gt;
&lt;p&gt;When you have 10 identical EC2 instances that should be an auto-scaling group, or multiple Lambda functions doing the same job, Neo spots these patterns. Ask Neo: &lt;em&gt;&amp;ldquo;Analyze our infrastructure for inefficient patterns&amp;rdquo;&lt;/em&gt; and it can identify consolidation opportunities.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Example analysis:&lt;/strong&gt;&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-text" data-lang="text"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;Neo identified these optimization opportunities:
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;1. Duplicate EC2 Instances (High Priority)
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; • Found 8 identical t3.medium instances running the same application
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; • Recommendation: Consolidate into an Auto Scaling Group
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; • Benefits: Simplified management, automatic scaling, reduced configuration drift
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;2. Scattered Lambda Functions (Medium Priority)
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; • Found 12 Lambda functions with identical runtime and dependencies
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; • Recommendation: Combine into a single function with routing logic
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; • Benefits: Reduced cold starts, simplified monitoring, easier updates
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;3. Redundant Security Groups (Low Priority)
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; • Found 15 security groups with identical rules
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; • Recommendation: Create shared security groups for common patterns
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; • Benefits: Easier rule management, reduced complexity
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h2 id="6-upgrade-ekskubernetes-clusters"&gt;6. Upgrade EKS/Kubernetes clusters&lt;/h2&gt;
&lt;p&gt;Neo manages Kubernetes version upgrades across multiple clusters, planning upgrade paths and validating compatibility.&lt;/p&gt;
&lt;p&gt;Kubernetes upgrades are complex, especially across multiple clusters with different workloads. Neo analyzes your cluster configurations, identifies upgrade blockers, and creates systematic upgrade plans. Ask Neo: &lt;em&gt;&amp;ldquo;Plan an upgrade path for our EKS clusters from 1.27 to 1.28&amp;rdquo;&lt;/em&gt; and it maps dependencies, checks add-on compatibility, and sequences the upgrades.&lt;/p&gt;
&lt;h2 id="7-respond-to-security-vulnerabilities"&gt;7. Respond to security vulnerabilities&lt;/h2&gt;
&lt;p&gt;When CVEs are announced, Neo can help security teams move at machine speed addressing them.&lt;/p&gt;
&lt;p&gt;Security vulnerabilities require immediate response across your entire infrastructure. Neo understands your resource inventory and can quickly identify what&amp;rsquo;s affected by new CVEs. When you ask Neo: &lt;em&gt;&amp;ldquo;Identify all resources affected by CVE-2025-XXXXX and create remediation PRs&amp;rdquo;&lt;/em&gt;, it scans your infrastructure, maps vulnerable components, and generates targeted fixes.&lt;/p&gt;
&lt;p&gt;&lt;img src="neo-cves.png" alt="Neo identifying and remediating CVE vulnerabilities"&gt;&lt;/p&gt;
&lt;h2 id="8-remediate-policy-violations"&gt;8. Remediate policy violations&lt;/h2&gt;
&lt;p&gt;Neo detects non-compliant resources and generates pull requests to fix them, turning compliance headaches into automated workflows.&lt;/p&gt;
&lt;p&gt;When your policy violations detect unencrypted EBS volumes, overly permissive security groups, or missing resource tags, Neo identifies the issues and proposes specific fixes. Ask Neo: &lt;em&gt;&amp;ldquo;Fix all policy violations in our production account&amp;rdquo;&lt;/em&gt; and it analyzes your compliance dashboard, identifies the problematic resources, and creates PRs with the exact changes needed.&lt;/p&gt;
&lt;p&gt;&lt;img src="neo-policies.png" alt="Neo identifying and fixing policy violations"&gt;&lt;/p&gt;
&lt;h2 id="9-update-lambda-runtimes-across-multiple-accounts"&gt;9. Update Lambda runtimes across multiple accounts&lt;/h2&gt;
&lt;p&gt;Neo identifies outdated Lambda runtimes, stages updates, and manages the rollout across your entire AWS organization.&lt;/p&gt;
&lt;p&gt;When AWS announces runtime deprecations, Neo scans all your accounts, identifies functions running outdated versions, and creates a systematic upgrade plan. Ask Neo: &lt;em&gt;&amp;ldquo;Upgrade all Lambda functions to Python 3.11&amp;rdquo;&lt;/em&gt; and it maps your functions, checks compatibility, and generates account-by-account PRs.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Before (outdated runtime):&lt;/strong&gt;&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-typescript" data-lang="typescript"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;// Create the process email Lambda function
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;lambdaFunction&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nx"&gt;aws&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;lambda&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nb"&gt;Function&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;emailProcessor&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;runtime&lt;/span&gt;: &lt;span class="kt"&gt;aws.lambda.Runtime.Python3d8&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="c1"&gt;// ❌ Deprecated
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;code&lt;/span&gt;: &lt;span class="kt"&gt;new&lt;/span&gt; &lt;span class="nx"&gt;pulumi&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;asset&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;AssetArchive&lt;/span&gt;&lt;span class="p"&gt;({&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;.&amp;#34;&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nx"&gt;pulumi&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;asset&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;FileArchive&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;./lambda&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}),&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;// ... other configuration
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;});&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;After (Neo&amp;rsquo;s upgrade):&lt;/strong&gt;&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-typescript" data-lang="typescript"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;// Create the process email Lambda function
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kr"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;lambdaFunction&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nx"&gt;aws&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;lambda&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nb"&gt;Function&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;emailProcessor&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;runtime&lt;/span&gt;: &lt;span class="kt"&gt;aws.lambda.Runtime.Python3d11&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="c1"&gt;// ✅ Upgraded
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nx"&gt;code&lt;/span&gt;: &lt;span class="kt"&gt;new&lt;/span&gt; &lt;span class="nx"&gt;pulumi&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;asset&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;AssetArchive&lt;/span&gt;&lt;span class="p"&gt;({&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;.&amp;#34;&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nx"&gt;pulumi&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;asset&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;FileArchive&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;./lambda&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}),&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;// ... other configuration
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;});&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h2 id="10-enforce-multi-account-policy-compliance"&gt;10. Enforce multi-account policy compliance&lt;/h2&gt;
&lt;p&gt;Neo applies organizational policies across your entire AWS Organizations structure, ensuring governance at scale without creating bottlenecks.&lt;/p&gt;
&lt;p&gt;Large organizations struggle to maintain consistent policies across dozens of AWS accounts. Neo understands your organizational structure and can enforce tagging standards, encryption requirements, and security policies uniformly. Ask Neo: &lt;em&gt;&amp;ldquo;Ensure all accounts follow our tagging and encryption policies&amp;rdquo;&lt;/em&gt; and it audits compliance across your organization.&lt;/p&gt;
&lt;h2 id="your-newest-platform-engineer"&gt;Your newest platform engineer&lt;/h2&gt;
&lt;p&gt;These workflows represent just the beginning of what&amp;rsquo;s possible when an AI agent deeply understands infrastructure context.&lt;/p&gt;
&lt;p&gt;The outcome is simple: spend less time on operational toil and more time on the architecture and policies that make your organizations successful.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/neo/"&gt;Get started with Neo&lt;/a&gt; and discover what becomes possible when AI truly understands infrastructure.&lt;/p&gt;
&lt;p&gt;The future of platform engineering isn&amp;rsquo;t about choosing between speed and safety. It&amp;rsquo;s about having tools that help you with both simultaneously.&lt;/p&gt;</description><author>Meagan Cojocar</author><category>ai</category><category>platform-engineering</category><category>pulumi-neo</category><category>aws</category></item></channel></rss>