<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0"><channel><title>Pulumi Blog: Platform Engineering Pillars Series</title><link>https://www.pulumi.com/blog/series/platform-engineering-pillars/</link><description>Pulumi blog posts: Platform Engineering Pillars Series.</description><language>en-us</language><pubDate>Tue, 17 Jun 2025 00:00:00 +0000</pubDate><item><title>Governance as an Enabler: Scaling Safely and Confidently</title><link>https://www.pulumi.com/blog/platform-engineering-pillars-7/</link><pubDate>Tue, 17 Jun 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/platform-engineering-pillars-7/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/platform-engineering-pillars-7/index.png" /&gt;
&lt;p&gt;In previous articles in this series, we&amp;rsquo;ve explored how &lt;a href="https://www.pulumi.com/blog/series/platform-engineering-pillars/"&gt;platform engineering&lt;/a&gt; transforms infrastructure chaos into consistent provisioning, empowers engineering teams through self-service infrastructure, optimizes workflows, embeds security directly into your platform, and provides observability as a superpower. Each pillar builds upon the previous ones, creating a cohesive foundation that accelerates innovation and productivity.&lt;/p&gt;
&lt;p&gt;But as your platform scales, new challenges inevitably emerge. You&amp;rsquo;ve empowered engineering teams with self-service infrastructure, streamlined workflows, and embedded security directly into your platform. But as your platform scales, new challenges emerge: How do you ensure consistency, compliance, and cost control without slowing your teams down?&lt;/p&gt;
&lt;p&gt;In this article, we&amp;rsquo;ll explore how Platform Engineering transforms governance from a manual, bureaucratic process into an automated, built-in enabler, helping your organization scale safely and confidently. By embedding governance directly into your platform, you can maintain control, ensure compliance, and manage costs effectively, all while preserving the autonomy and speed your engineering teams have come to expect.&lt;/p&gt;
&lt;h2 id="the-problem-governance-as-a-manual-bottleneck"&gt;The Problem: Governance as a Manual Bottleneck&lt;/h2&gt;
&lt;span style="width: 225px; float: right; margin-left: 20px;"&gt;
&lt;span style="text-align:center"&gt;
&lt;img src="frustrated.png" width="200px" alt="frustrated expression"&gt;
&lt;figcaption&gt;
&lt;i&gt;Dealing with manual compliance checks and red tape&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/span&gt;
&lt;/span&gt;
&lt;p&gt;With increased team autonomy and self-service capabilities, how do you ensure consistency, compliance, and cost control across your entire organization?&lt;/p&gt;
&lt;p&gt;Governance often feels like a necessary evil: manual, bureaucratic, and slow. Application teams see it as red tape, while operations teams struggle to maintain control. Manual compliance checks, lengthy audits, and unclear or inconsistent policies create friction and frustration. Teams may bypass governance processes entirely, leading to shadow IT, inconsistent resource configurations, and hidden risks.&lt;/p&gt;
&lt;p&gt;The consequences of manual, bureaucratic governance are clear:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Increased compliance risks and audit failures:&lt;/strong&gt; Without automated enforcement, compliance becomes reactive and error-prone, increasing the likelihood of regulatory violations and audit findings.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Unpredictable cloud costs and budget overruns:&lt;/strong&gt; Without clear guardrails, self-service infrastructure can lead to resource sprawl, wasted resources, and unexpected cloud bills.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reduced team autonomy and slower innovation:&lt;/strong&gt; Manual governance processes reintroduce bottlenecks, slowing down deployments and undermining the agility your platform was designed to achieve.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="the-solution-embedding-governance-into-your-platform"&gt;The Solution: Embedding Governance into Your Platform&lt;/h2&gt;
&lt;span style="width: 225px; float: left; margin-right: 20px;"&gt;
&lt;span style="text-align:center"&gt;
&lt;img src="satisfied.png" width="200px" alt="satisfied expression"&gt;
&lt;figcaption&gt;
&lt;i&gt;Successfully scaling safely with embedded governance&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/span&gt;
&lt;/span&gt;
&lt;p&gt;Governance should live inside your platform, not off to the side as a separate process. To make that happen, build these four capabilities into your IDP:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Policy-as-Code for Automated Compliance:&lt;/strong&gt; Declare rules (like approved regions or required tags) as code. The platform enforces them whenever infrastructure is created or updated, so compliance happens automatically.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Platform-Level RBAC for Permission Boundaries:&lt;/strong&gt; Decide who can act on projects, stacks, and templates before any cloud credentials run. This early check prevents unauthorized requests from ever reaching cloud provider.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Audit Logs and Drift Detection for Real-Time Visibility:&lt;/strong&gt; Record every deployment, who ran it, and what changed. Continuously compare live infrastructure to the desired state in code. If someone bypasses approved processes, the platform flags it and alerts the team.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Resource Lifecycle and Deployment Controls:&lt;/strong&gt; Automatically retire idle environments after a set time (Resource TTLs) so forgotten test clusters don’t rack up bills. Also if needed, gate production changes behind lightweight approval workflows. Routine dev or staging updates roll out instantly, but high impact production changes wait until a reviewer signs off.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Let’s dive into each of these.&lt;/p&gt;
&lt;h3 id="a-policy-as-code-for-compliance-and-operational-standards-automating-trust-and-consistency"&gt;A. Policy-as-Code for Compliance and Operational Standards: Automating Trust and Consistency&lt;/h3&gt;
&lt;p&gt;An engineering team is ready to launch a new service. They’ve tested it and everything looks good, until the deployment fails. Not because of a bug. Because it’s targeting an unapproved cloud region.&lt;/p&gt;
&lt;p&gt;Now they’re stuck. A compliance review kicks off. Slack threads fly. A ticket gets filed. What should’ve been a smooth release turns into a delay, all because of a policy someone missed.&lt;/p&gt;
&lt;p&gt;Policy-as-code prevents this.&lt;/p&gt;
&lt;p&gt;When teams deploy something that breaks the rules (like using an unapproved region), the platform blocks it automatically. The error shows up right away, with a clear message. Nothing gets provisioned, and nobody has to file a ticket.&lt;/p&gt;
&lt;p&gt;If you’re already using intent-based components (“I need a Java service with Kafka and PostgreSQL”), most details are handled for you: tags, regions, naming. But people still override things. That’s why policy-as-code matters.&lt;/p&gt;
&lt;p&gt;Think of it as a safety net. A menu of components handle the defaults. Policies catch anything that slips through. Together, they keep your platform consistent without slowing anyone down.&lt;/p&gt;
&lt;h3 id="b-role-based-access-control-rbac-balancing-autonomy-and-control"&gt;B. Role-Based Access Control (RBAC): Balancing Autonomy and Control&lt;/h3&gt;
&lt;span style="width: 225px; float: right; margin-left: 20px;"&gt;
&lt;span style="text-align:center"&gt;
&lt;img src="blocked.png" width="200px" alt="blocked expression"&gt;
&lt;figcaption&gt;
&lt;i&gt;Stopped by lengthy approval processes&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/span&gt;
&lt;/span&gt;
&lt;p&gt;As your platform grows, managing permissions manually gets messy. If an engineer needs to fix a production issue but doesn’t have access, they file a ticket and wait, sometimes for days. Give developers too many rights, and they might change production by accident. Both options slow teams down and increase risk.&lt;/p&gt;
&lt;p&gt;The fix is an RBAC model built into your platform. First, the platform decides who can deploy, who can publish components, and who can manage templates. This check runs before any cloud credentials are used, so invalid requests get blocked early. Second, the cloud IAM layer controls which API calls are allowed, like creating an EC2 instance or updating a database.&lt;/p&gt;
&lt;p&gt;This pairs well with a two-level intent-based approach. Teams describe what they need (“I want a Python Lambda with an SQS queue”), and the platform enforces access only for users with the right scopes. Everyone gets just enough access to do their job, no more, no less.&lt;/p&gt;
&lt;p&gt;A Platform with RBAC makes permissions clear, reduces mistakes, and keeps everything auditable. Devs move fast, spinning up resources as needed, while strong guardrails stay in place. The result is a scalable, least-privilege model that balances autonomy and control, so your organization can grow safely.&lt;/p&gt;
&lt;h3 id="c-auditability-traceability-and-drift-detection-ensuring-visibility-and-trust"&gt;C. Auditability, Traceability, and Drift Detection: Ensuring Visibility and Trust&lt;/h3&gt;
&lt;span style="width: 225px; float: left; margin-right: 20px;"&gt;
&lt;span style="text-align:center"&gt;
&lt;img src="stressed.png" width="200px" alt="stressed expression"&gt;
&lt;figcaption&gt;
&lt;i&gt;Anxious about audit failures and compliance risks&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/span&gt;
&lt;/span&gt;
&lt;p&gt;An ops engineer spots a production database misbehaving. A quick check shows someone changed its configuration outside the approved workflow. Without an audit trail or drift detection, the team scrambles to figure out who made the change and when. Meanwhile, the incorrect setting stays active, posing a security and compliance risk. No one can fix it without guessing.&lt;/p&gt;
&lt;p&gt;A platform with audit logs records every action: who deployed, when, and what changed. Drift detection watches live infrastructure and compares it to the desired state in code. If someone bypasses the workflow (say, editing a database setting in the console), the platform flags it and alerts:
“User Alice changed max_connections on prod-db-01 at 3:42 PM, which no longer matches the expected state.”
Now the team can pinpoint the change, talk to the right person, and revert or update the code, restoring consistency in minutes, not hours.&lt;/p&gt;
&lt;p&gt;Together, audit logs and drift detection give you real-time visibility into every change. You stop playing detective. You see who did what, when, and how it deviated from code, all in one place. That transparency speeds audits, catches unauthorized changes fast, and builds trust across teams. With automatic traces of every change, your platform scales without surprises.&lt;/p&gt;
&lt;h3 id="d-resource-lifecycle-and-deployment-controls-scaling-responsibly-and-safely"&gt;D. Resource Lifecycle and Deployment Controls: Scaling Responsibly and Safely&lt;/h3&gt;
&lt;p&gt;An engineer spins up a test environment, then walks away. Another pushes a change straight to production without review. The abandoned test cluster runs up cloud costs; the unreviewed prod tweak risks an outage. Without automation, both lead to wasted spend and stressful cleanups.&lt;/p&gt;
&lt;p&gt;A modern platform handles this with &lt;strong&gt;ephemeral environments where possible&lt;/strong&gt; and &lt;strong&gt;approval gates where it matters&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;In dev and staging, engineers can move quickly. They can create test or preview environments, often tied to users or pull requests, that shut down automatically after a set time. TTL rules keep things tidy without manual cleanup.&lt;/p&gt;
&lt;p&gt;Production, by contrast, is gated. High-impact changes, like modifying a database schema or adjusting a load balancer, require approval. Before anything is provisioned, sign-off is required. Every approval (or denial) is logged: who, when, and why.&lt;/p&gt;
&lt;p&gt;This setup keeps development fast and flexible, while making production changes deliberate and auditable. Your platform stays clean, cost-effective, and safe without getting in the way.&lt;/p&gt;
&lt;span style="width: 225px; float: right; margin-left: 20px;"&gt;
&lt;span style="text-align:center"&gt;
&lt;img src="overwhelmed.png" width="200px" alt="overwhelmed expression"&gt;
&lt;figcaption&gt;
&lt;i&gt;Drowning in resource sprawl and unexpected costs&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/span&gt;
&lt;/span&gt;
&lt;h2 id="real-world-example-governance-enablement-in-action"&gt;Real-World Example: Governance Enablement in Action&lt;/h2&gt;
&lt;p&gt;An engineering team opens a pull request for a new customer-facing service. The platform spins up a preview environment using a template with secure defaults, pre-approved modules, and policy checks. CI runs tests and policy checks in preview (names, regions, encryption, compliance) so the team catches issues early. If a rule fails (say, an unencrypted database), the PR fails before it reaches main. After the PR merges to main, it deploys to production, confident all policy validations have passed.&lt;/p&gt;
&lt;p&gt;Idle QA environments shut down after 48 hours, so forgotten clusters don’t rack up bills. Sensitive production changes, like updating a load balancer or altering a critical schema, are carefully reviewed via pull request. Once approved, the platform deploys automatically and logs every action. Drift detection flags console edits, letting the team revert or update code in minutes.&lt;/p&gt;
&lt;p&gt;Result: Governance becomes an invisible safety net. Engineers move fast, knowing policy-as-code, RBAC, TTL cleanup, approval gates, and change tracking catch mistakes. Ops stays in control without firefighting or chasing orphan resources. The platform scales safely, balancing freedom with built-in guardrails.&lt;/p&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;&lt;h2 id="metrics-measuring-governance-enablement"&gt;Metrics: Measuring Governance Enablement&lt;/h2&gt;
&lt;p&gt;To ensure your governance practices truly empower your organization, it&amp;rsquo;s essential to track clear, actionable metrics. These metrics help you understand the effectiveness of your governance processes, identify areas for improvement, and ensure governance remains frictionless and enabling:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Time Spent on Manual Compliance Checks and Audits&lt;/strong&gt;:
Measure how much time your teams spend manually verifying compliance or performing audits. Effective governance automation should significantly reduce this overhead, freeing teams to focus on higher-value tasks.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Number of Compliance Violations or Audit Findings&lt;/strong&gt;:
Track how frequently compliance violations or audit issues occur. Effective governance should reduce these incidents, demonstrating that automated policies and guardrails are working as intended.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Cloud Cost Predictability and Budget Adherence&lt;/strong&gt;:
Monitor how accurately your cloud spending aligns with forecasts and budgets. Good governance practices, such as automated tagging, resource lifecycle management, and cost controls, should improve predictability and reduce unexpected cost overruns.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Engineering Team Satisfaction with Governance Processes&lt;/strong&gt;:
Regularly survey engineering teams to gauge their satisfaction with governance processes. High satisfaction indicates that governance is enabling rather than hindering their workflows.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Tracking these metrics helps you continuously improve your platform&amp;rsquo;s governance practices, ensuring they remain effective and frictionless.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;span style="width: 225px; float: left; margin-right: 20px;"&gt;
&lt;span style="text-align:center"&gt;
&lt;img src="confident.png" width="200px" alt="confident expression"&gt;
&lt;figcaption&gt;
&lt;i&gt;Working within clear, automated guardrails&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/span&gt;
&lt;/span&gt;
&lt;h2 id="pulumi-and-governance-enablement"&gt;Pulumi and Governance Enablement&lt;/h2&gt;
&lt;p&gt;Pulumi provides built-in governance features that help you scale safely and confidently, embedding compliance, consistency, and control directly into your platform:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;CrossGuard (Policy as Code)&lt;/strong&gt;
Define and enforce compliance and operational policies automatically. CrossGuard checks every resource against your organization’s standards before deployment, preventing non-compliant resources and reducing manual audits.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Role-Based Access Control (RBAC) and Teams&lt;/strong&gt;
Manage permissions with precision. Pulumi’s RBAC ensures teams get exactly the access they need, no more, no less, so developers can move quickly within clear boundaries and ops can reduce risk.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Audit Logs and Drift Detection&lt;/strong&gt;
Capture a full history of every change and compare live infrastructure to the desired state in code. Audit logs simplify compliance reviews, drift detection spots unauthorized edits, and teams can fix issues in minutes.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Time-to-Live (TTL) Stacks / Ephemeral Environments&lt;/strong&gt;
Spin up short-lived environments for testing or previews. You can assign a TTL to any stack so it shuts down automatically after a set period. That keeps forgotten test resources from racking up costs and ensures your platform stays clean.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;By leveraging Pulumi’s governance features, including CrossGuard, RBAC, audit logs, and TTL stacks, your platform becomes a powerful enabler. You automate compliance, maintain consistency, and empower engineering teams to innovate quickly and safely.&lt;/p&gt;
&lt;h2 id="conclusion-governance-as-a-platform-feature"&gt;Conclusion: Governance as a Platform Feature&lt;/h2&gt;
&lt;span style="width: 225px; float: right; margin-left: 20px;"&gt;
&lt;span style="text-align:center"&gt;
&lt;img src="empowered.png" width="200px" alt="empowered expression"&gt;
&lt;figcaption&gt;
&lt;i&gt;Having autonomy with built-in controls&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/span&gt;
&lt;/span&gt;
&lt;p&gt;Governance doesn&amp;rsquo;t have to slow you down. By embedding governance directly into your platform, you empower engineering teams to innovate quickly while ensuring compliance, consistency, and control. Instead of manual checks, governance becomes automatic, transparent, and frictionless, enabling your organization to scale safely and confidently.&lt;/p&gt;
&lt;p&gt;Your engineering teams gain autonomy and speed, your operations teams gain visibility and control, and your organization gains the confidence to innovate at scale.&lt;/p&gt;
&lt;p&gt;You’ve now seen all six pillars of a modern internal developer platform—&lt;a href="https://www.pulumi.com/blog/platform-engineering-pillars-2/"&gt;provisioning&lt;/a&gt;, &lt;a href="https://www.pulumi.com/blog/platform-engineering-pillars-3/"&gt;self-service&lt;/a&gt;, &lt;a href="https://www.pulumi.com/blog/platform-engineering-pillars-4/"&gt;developer experience&lt;/a&gt;, &lt;a href="https://www.pulumi.com/blog/platform-engineering-pillars-5/"&gt;security&lt;/a&gt;, &lt;a href="https://www.pulumi.com/blog/platform-engineering-pillars-6/"&gt;observability&lt;/a&gt;, and governance. If you’d like to see how Pulumi makes building and running a platform like this simpler, check out &lt;a href="https://www.pulumi.com/product/internal-developer-platforms/"&gt;Pulumi IDP&lt;/a&gt;.&lt;/p&gt;</description><author>Adam Gordon Bell</author><category>platform-engineering</category></item><item><title>Observability as a Developer Superpower</title><link>https://www.pulumi.com/blog/platform-engineering-pillars-6/</link><pubDate>Tue, 10 Jun 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/platform-engineering-pillars-6/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/platform-engineering-pillars-6/index.png" /&gt;
&lt;span style="width: 225px; float: right; margin-left: 20px;"&gt;
&lt;span style="text-align:center"&gt;
&lt;img src="frustrated.png" width="200px" alt="frustrated expression"&gt;
&lt;figcaption&gt;
&lt;i&gt;Frustratedly trying to figure out what's actually happening&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/span&gt;
&lt;/span&gt;
&lt;p&gt;In previous articles in this series, we’ve shown how &lt;a href="https://www.pulumi.com/blog/series/platform-engineering-pillars/"&gt;platform engineering&lt;/a&gt; turns infrastructure chaos into consistency, gives teams self-service tools, smooths developer workflows, and bakes security into the platform. Each pillar builds on the last. Together, they create an internal developer platform that cuts friction and speeds innovation.&lt;/p&gt;
&lt;p&gt;Even so, teams still face a big challenge: seeing what’s really happening. Whether things go wrong or run smoothly, engineering teams need clear, actionable insights into their systems. Without observability, you end up guessing, reacting slowly, and hunting through scattered data.&lt;/p&gt;
&lt;p&gt;This article shows how observability can be a superpower, giving teams the visibility, insights, and confidence to build better software. Embedding observability into your platform lets teams spot, understand, and fix problems fast, turning reactive firefighting into proactive innovation.&lt;/p&gt;
&lt;h2 id="the-problem-data-overload-without-insights"&gt;The Problem: Data Overload Without Insights&lt;/h2&gt;
&lt;p&gt;Teams drown in metrics, logs, and traces but lack useful insights. In practice, this shows up in three common friction points:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Tool sprawl:&lt;/strong&gt; Teams use separate tools for metrics, logs, and traces. They waste time flipping between dashboards and stitching data together.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Alert fatigue:&lt;/strong&gt; Teams get hit with noisy, context-free alerts. With no clear priority or context, key alerts get lost, causing missed issues or slow responses.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Reactive debugging:&lt;/strong&gt; Troubleshooting turns into a late-night fire drill. Teams spend hours digging through logs and metrics after users have already noticed the problem.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;When observability is limited to post-mortems and fragmented dashboards, your team wastes time reacting instead of preventing problems, and innovation grinds to a halt.&lt;/p&gt;
&lt;h2 id="the-solution-observability-as-an-engineering-superpower"&gt;The Solution: Observability as an Engineering Superpower&lt;/h2&gt;
&lt;span style="width: 225px; float: left; margin-right: 20px;"&gt;
&lt;span style="text-align:center"&gt;
&lt;img src="tired.png" width="200px" alt="tired expression"&gt;
&lt;figcaption&gt;
&lt;i&gt;Exhausted from hours of reactive debugging when the problem could have been caught earlier&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/span&gt;
&lt;/span&gt;
&lt;p&gt;The solution isn’t just about bolting on more monitoring tools. it’s about baking visibility, context, and guidance into your platform. To do this, embrace three key principles:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Centralized Service Dashboards &amp;amp; Service List&lt;/strong&gt;
Surface every running service (or database, function, etc.) in one “Services” portal, complete with health badges (CPU, error rate), on-call owner info, and one-click links to that service’s metrics, logs, and traces. By unifying all telemetry behind a single service card, you eliminate context-switching and help engineers find exactly what they need in seconds, not minutes.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Actionable Alerts and Insights&lt;/strong&gt;
Replace vague, noisy notifications with context-rich, prioritized alerts that include severity, correlated root-cause data, and recommended next steps (“Database latency jumped 200% since last deploy: rollback or scale up replicas”). Group and surface only the most critical issues first to reduce alert fatigue and speed up resolution.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Embedding Observability into Engineering Workflows&lt;/strong&gt;
Ship every new microservice with built-in logging, metrics, and tracing by including those hooks in your platform’s service templates and CI/CD pipelines. When instrumentation is automatic, “oops, I forgot to add a span” moments disappear, and teams gain immediate visibility into performance and errors from day one.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;When observability becomes a superpower, engineering teams gain the visibility and insights they need to confidently build, deploy, and operate software. Instead of drowning in data, they proactively identify and resolve issues, optimize performance, and innovate with confidence.&lt;/p&gt;
&lt;h3 id="a-centralized-service-dashboards--service-list"&gt;A. Centralized Service Dashboards &amp;amp; Service List&lt;/h3&gt;
&lt;span style="width: 225px; float: right; margin-left: 20px;"&gt;
&lt;span style="text-align:center"&gt;
&lt;img src="learning.png" width="200px" alt="learning expression"&gt;
&lt;figcaption&gt;
&lt;i&gt;Reading the Service Catalog&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/span&gt;
&lt;/span&gt;
&lt;p&gt;Imagine you’re paged at 2 AM because “OrderService” is failing, but you don’t know where to look. Metrics live in Grafana, logs are in Elasticsearch, traces in Jaeger, and you still have to hunt down who’s on call. You spend precious minutes clicking through multiple UIs and Slack channels just to figure out who owns the service and where its telemetry lives.&lt;/p&gt;
&lt;p&gt;A centralized service list solves this by surfacing every running microservice (or database, or function) in one place. In your platform’s web portal, you land on a “Services” page that shows OrderService alongside CPU and error‐rate badges, an on-call owner, and links to its real-time dashboard, filtered logs, and trace waterfall. No matter which team spun it up, you know exactly where to click: metrics, logs, traces, deployment history, and contact info all live behind a single service card.&lt;/p&gt;
&lt;p&gt;By embedding a service list into your platform, you eliminate context switching and reduce onboarding friction. If a service isn’t listed, it isn’t properly instrumented, so gaps stand out immediately. In practice, this “one‐pane‐of‐glass” approach means engineers spend seconds finding the right dashboard and the right person, instead of minutes piecing together fragments across disconnected tools.&lt;/p&gt;
&lt;h3 id="b-actionable-alerts-and-insights-reducing-noise-and-accelerating-response"&gt;B. Actionable Alerts and Insights: Reducing Noise and Accelerating Response&lt;/h3&gt;
&lt;span style="width: 225px; float: left; margin-right: 20px;"&gt;
&lt;span style="text-align:center"&gt;
&lt;img src="angry.png" width="200px" alt="locked-in expression"&gt;
&lt;figcaption&gt;
&lt;i&gt;Digging through alert noise&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/span&gt;
&lt;/span&gt;
&lt;p&gt;It’s 4 AM and your phone buzzes with three simultaneous alerts, each with vague descriptions like &amp;ldquo;High CPU usage detected&amp;rdquo; or &amp;ldquo;Error rate increased.&amp;rdquo; Without clear context or recommended actions, you must manually investigate each alert, digging through logs and metrics to determine severity and root cause. This manual triage process is slow, frustrating, and error-prone, increasing the risk of missing critical issues or delaying resolution.&lt;/p&gt;
&lt;p&gt;Engineering teams often face a constant barrage of alerts, many of which lack clear context, severity, or actionable next steps. This flood of noisy, ambiguous notifications creates alert fatigue, causing your team to overlook critical issues or waste valuable time investigating false positives.&lt;/p&gt;
&lt;p&gt;A platform approach should focus on actionable metrics. Instead of vague notifications, clearly state the issue (&amp;ldquo;Database latency increased by 200%&amp;rdquo;), provide relevant context (&amp;ldquo;Latency spike correlated with recent deployment&amp;rdquo;), and suggest immediate actions (&amp;ldquo;Rollback recent deployment or scale database resources&amp;rdquo;). Additionally, alerts are automatically grouped and prioritized based on severity and impact, ensuring you focus on the most critical issues first.&lt;/p&gt;
&lt;p&gt;By holistically approaching alerts and insights, you significantly reduce alert fatigue and noise, accelerate incident response and resolution, and empower engineering teams with greater confidence and autonomy. Your team spends less time manually triaging alerts and more time proactively resolving issues, improving reliability, productivity, and overall team satisfaction.&lt;/p&gt;
&lt;h3 id="c-embedding-observability-into-engineering-workflows-visibility-from-day-one"&gt;C. Embedding Observability into Engineering Workflows: Visibility from Day One&lt;/h3&gt;
&lt;span style="width: 225px; float: right; margin-left: 20px;"&gt;
&lt;span style="text-align:center"&gt;
&lt;img src="sleepy.png" width="200px" alt="sleepy expression"&gt;
&lt;figcaption&gt;
&lt;i&gt;At 2 AM, where are the logs for this service.&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/span&gt;
&lt;/span&gt;
&lt;p&gt;You’ve just deployed a brand-new microservice to production, only to discover performance issues or unexpected behavior. Sure, you should remember to add tracing, logging, and metrics by hand, but in practice, things slip through the cracks. It isn’t until real-world traffic hits that you realize you forgot to instrument X or Y, and now you’re scrambling to retroactively add code, redeploy, and wait for data to appear, delaying resolution and frustrating your team.&lt;/p&gt;
&lt;p&gt;If your platform’s service templates already include all the necessary logging, metrics gathering, and tracing out of the box, it makes life a lot easier. Embedding observability into those templates and engineering workflows ensures every new microservice ships with built-in instrumentation.&lt;/p&gt;
&lt;p&gt;This proactive approach reduces “oops, I forgot” moments, accelerates troubleshooting, and increases team productivity and satisfaction, ultimately improving the reliability and quality of your software.&lt;/p&gt;
&lt;h2 id="real-world-example-observability-superpower-in-action"&gt;Real-World Example: Observability Superpower in Action&lt;/h2&gt;
&lt;span style="width: 225px; float: left; margin-right: 20px;"&gt;
&lt;span style="text-align:center"&gt;
&lt;img src="excited.png" width="200px" alt="excited expression"&gt;
&lt;figcaption&gt;
&lt;i&gt;Applying an Actional Metric&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/span&gt;
&lt;/span&gt;
&lt;p&gt;At 3:15 AM, your pagerduty alert goes off: “CheckoutService latency spiked 150%.” You log into your platform’s Services portal and immediately see CheckoutService highlighted with a red latency badge and Todd Rivera listed as the on-call owner. Rather than scouring multiple dashboards, you click its service card to jump straight to the metrics, logs, and trace views.&lt;/p&gt;
&lt;p&gt;The alert itself is remarkably precise: “CheckoutService latency rose 150% at 3:10 AM following the v2.3.1 deployment. PaymentGatewayService upstream error rate jumped from 0.2% to 2.3%. Recommendation: rollback v2.3.1 or scale PaymentGateway pods. Contact Todd Rivera.” Instantly, you know where the problem lies, which upstream service is impacted, and what the next step should be.
In the trace waterfall, you spot a 200 ms delay on CheckoutService calls to PaymentGateway. The logs, automatically instrumented by your service template, filter to TimeoutException entries all timestamped at 3:10 AM. Opening the “Ask Platform” AI widget, you type, “Why did CheckoutService latency spike at 3:10 AM?” The AI responds: “Likely cause: v2.3.1 added index idx_created_at to PaymentGateway’s transactions table, causing an 80 ms delay per request. Rollback v2.3.1 or patch queries to remove the new index.”&lt;/p&gt;
&lt;p&gt;Armed with this precise diagnosis, you open a rollback pull request and, after Todd&amp;rsquo;s ok, deploy it within minutes.&lt;/p&gt;
&lt;p&gt;CheckoutService latency and PaymentGateway errors immediately return to baseline. By moving from alert to resolution entirely within the platform (thanks to built-in instrumentation, actionable alerts, and AI-driven analysis, you’ve squashed a major incident before most users ever noticed.&lt;/p&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;&lt;h2 id="metrics-measuring-observability-enablement"&gt;Metrics: Measuring Observability Enablement&lt;/h2&gt;
&lt;p&gt;To ensure your observability practices truly empower engineering teams, it&amp;rsquo;s essential to track clear, actionable metrics. These metrics help you understand the effectiveness of your observability tools and processes, identify areas for improvement, and demonstrate the tangible impact observability has on your organization.&lt;/p&gt;
&lt;p&gt;Key metrics to measure observability enablement include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Mean Time to Detection (MTTD)&lt;/strong&gt;:&lt;br&gt;
How quickly are issues identified after they occur? Effective observability should significantly reduce the time it takes to detect problems, enabling faster responses and minimizing user impact.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Mean Time to Resolution (MTTR)&lt;/strong&gt;:&lt;br&gt;
How quickly are issues resolved once detected? With clear, actionable insights and unified observability, your teams should resolve issues faster, reducing downtime and improving reliability.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Engineering Team Satisfaction with Observability Tools&lt;/strong&gt;:&lt;br&gt;
Regularly survey your teams to gauge their satisfaction with observability tools and workflows. Higher satisfaction indicates that observability is effectively embedded into engineering workflows, reducing friction and increasing productivity.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Adoption Rate of Observability Tools and Dashboards&lt;/strong&gt;:&lt;br&gt;
Track how widely observability tools and dashboards are adopted across teams. Increased adoption indicates that your teams find these tools valuable, intuitive, and helpful in their daily work.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Reduction in Alert Noise and False Positives&lt;/strong&gt;:&lt;br&gt;
Measure the volume and accuracy of alerts over time. Effective observability should reduce noisy, irrelevant alerts, ensuring your teams focus on meaningful, actionable notifications.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Tracking these metrics helps you continuously improve your observability practices, ensuring they remain effective and empowering. By regularly reviewing and acting on these insights, you can proactively enhance team productivity, reliability, and overall satisfaction.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="pulumi-and-observability-enablement"&gt;Pulumi and Observability Enablement&lt;/h2&gt;
&lt;span style="width: 225px; float: right; margin-left: 20px;"&gt;
&lt;span style="text-align:center"&gt;
&lt;img src="new-idea.png" width="200px" alt="new-idea expression"&gt;
&lt;figcaption&gt;
&lt;i&gt;Platform insights&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/span&gt;
&lt;/span&gt;
&lt;p&gt;Pulumi’s platform features let you explore observability without bolting on extra tools. Key Pulumi features that enable observability include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Pulumi Insights&lt;/strong&gt;:&lt;br&gt;
Provides unified visibility and powerful search across all your cloud resources. Your teams can quickly discover, explore, and understand their infrastructure, eliminating manual searches and reducing cognitive load.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Centralized Service List&lt;/strong&gt;:
Pulumi IDP’s Services portal gives you a single place to register each microservice, database, or cloud resource and link to its dashboards, logs, and traces.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Pulumi Co-Pilot&lt;/strong&gt;:&lt;br&gt;
Delivers AI-powered troubleshooting and insights directly within your workflows. Your teams can ask natural-language questions about their infrastructure (such as &amp;ldquo;What infrastructure changed yesterday?&amp;rdquo;) and receive immediate, actionable answers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Built-In Instrumentation via IDP Components&lt;/strong&gt;:&lt;br&gt;
When you author components and templates in Pulumi IDP, you can bake in standard logging, metrics, and tracing hooks. Every service spun up from those templates ships with consistent instrumentation on day one.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;With Pulumi, observability can become an integrated part of your platform, accelerating innovation, improving reliability, and empowering engineering teams to confidently build, deploy, and operate software.&lt;/p&gt;
&lt;h2 id="conclusion-observability-as-a-platform-feature"&gt;Conclusion: Observability as a Platform Feature&lt;/h2&gt;
&lt;span style="width: 225px; float: left; margin-right: 20px;"&gt;
&lt;span style="text-align:center"&gt;
&lt;img src="happy.png" width="200px" alt="happy expression"&gt;
&lt;figcaption&gt;
&lt;i&gt;Happy resolving an incident in minutes.&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/span&gt;
&lt;/span&gt;
&lt;p&gt;Observability isn’t just about plugging in more tools. It’s about baking-in consistent instrumentation, measurement, and context so every engineer (platform, DevOps/SRE, or application) knows exactly where to look and how to act.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Service-Templates with Built-In Telemetry&lt;/strong&gt;
By providing service templates that already include logging, metrics gathering, and tracing, you eliminate “Oops, I forgot to instrument X” moments. Every new microservice inherits a standard setup, so you never have to retroactively add code or scramble when traffic first hits production.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Consistent Service Dashboards &amp;amp; Centralized Service List&lt;/strong&gt;
Instead of hunting across eight different dashboards, engineers always start from a single “Service List” page. From there, one click takes them to that service’s metrics overview, log stream, or trace waterfall. This unified entry point reduces cognitive load and cuts straight to “Where’s the problem?”&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Measuring Alert Quality and Actionability&lt;/strong&gt;
A truly mature platform doesn’t just send alerts. It tracks whether those alerts are helpful or noise. By measuring “ratio of actionable alerts vs. false positives,” you continuously fine-tune thresholds and eliminate alert fatigue. The result? Engineers trust their notifications and respond faster to real incidents.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;AI-Driven Context and Natural-Language Troubleshooting&lt;/strong&gt;
On top of unified telemetry and alert quality metrics, AI can instantly correlate recent deployments, configuration changes, and error spikes. Engineers can ask, “Why did latency jump at 3 AM?” or “What changed in production last night?” in plain English, and the platform provides a clear, context-enriched answer. This additional layer turns reactive firefighting into proactive problem prevention.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;When you combine these elements (components and templates, a single service dashboard, alert quality measurement, and AI/natural-language querying), you transform observability into a genuine superpower. Issues are spotted, triaged, and fixed before customers even notice.&lt;/p&gt;
&lt;p&gt;Next time, we’ll dive into the final pillar, Platform Governance, showing how to enforce policy, manage costs, and keep your platform secure and compliant as it scales.&lt;/p&gt;</description><author>Adam Gordon Bell</author><category>platform-engineering</category></item><item><title>Security as an Enabler: Building Trust into Your Platform</title><link>https://www.pulumi.com/blog/platform-engineering-pillars-5/</link><pubDate>Fri, 11 Apr 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/platform-engineering-pillars-5/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/platform-engineering-pillars-5/index.png" /&gt;
&lt;p&gt;In previous articles, we looked at how &lt;a href="https://www.pulumi.com/blog/series/platform-engineering-pillars/"&gt;platform engineering&lt;/a&gt; fixes infrastructure chaos, enables self-service, and improves developer workflows. These pillars work together to boost both developer productivity and organizational speed.&lt;/p&gt;
&lt;p&gt;But there&amp;rsquo;s still one critical element that can make or break all this progress: security.&lt;/p&gt;
&lt;p&gt;Traditional security efforts — even &amp;ldquo;shift-left&amp;rdquo; initiatives — often create friction instead of clearing the way for innovation. Embedding security directly into your platform changes that. By weaving in policy-as-code, centralized secrets management, and identity-based authentication, you turn security from a blocker into an enabler. And with the right metrics, you can measure how well your platform balances protection and speed.&lt;/p&gt;
&lt;p&gt;When security is baked into your internal developer platform, it stops being a gatekeeper. Developers move faster — and with more confidence.&lt;/p&gt;
&lt;p&gt;Done right, your teams gain autonomy without compromising safety. Security people become partners instead of blockers. Your organization builds trust that speeds up innovation rather than slowing it down.&lt;/p&gt;
&lt;h2 id="the-problem-security-as-a-gatekeeper"&gt;The Problem: Security as a Gatekeeper&lt;/h2&gt;
&lt;p&gt;Traditional security practices often create friction rather than enable innovation. Developers run into several pain points: last-minute security reviews that delay deployments, unclear policies that feel arbitrary, and security teams that act more like blockers than partners.&lt;/p&gt;
&lt;p&gt;This friction has real consequences. When security becomes a bottleneck, developers find ways around it. They take shortcuts. All of this increases risk through inconsistent security practices.&lt;/p&gt;
&lt;p&gt;The end result is that innovation slows down. Developer autonomy shrinks. And the agility your platform was supposed to deliver disappears.&lt;/p&gt;
&lt;p&gt;Many organizations try to fix this by &amp;ldquo;shifting security left&amp;rdquo; - moving security checks earlier in development. But just dumping security responsibilities onto developers isn&amp;rsquo;t the answer. It overwhelms them and can still create inconsistencies.&lt;/p&gt;
&lt;p&gt;The real solution isn&amp;rsquo;t just about changing when security happens. It&amp;rsquo;s about changing how it works.&lt;/p&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;&lt;h3 id="key-security-functions-within-a-platform"&gt;Key Security Functions within a Platform&lt;/h3&gt;
&lt;p&gt;Effective platform security involves several key functions, regardless of how they are distributed across teams or individuals in your organization:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Defining Security Strategy &amp;amp; Policy:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Developing and maintaining security policies, standards, and architectural best practices tailored to the organization.&lt;/li&gt;
&lt;li&gt;Providing security guidance, education, and support across engineering teams.&lt;/li&gt;
&lt;li&gt;Performing threat modeling, security architecture reviews, and proactive security assessments.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Monitoring &amp;amp; Responding to Threats:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Actively monitoring systems to detect security events and potential threats in real-time.&lt;/li&gt;
&lt;li&gt;Managing security tooling (like SIEMs, vulnerability scanners) and orchestrating incident response procedures.&lt;/li&gt;
&lt;li&gt;Investigating incidents, coordinating remediation efforts, and managing security automation.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Integrating Security into Development &amp;amp; Infrastructure:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Embedding security controls directly into the development lifecycle and infrastructure provisioning processes.&lt;/li&gt;
&lt;li&gt;Implementing secure-by-default configurations, automated security checks (SAST, DAST, SCA), and policy-as-code guardrails.&lt;/li&gt;
&lt;li&gt;Ensuring security considerations are built into CI/CD pipelines, service templates, and infrastructure modules from the start.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Collaboration &lt;em&gt;between&lt;/em&gt; these functions is crucial. A successful platform ensures that policy definition, operational monitoring, and practical implementation work together seamlessly to create a secure environment without hindering velocity.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3 id="the-solution-embedding-security-into-developer-workflows"&gt;The Solution: Embedding Security into Developer Workflows&lt;/h3&gt;
&lt;p&gt;The key to solving security friction isn&amp;rsquo;t just adding more checkpoints earlier. It&amp;rsquo;s weaving security directly into your platform and your developers&amp;rsquo; daily work.&lt;/p&gt;
&lt;p&gt;Adding automated scans to your CI/CD pipeline is a good start. Tools like Dependabot, Snyk, and Trivy catch problems early and alert developers quickly. But these &amp;ldquo;shift-left&amp;rdquo; checks alone aren&amp;rsquo;t enough. Developers still need to interpret findings and fix issues, often without adequate support.&lt;/p&gt;
&lt;p&gt;Platform engineering takes a different approach. It builds security in from the start, rather than treating it as a final hurdle or dumping complex responsibilities on developers. It uses secure-by-default components and automated guardrails that work continuously.&lt;/p&gt;
&lt;p&gt;Let&amp;rsquo;s see what this looks like in practice.&lt;/p&gt;
&lt;h3 id="policy-as-code-for-security-automating-trust"&gt;Policy-as-Code for Security: Automating Trust&lt;/h3&gt;
&lt;p&gt;If you&amp;rsquo;ve implemented the &lt;a href="https://www.pulumi.com/blog/platform-engineering-pillars-3/"&gt;intent-based approach&lt;/a&gt; we covered earlier, your developers already use secure-by-default modules. They simply request what they need (&amp;ldquo;I need a Java service with Kafka and PostgreSQL&amp;rdquo;), and the platform handles security details like IAM roles, encryption, and permissions.&lt;/p&gt;
&lt;p&gt;But secure defaults aren&amp;rsquo;t enough. You still need automated guardrails. Policy-as-Code adds this enforcement layer, keeping security standards consistent—even when someone tries to bypass or change the modules. It&amp;rsquo;s a backup system: secure modules provide your first defense, and Policy-as-Code catches anything that might slip through.&lt;/p&gt;
&lt;p&gt;For Example:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;IAM Roles with Least Privilege:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Secure Default (Module):&lt;/strong&gt; The platform team&amp;rsquo;s IAM module automatically generates roles with least-privilege permissions. Developers don&amp;rsquo;t specify IAM roles directly.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Policy-as-Code (Additional Guardrail):&lt;/strong&gt; A policy explicitly checks all IAM roles provisioned by the platform, ensuring no role grants overly broad permissions (e.g., no wildcard permissions). If a module is accidentally modified or misconfigured, the policy catches it immediately.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Mandatory Encryption at Rest:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Secure Default (Module):&lt;/strong&gt; The platform team&amp;rsquo;s database module automatically provisions databases with encryption at rest enabled. Developers don&amp;rsquo;t specify encryption settings directly.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Policy-as-Code (Additional Guardrail):&lt;/strong&gt; A policy explicitly checks all storage resources to ensure encryption at rest is always enabled. If a developer or platform engineer accidentally modifies the module or bypasses it, the policy immediately flags the issue.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;When you add Policy-as-Code to your platform, security becomes automatic and clear. Developers get instant feedback they can trust, and security teams maintain control without slowing things down. Your teams can move fast without taking shortcuts that create risk.&lt;/p&gt;
&lt;h3 id="protecting-sensitive-credentials-by-default"&gt;Protecting Sensitive Credentials by Default&lt;/h3&gt;
&lt;p&gt;Policy-as-Code secures your infrastructure, but you still need to protect how applications access sensitive resources like databases and APIs.&lt;/p&gt;
&lt;p&gt;Here&amp;rsquo;s what often happens: A developer copies database passwords into a local .env file. They accidentally commit this file to Git, exposing the credentials to anyone with repository access. Or they inadvertently bake these secrets into a Docker image that others can download. Worse yet, if their laptop gets hacked, attackers can use these credentials to break into production systems.&lt;/p&gt;
&lt;p&gt;When these breaches happen, everything stops. Teams scramble to rotate credentials, investigate the damage, and fix systems—creating delays and increasing risk.&lt;/p&gt;
&lt;p&gt;Centralized secrets management provides a robust solution to credential security. It stores sensitive information in a secure vault and offers controlled access methods at runtime. Developers work with the secrets management solution instead of handling credentials directly, which significantly reduces exposure risk.&lt;/p&gt;
&lt;p&gt;Platform teams build these secure patterns into their service templates. They create clear pathways for accessing credentials that guide developers toward secure practices in both development and production environments.&lt;/p&gt;
&lt;p&gt;With this approach, your deployments become both faster and safer. Developers follow simpler, more consistent security procedures, while security teams gain confidence that credentials are properly protected throughout your systems.&lt;/p&gt;
&lt;h3 id="identity-and-access-management-frictionless-security-through-identity"&gt;Identity and Access Management: Frictionless Security through Identity&lt;/h3&gt;
&lt;p&gt;Your platform must also solve another security problem: how people and systems safely access cloud resources.&lt;/p&gt;
&lt;p&gt;Developers hate juggling multiple credentials—cloud provider keys, passwords, or tokens. These credentials can expire, get lost, or leak, causing headaches and security risks.&lt;/p&gt;
&lt;p&gt;Consider a common scenario: A developer trying to fix a broken production system finds their credentials have expired. Now they&amp;rsquo;re stuck hunting for new credentials instead of fixing the problem.&lt;/p&gt;
&lt;p&gt;Identity-based authentication fixes this. Developers just use their regular login. When developers log in normally, they automatically get secure access to cloud resources through OIDC or SAML. No more managing credentials. Access stays secure and current.&lt;/p&gt;
&lt;p&gt;This approach simplifies access and removes barriers. Developers get secure access to resources when they need them, speeding up work without weakening security.&lt;/p&gt;
&lt;p&gt;Identity-based authentication, combined with policy-as-code guardrails and centralized secrets management, creates a comprehensive security system that protects without impeding work. To see how these practices function together, let&amp;rsquo;s look at a real example.&lt;/p&gt;
&lt;h2 id="real-world-example-security-enablement-from-build-to-incident-response"&gt;Real-World Example: Security Enablement from Build to Incident Response&lt;/h2&gt;
&lt;p&gt;A developer deploys a new microservice. They select a secure template from the service catalog. Policy-as-code instantly checks that encryption and permissions are set correctly, and credentials are setup in a centralized secrets management environment.&lt;/p&gt;
&lt;p&gt;As the service builds, automatic scans check dependencies and container images for vulnerabilities. The system creates a dependency list (SBOM), tracking every component used. Build pipelines verify and sign code, so only trusted code reaches production.&lt;/p&gt;
&lt;p&gt;Once deployed, security monitoring begins automatically, showing the service&amp;rsquo;s security status in real time. Later, someone discovers a vulnerability in a library used by the microservice. Thanks to the dependency list, the security team immediately knows which services are vulnerable. Monitoring spots suspicious activity and sends clear alerts to the team&amp;rsquo;s dashboards.&lt;/p&gt;
&lt;p&gt;Clear incident response plans help teams contain and fix the problem. The team patches the vulnerable component, using the same secure pipelines to quickly roll out the fix.&lt;/p&gt;
&lt;p&gt;In this scenario, security helps rather than blocks at every stage. From building to responding to incidents, your platform helps teams build secure software quickly.&lt;/p&gt;
&lt;p&gt;But how do you know if your security practices are truly enabling your teams? To answer that, you need clear, actionable metrics.&lt;/p&gt;
&lt;h2 id="metrics-measuring-security-enablement"&gt;Metrics: Measuring Security Enablement&lt;/h2&gt;
&lt;p&gt;To check if your security approach works, track two things:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Security Incident Rate:&lt;/strong&gt;&lt;br&gt;
Count how many security problems reach production. Fewer incidents means your security is working.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Developer Security Friction Score:&lt;/strong&gt;&lt;br&gt;
Include security questions in your regular developer surveys. Ask how much security processes slow their work or cause frustration. Improving scores show that security fits naturally into their workflow.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These two measures combined tell you your security works and at what cost, so your team can build good software fast.&lt;/p&gt;
&lt;h2 id="pulumi-and-security-enablement"&gt;Pulumi and Security Enablement&lt;/h2&gt;
&lt;p&gt;Achieving these goals, a decreasing incident rate coupled with a low developer friction score, requires a platform built with the right foundations. Pulumi helps you construct such a platform by providing built-in capabilities that directly embed security into your infrastructure workflows:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="https://www.pulumi.com/crossguard/"&gt;Policy as Code (CrossGuard)&lt;/a&gt;:&lt;/strong&gt; Automatically enforce security and compliance standards.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="https://www.pulumi.com/product/esc/"&gt;Secure Secrets Management (Pulumi ESC)&lt;/a&gt;:&lt;/strong&gt; Centralize and securely inject secrets without manual handling.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/"&gt;Identity-Based Authentication&lt;/a&gt;:&lt;/strong&gt; Simplify secure access to cloud resources using existing identities.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;With Pulumi, security becomes an integrated, frictionless part of your platform—accelerating innovation while building trust.&lt;/p&gt;
&lt;h2 id="security-as-a-platform-feature"&gt;Security as a Platform Feature&lt;/h2&gt;
&lt;p&gt;Security can help, not hinder. By building security into your platform, you help developers work faster and safer. Security becomes a feature, not an obstacle.&lt;/p&gt;
&lt;p&gt;Security completes the platform foundation we&amp;rsquo;ve built in previous articles on &lt;a href="https://www.pulumi.com/blog/platform-engineering-pillars-2/"&gt;Provisioning&lt;/a&gt;, &lt;a href="https://www.pulumi.com/blog/platform-engineering-pillars-3/"&gt;Self-Service&lt;/a&gt;, and &lt;a href="https://www.pulumi.com/blog/platform-engineering-pillars-4/"&gt;Developer Experience&lt;/a&gt;, creating a platform that speeds up development.&lt;/p&gt;
&lt;p&gt;But developers still need to see what&amp;rsquo;s happening in their systems. Next time, we&amp;rsquo;ll explore how Observability helps developers spot and fix problems quickly.&lt;/p&gt;</description><author>Adam Gordon Bell</author><category>platform-engineering</category></item><item><title>Improve Developer Experience: Increase Dev Productivity with Internal Developer Platforms</title><link>https://www.pulumi.com/blog/platform-engineering-pillars-4/</link><pubDate>Thu, 13 Mar 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/platform-engineering-pillars-4/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/platform-engineering-pillars-4/index.png" /&gt;
&lt;p&gt;In the last article in this &lt;a href="https://www.pulumi.com/blog/series/platform-engineering-pillars/"&gt;Platform Engineering Pillars series&lt;/a&gt;, we explored how &lt;strong&gt;self-service infrastructure&lt;/strong&gt; frees developers from bottlenecks and dependency gates. By providing reusable infrastructure modules and intent-based configurations, platform teams dramatically reduce infrastructure friction. This self-service model powers faster deployments, increased autonomy, and fewer delays.&lt;/p&gt;
&lt;p&gt;However, &lt;strong&gt;infrastructure provisioning alone isn’t enough to improve developer experience&lt;/strong&gt;. Even with efficient provisioning, developers can still face inconsistent local setups, sluggish CI/CD pipelines, poor documentation, and fragmented tooling. These obstacles quietly reduce &lt;strong&gt;developer productivity&lt;/strong&gt;, slow &lt;strong&gt;developer velocity&lt;/strong&gt;, and increase operational overhead.&lt;/p&gt;
&lt;div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"&gt;
&lt;iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/is83TV8nrTg?rel=0?autoplay=0&amp;amp;controls=1&amp;amp;end=0&amp;amp;loop=0&amp;amp;mute=0&amp;amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"&gt;&lt;/iframe&gt;
&lt;/div&gt;
&lt;p&gt;Your platform’s ability to support daily workflows directly impacts core success metrics like &lt;strong&gt;time to first commit&lt;/strong&gt;, &lt;strong&gt;time to production&lt;/strong&gt;, and &lt;strong&gt;developer satisfaction&lt;/strong&gt;.&lt;/p&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;&lt;p&gt;When improving &lt;strong&gt;developer experience&lt;/strong&gt; as part of a platform engineering initiative, measure:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Time to First Commit&lt;/strong&gt; – How quickly a developer can become productive in a new environment or project. Pay particular attention to new hires.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Time to Production&lt;/strong&gt; – How fast code moves from commit to successful production release.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Developer Satisfaction&lt;/strong&gt; – Regularly survey friction points and prioritize fixing the top issues.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Friction logs&lt;/strong&gt; are also a powerful way to identify roadblocks, recording every obstacle encountered during common workflows. This reveals hidden friction and provides a roadmap for improvement.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;A great &lt;strong&gt;developer experience&lt;/strong&gt; accelerates iteration, improves problem-solving, and drives better products. An &lt;strong&gt;internal developer platform (IDP)&lt;/strong&gt; designed for &lt;a href="https://www.pulumi.com/blog/developer-experience-business-critical/"&gt;DevEx is a fundamental competitive advantage&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id="the-service-catalog-foundation-for-developer-experience"&gt;The Service Catalog: Foundation for Developer Experience&lt;/h2&gt;
&lt;p&gt;Developer friction often starts with something simple: not knowing what’s already available or who owns it. Without a single, reliable source of truth, developers reinvent the wheel, duplicate work, and waste time chasing information.&lt;/p&gt;
&lt;p&gt;A well-structured &lt;strong&gt;service catalog&lt;/strong&gt; in your internal developer platform addresses this by providing a central repository for all services and applications. At its most basic, it&amp;rsquo;s just a web page with each service&amp;rsquo;s README, service metadata, and operational information.&lt;/p&gt;
&lt;p&gt;But, properly structured, this delivers some large benefits:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Context at a Glance&lt;/strong&gt;: Every catalog entry follows a standardized template, capturing core information such as purpose, interfaces (REST, gRPC, events, etc.), language/runtime, and environment requirements. New developers can quickly grasp a service&amp;rsquo;s role and easily jump into productive work.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Discoverability and Reuse&lt;/strong&gt;: Without a catalog, teams often recreate services they don&amp;rsquo;t realize already exist. Duplicate services not only waste resources but lead to fragmented knowledge and inconsistencies. With a catalog, developers quickly find and leverage existing solutions, increasing reusability and reducing churn.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Ownership Transparency&lt;/strong&gt;: Each entry in the catalog explicitly names team ownership, CODEOWNERS files, and pertinent contact details like Slack channels or on-call rotations. Clear ownership streamlines communication, issue resolution, and collaboration, saving precious time and avoiding frustrations.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;A &lt;strong&gt;service catalog&lt;/strong&gt; supports autonomy, reduces wasted cycles, and increases &lt;strong&gt;developer velocity&lt;/strong&gt; by making essential information instantly accessible.&lt;/p&gt;
&lt;p&gt;But a Service Catalog alone isn&amp;rsquo;t enough. To fully streamline and enhance your development workflow, you must pair it with consistent local environments and reliable CI/CD processes. Both of which can be serviced by standardized service templates.&lt;/p&gt;
&lt;h2 id="service-templates-golden-paths-for-improving-developer-productivity"&gt;Service Templates: Golden Paths for Improving Developer Productivity&lt;/h2&gt;
&lt;p&gt;Earlier in this &lt;a href="https://www.pulumi.com/blog/platform-engineering-pillars-2/"&gt;series&lt;/a&gt;, we introduced &lt;strong&gt;service templates&lt;/strong&gt; as a way to scaffold consistent, ready-to-go services. In an &lt;strong&gt;internal developer platform&lt;/strong&gt;, templates aren’t just for infrastructure, they’re the &lt;strong&gt;&lt;a href="https://www.pulumi.com/blog/golden-paths-infrastructure-components-and-templates/"&gt;golden paths&lt;/a&gt;&lt;/strong&gt; that define how developers start and succeed.&lt;/p&gt;
&lt;p&gt;If 90% of new services are Go GRPC services, then a carefully crafted, opinionated go GRPC service blueprint will remove a lot of friction. It will give developers everything they need to begin delivering real business value immediately. A few select curated options of common starting points will help guide developers to generate projects complete with standardized structure, built-in quality checks, documentation, and clear guidelines for contribution.&lt;/p&gt;
&lt;p&gt;A great service template provides:&lt;/p&gt;
&lt;h3 id="project-bootstrapping"&gt;Project Bootstrapping&lt;/h3&gt;
&lt;p&gt;The template quickly scaffolds an entire service—including all necessary files and directories. Everything essential for your organization&amp;rsquo;s standards should be included, from CI/CD configurations and dependency management to directory structures and environment-specific configuration files.&lt;/p&gt;
&lt;h3 id="built-in-quality-tools"&gt;Built-in Quality Tools&lt;/h3&gt;
&lt;p&gt;Templates embed guardrails that maintain consistency and high-quality standards across teams:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Linting rules and formatters&lt;/strong&gt;: Tools like ESLint, flake8, or Checkstyle that ensure code style and consistency across your codebase.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Testing frameworks&lt;/strong&gt;: Unit tests, integration tests, and contract testing tools set up and pre-configured (JUnit, pytest, Jest, Pact), helping teams maintain high quality right out of the gate.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="documentation-and-contribution-guides"&gt;Documentation and Contribution Guides&lt;/h3&gt;
&lt;p&gt;Many platform teams overlook how clear, consistent documentation is crucial for initial and ongoing developer productivity. Every new service should arrive out-of-the-box with:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;README&lt;/strong&gt;: Describing at a glance what the project does, why it exists, and how to run it.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Documentation&lt;/strong&gt;: Service template establishes a place for service-specific documentation that will be surfaced in the Service catalog. Markdown explanations, example input/output, and real-world use-cases.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Contribution guidelines and coding standards&lt;/strong&gt;: Clearly documenting the expectations, conventions, and standards every developer can follow with confidence.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Embedding this documentation into templates ensures that even brand-new services are discoverable, understandable, and maintainable — right from their first commit.&lt;/p&gt;
&lt;p&gt;A great template means the service catalog becomes more than just an organizational listing. These thoughtfully designed templates can directly power it. Every new service entering your catalog aligns neatly with your organization&amp;rsquo;s best practices in code quality, documentation, and process standards.&lt;/p&gt;
&lt;p&gt;When paired with your &lt;strong&gt;service catalog&lt;/strong&gt;, templates ensure every new service aligns with best practices — boosting &lt;strong&gt;developer productivity&lt;/strong&gt; and &lt;strong&gt;developer velocity&lt;/strong&gt; from day one.&lt;/p&gt;
&lt;h2 id="streamlining-local-development-to-reduce-friction"&gt;Streamlining Local Development to Reduce Friction&lt;/h2&gt;
&lt;p&gt;One of the fastest ways to improve &lt;strong&gt;time to first commit&lt;/strong&gt; is to standardize local development workflows through your &lt;strong&gt;internal developer platform&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;Your service templates provide the ideal mechanism for simplifying how quickly developers can get projects running locally. By embedding standardized local-development tooling into these templates, you ensure they&amp;rsquo;re available consistently across your service catalog. Good templates typically contain:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;A preconfigured, containerized environments:&lt;/strong&gt; Using Dev Containers, Docker Compose, or similar tools lets developers launch an environment that closely resembles production with minimal friction, completely avoiding dependency drift or local environment inconsistencies.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Simple, standardized command runner:&lt;/strong&gt; Makefiles, just scripts, package.json scripts—whatever works as they&amp;rsquo;re consistently documented and easy to run commands such as &lt;code&gt;make build&lt;/code&gt;, &lt;code&gt;make test&lt;/code&gt;, or &lt;code&gt;make lint&lt;/code&gt;. Teams might diverge on preferred tooling over time; if so, simply record clearly in the project&amp;rsquo;s readme (and thus in your service catalog) exactly what&amp;rsquo;s needed.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Built-in documentation:&lt;/strong&gt; Each service template includes clear instructions in a README outlining step-by-step processes for setup, running tests, and other everyday developer tasks.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;With these pieces fully integrated into your catalog and templates, you significantly reduce friction and speed up development cycles, moving you meaningfully closer to improving your core developer-experience metrics.&lt;/p&gt;
&lt;p&gt;The next critical area we need to address is how smoothly and quickly code moves from a local commit to a production release.&lt;/p&gt;
&lt;h2 id="cicd-integration-fast-reliable-pipelines-for-experienced-developers"&gt;CI/CD Integration: Fast, Reliable Pipelines for Experienced Developers&lt;/h2&gt;
&lt;p&gt;Experienced developers cite unreliable or slow pipelines as major productivity killers. Their frustrations often revolve around flaky builds, unreliable tests, and cumbersome environment setups. Slow or unpredictable pipelines break developer flow, causing frustration, delays, and lower productivity.&lt;/p&gt;
&lt;p&gt;A strong &lt;strong&gt;internal developer platform&lt;/strong&gt; integrates fast, stable, and predictable CI/CD processes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Stable, Fast Feedback:&lt;/strong&gt;&lt;br&gt;
Every new service comes pre-configured with build acceleration strategies like intelligent caching (Gradle, Bazel, Docker layers) and automatic parallel test execution. Stable and speedy pipelines help teams iterate quickly and confidently.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Ephemeral, Self-service Environments:&lt;/strong&gt;&lt;br&gt;
Instead of battling shared staging environments – which get blocked by other teams— developers spin up short-lived testing environments directly from pull requests. Need to test your payment-service changes against the latest user-authentication service? Create a dedicated, temporary environment on-the-fly, validate interactions, then shut it down automatically when finished.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Test Reliability:&lt;/strong&gt;&lt;br&gt;
Strictly enforce policies to quarantine flaky tests, quickly escalate notifications to responsible developers, and provide clear paths for fixing instabilities. Proactive flakiness management ensures credibility and reliability for test pipelines over time.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Reliable CI/CD pipelines protect developer focus, reduce cognitive load, maintain &lt;strong&gt;developer velocity&lt;/strong&gt;, and prevent wasted time, increasing &lt;strong&gt;developer productivity&lt;/strong&gt;.&lt;/p&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;&lt;p&gt;Developer experience is a vast, nuanced topic, and there&amp;rsquo;s much more a comprehensive platform can include than we&amp;rsquo;ve been able to explore fully here. Even just within your Service Catalog and developer workflows, valuable additions might include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Onboarding Guides&lt;/strong&gt;: Step-by-step guides rapidly bringing new developers up to speed on teams, tools, and processes.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Frictionless Product Backlog Integration&lt;/strong&gt;: Quick access from codebases to the product backlog to connect code directly with the business context.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Code Coverage &amp;amp; Quality Dashboards&lt;/strong&gt;: Easy-to-use visualizations offering fast insights into quality metrics and test coverage.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Deprecation Notices &amp;amp; Change Management&lt;/strong&gt;: Automated notifications about changes, upcoming maintenance, or decommission plans to keep developers informed and prepared.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Pre-built Common Components&lt;/strong&gt;: Shared libraries and components solving everyday needs like logging, authentication, validation, and configuration.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;And that&amp;rsquo;s truly just scratching the surface. But remember: Platform engineering is an iterative journey, you don&amp;rsquo;t need to tackle every single area all at once. If you start with friction logs and surveys to regularly identify and address pain points affecting daily workflows, you&amp;rsquo;ll already be heading confidently in the right direction.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="conclusion-idps-as-a-devex-multiplier"&gt;Conclusion: IDPs as a DevEx Multiplier&lt;/h2&gt;
&lt;p&gt;A great &lt;strong&gt;developer experience&lt;/strong&gt; is not optional — it’s a force multiplier for &lt;strong&gt;developer productivity&lt;/strong&gt; and &lt;strong&gt;developer velocity&lt;/strong&gt;. An &lt;strong&gt;internal developer platform&lt;/strong&gt; with service catalogs, golden path templates, streamlined local dev, and integrated CI/CD removes friction at every step of the developer journey.&lt;/p&gt;
&lt;p&gt;The result? Faster onboarding, quicker delivery, and happier teams.&lt;/p&gt;
&lt;p&gt;With Pulumi, platform teams can automate consistent environments, implement golden paths, and enable self-service infrastructure that scales with your organization.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/templates/"&gt;Organization Templates&lt;/a&gt; enables standardized service creation and consistent developer experiences&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/concepts/stack/#stackreferences"&gt;Stack References&lt;/a&gt; for managing dependencies between environments and services&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/"&gt;Pulumi Deployments&lt;/a&gt; to streamline CI/CD workflows and enable self-service infrastructure&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/review-stacks/"&gt;Review Stacks&lt;/a&gt; for creating ephemeral, on-demand testing environments&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/iac/packages-and-automation/automation-api/"&gt;Automation API&lt;/a&gt; for programmatically managing infrastructure and implementing platform workflows&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;By prioritizing &lt;strong&gt;developer experience&lt;/strong&gt; in your &lt;a href="https://www.pulumi.com/blog/idp-strategy-planning-self-service-infrastructure-that-balances-developer-autonomy-with-operational-control/"&gt;platform engineering strategy&lt;/a&gt;, you empower teams to move faster, build better, and maintain momentum, making your internal developer platform one of the most valuable assets in your organization.&lt;/p&gt;</description><author>Adam Gordon Bell</author><category>platform-engineering</category></item><item><title>Self-Service Infrastructure: From Tickets to Tools</title><link>https://www.pulumi.com/blog/platform-engineering-pillars-3/</link><pubDate>Thu, 06 Mar 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/platform-engineering-pillars-3/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/platform-engineering-pillars-3/index.png" /&gt;
&lt;p&gt;&lt;a href="https://www.pulumi.com/blog/series/platform-engineering-pillars/"&gt;Previous articles&lt;/a&gt; in this series explored &lt;a href="https://www.pulumi.com/what-is/what-is-platform-engineering/"&gt;platform engineering&lt;/a&gt; principles and how Infrastructure as Code creates a solid foundation. But there&amp;rsquo;s still an important challenge to address: the infrastructure provisioning process itself. Without proper modularity and a clear separation between intent and infrastructure details, things get messy—leading to friction, delays, and unnecessary complexity.&lt;/p&gt;
&lt;h2 id="the-missing-layer-abstraction-through-modularity"&gt;The Missing Layer: Abstraction Through Modularity&lt;/h2&gt;
&lt;p&gt;The root issue here is how teams define and work with infrastructure. Without good abstraction layers, infrastructure code typically becomes unwieldy and complex.&lt;/p&gt;
&lt;p&gt;You end up with&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Highly detailed specifications that require deep domain knowledge&lt;/li&gt;
&lt;li&gt;Environment-specific configurations with subtle variations across resources&lt;/li&gt;
&lt;li&gt;Complex interdependencies that are difficult to trace and verify&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This approach burdens developers with low-level details they don’t need to worry about, while platform teams become gatekeepers, reviewing intricate configurations. Alternatively, a traditional ticketing model takes over, discarding the benefits of modern practices.&lt;/p&gt;
&lt;div style="text-align: center; width: 100%; margin: 0 auto;"&gt;
&lt;img src="platform.png" alt="" style="width: 100%;"&gt;
&lt;figcaption&gt;
&lt;i&gt;Solution: A Platform Engineering Approach&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/div&gt;
&lt;p&gt;What’s missing is a proper abstraction layer between raw infrastructure code and developer needs. &lt;strong&gt;That layer is the platform. A Platform for self-service infrastructure.&lt;/strong&gt; Without modular, reusable infrastructure patterns, every new application deployment becomes an exercise in starting from scratch and defining every detail instead of just stating what the application requires and deferring details to the platform.&lt;/p&gt;
&lt;h3 id="common-anti-patterns-without-proper-abstraction"&gt;Common Anti-Patterns Without Proper Abstraction&lt;/h3&gt;
&lt;p&gt;Without this modular platform approach to cloud infrastructure, organizations typically fall into one of two problematic patterns.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The Copy-Paste Anti-Pattern&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Developers copy infrastructure code from previous projects. They find something similar, duplicate large chunks of configuration, make a few changes, and hope everything is right, and submit it for review. This leads to a brittle system with siloed knowledge. Security fixes must be applied manually across every instance – no one has a full picture of the infrastructure – and Day 2 Operations become error prone.&lt;/p&gt;
&lt;p&gt;And this isn&amp;rsquo;t limited to infrastructure: CI scripts get copied and modified, Dockerfiles and Kubernetes manifests get copied and modified.&lt;/p&gt;
&lt;p&gt;It feels like control, but it&amp;rsquo;s not. Developers still rely on platform specialists to validate changes and catch mistakes.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The Ticketing Anti-Pattern&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Alternatively, some organizations rely on rigid ticketing systems for infrastructure changes. A platform specialist applies writes and applies all changes, ensuring consistency — but also creating bottlenecks. Developers might wait days or weeks for simple modifications, leaving the process entirely unfinished.&lt;/p&gt;
&lt;p&gt;This guarantees expert oversight but strips developers of autonomy, making the platform team a bottleneck for every deployment.&lt;/p&gt;
&lt;p&gt;Neither anti-pattern strikes a balance between standardization and autonomy, leading to either sloppy infrastructure (copy-paste) or slow deployments (ticketing).&lt;/p&gt;
&lt;h3 id="the-resulting-problems"&gt;The Resulting Problems&lt;/h3&gt;
&lt;h4 id="day-1-bottleneck-slow-manual-infrastructure--developer-gridlock"&gt;Day 1 Bottleneck: Slow, Manual Infrastructure = Developer Gridlock&lt;/h4&gt;
&lt;p&gt;When provisioning becomes a bottleneck, developers with finished code wait days for infrastructure. This disrupts focus and forces frequent context switching. They juggle tasks to stay productive and then have to rebuild focus when the requested infrastructure is ready.&lt;/p&gt;
&lt;p&gt;These delays slow the entire delivery pipeline. Teams add buffer time for infrastructure delays, projects slip, and the business sees technology as slow-moving. Meanwhile, the real culprit is slow provisioning that kills momentum.&lt;/p&gt;
&lt;h4 id="day-2-and-beyond-chaos-sprawling-unpredictable-infrastructure--operational-nightmare"&gt;Day 2 And Beyond Chaos: Sprawling, Unpredictable Infrastructure = Operational Nightmare&lt;/h4&gt;
&lt;p&gt;Day 1 bottlenecks frustrate developers, but the real long-term cost is patching hell. Copy-paste infrastructure creates hundreds of snowflakes, each needing manual attention for every security fix or version bump. One-off configurations and custom environments pile up, creating technical debt no one fully understands.&lt;/p&gt;
&lt;p&gt;Operations teams are overwhelmed by the basic, critical task of simply keeping the lights on across a sprawling, inconsistent landscape.&lt;/p&gt;
&lt;h2 id="the-solution-a-platform-of-options-and-self-service"&gt;The Solution: A Platform of Options and Self Service&lt;/h2&gt;
&lt;p&gt;A Self-service platform is the solution to these problems. The platform is this curated list of modules, providing application developers with a set of pre-built options that let them work at a higher level of abstraction. By choosing from these modules, developers express their intent for infrastructure, leaving the platform to handle the implementation details. Let me explain.&lt;/p&gt;
&lt;p&gt;A strong self-service approach divides responsibilities into two clear layers:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Level 1: Platform Team (Module Definition)&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Builds and updates reusable infrastructure modules&lt;/li&gt;
&lt;li&gt;Bakes in security, compliance, and best practices&lt;/li&gt;
&lt;li&gt;Hides complexity so developers don’t need to worry about copy and pasting low-level details&lt;/li&gt;
&lt;li&gt;Sets guardrails for scalability, security, and compliance&lt;/li&gt;
&lt;li&gt;Updates modules as technologies and needs change&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Level 2: Application Developers (Module Consumption)&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Browse a catalog of ready-made modules&lt;/li&gt;
&lt;li&gt;Compose pre-built modules to set up application infrastructure&lt;/li&gt;
&lt;li&gt;Spend time on code, not cloud configurations&lt;/li&gt;
&lt;li&gt;Operate within built-in guardrails&lt;/li&gt;
&lt;li&gt;Deploy applications faster using standardized components&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This setup keeps things fast and flexible. Developers get the autonomy to build without reinventing infrastructure, while platform teams maintain control where it matters.&lt;/p&gt;
&lt;h2 id="the-power-of-intent-based-specification"&gt;The Power of Intent-Based Specification&lt;/h2&gt;
&lt;div style="text-align: center; width: 100%; margin: 0 auto;"&gt;
&lt;img src="developer-intent.png" alt="" style="width: 100%;"&gt;
&lt;figcaption&gt;
&lt;i&gt;Layer of Abstraction to the Rescue&lt;/i&gt;
&lt;/figcaption&gt;
&lt;/div&gt;
&lt;p&gt;The two-level approach works by replacing over-specification with intent-based design.&lt;/p&gt;
&lt;p&gt;Over-specification happens when developers specify too many infrastructure details that:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Require expertise they might not have&lt;/li&gt;
&lt;li&gt;Tightly coupled infrastructure to specific implementations&lt;/li&gt;
&lt;li&gt;Make future changes hard or even impossible&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Intent-based specification means developers state what their app needs, not how to implement it, meaning:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Platform teams can update underlying infrastructure without breaking applications&lt;/li&gt;
&lt;li&gt;New capabilities can be added without disrupting existing applications&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Focusing on what developers need, not how it&amp;rsquo;s built, creates a system that’s easier to maintain and evolve for both platform teams and developers.&lt;/p&gt;
&lt;p&gt;Let&amp;rsquo;s walk through an example.&lt;/p&gt;
&lt;h2 id="practical-example-java-application-with-kafka-postgresql-and-redis"&gt;Practical Example: Java Application with Kafka, PostgreSQL, and Redis&lt;/h2&gt;
&lt;p&gt;The platform team provides reusable modules:&lt;/p&gt;
&lt;h3 id="java-application-module"&gt;Java Application Module&lt;/h3&gt;
&lt;p&gt;This module handles everything needed to run a Java app. It covers the Java runtime, memory settings, JVM options, scaling rules, health checks, monitoring, and Kubernetes namespacing. It also manages containers, security scans, resource limits, and logging integration—so developers don’t have to.&lt;/p&gt;
&lt;h4 id="kafka-integration-module"&gt;Kafka Integration Module&lt;/h4&gt;
&lt;p&gt;Similarly, this module simplifies Kafka integration, handling broker connections, authentication, topics, and security. It takes care of SASL/SSL authentication, replication factors, ACLs, and encryption. Developers just specify topics and schemas.&lt;/p&gt;
&lt;p&gt;And so on for common infrastructure components used in the org.&lt;/p&gt;
&lt;h3 id="level-2-developer-implementation"&gt;Level 2: Developer Implementation&lt;/h3&gt;
&lt;p&gt;Developers use a simpler interface. To deploy a new Java service with Kafka, PostgreSQL, and Redis, they only need to specify the required input parameters in the platform-defined modules:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c"&gt;# Developer&amp;#39;s intent-based configuration&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;application&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;name&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;order-processing-service&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;module&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;java-application&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;version&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;17&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;memory&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;2GB&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;scaling&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;min&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;2&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;max&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;10&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;integrations&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="nt"&gt;module&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;kafka&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;topics&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="nt"&gt;name&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;incoming-orders&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;partitions&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;5&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="nt"&gt;name&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;processed-orders&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;partitions&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;3&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;consumer_group&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;order-processors&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="nt"&gt;module&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;postgresql&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;database&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;orders_db&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;size&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;medium&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;backup&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;enabled&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="nt"&gt;module&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;redis&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;size&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;small&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;ttl&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;3600&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;( Note: YAML not required. This pseudo-code could be UI driven, or it could be written in your programming language of choice. The point is it specifies intent and defers specifics to the platform. )&lt;/p&gt;
&lt;h2 id="solving-day-1-and-day-2-challenges"&gt;Solving Day 1 and Day 2 Challenges&lt;/h2&gt;
&lt;p&gt;The intent-based specification solves immediate and long-term problems:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The Self-Service Transformation in Action:&lt;/strong&gt;&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Developer Experience&lt;/th&gt;
&lt;th&gt;Platform Response&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Submits simple intent-based configuration&lt;/td&gt;
&lt;td&gt;Expands into complete infrastructure&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Focuses on application needs, not infrastructure details&lt;/td&gt;
&lt;td&gt;Provisions resources with appropriate sizing and security controls&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Specifies &amp;ldquo;what&amp;rdquo; is needed, not &amp;ldquo;how&amp;rdquo; to configure it&lt;/td&gt;
&lt;td&gt;Handles networking, monitoring, backups, and credentials&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Limited expertise required in Kubernetes, networking, or security&lt;/td&gt;
&lt;td&gt;Implements best practices automatically across all deployments&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;Maintains and updates the underlying implementation over time&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;This approach transforms infrastructure from a developer burden into an organizational asset that becomes more valuable over time, rather than decaying into technical debt.&lt;/p&gt;
&lt;h3 id="developer-interaction-models-choosing-your-platform-interface"&gt;&lt;strong&gt;Developer Interaction Models: Choosing Your Platform Interface&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;Hopefully, now you are bought in on the value of separate layers of abstraction and building a platform to expose those.&lt;/p&gt;
&lt;p&gt;The next key decision is how developers will actually &lt;em&gt;use&lt;/em&gt; this platform. The ideal interface balances ease of use with the necessary flexibility. Organizations and requirements vary, so a spectrum of interaction models exists, each with its own trade-offs. Tree common approaches are: CLI-Driven Infrastructure as Code, the Self-Service Portal, and a Hybrid model.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Aspect&lt;/th&gt;
&lt;th&gt;CLI-Driven&lt;/th&gt;
&lt;th&gt;Self-Service Portal&lt;/th&gt;
&lt;th&gt;Hybrid Approach&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Developer Experience&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Code-based, using IaC modules and components directly&lt;/td&gt;
&lt;td&gt;Click-based UI with forms and catalogs&lt;/td&gt;
&lt;td&gt;Portal for common tasks, code for customization&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Code Visibility&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Full visibility and control&lt;/td&gt;
&lt;td&gt;Limited or no visibility&lt;/td&gt;
&lt;td&gt;Visible but with varying levels of access&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Governance&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Trust-based or PR reviews&lt;/td&gt;
&lt;td&gt;Enforced through portal constraints&lt;/td&gt;
&lt;td&gt;Guided paths with managed exceptions&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Learning Curve&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Higher (requires IaC knowledge)&lt;/td&gt;
&lt;td&gt;Lower (minimal infrastructure knowledge)&lt;/td&gt;
&lt;td&gt;Moderate (basic UI with optional advanced use)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Best For&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Experienced teams needing flexibility&lt;/td&gt;
&lt;td&gt;Teams prioritizing speed and standardization&lt;/td&gt;
&lt;td&gt;Organizations with diverse skill levels&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h4 id="1-cli-driven-infrastructure-as-code-empowering-developers-with-familiar-tools"&gt;&lt;strong&gt;1. CLI-Driven Infrastructure as Code: Empowering Developers with Familiar Tools&lt;/strong&gt;&lt;/h4&gt;
&lt;p&gt;In this approach, platform teams build reusable infrastructure modules while developers consume them directly through code. Developers use familiar IaC tools like Pulumi CLI to instantiate these modules, with changes flowing through version control like any other code.&lt;/p&gt;
&lt;p&gt;The key strength is transparency and familiarity. Developers maintain visibility and ownership of their intent-based definitions. This code-centric workflow integrates naturally with existing development practices.&lt;/p&gt;
&lt;p&gt;However, this flexibility creates governance challenges and requires either strong trust or approval processes that might reintroduce bottlenecks. The approach also assumes developers have some IaC knowledge, making it best suited for organizations with mature DevOps practices and experienced teams.&lt;/p&gt;
&lt;h4 id="2-self-service-portal-click-ops-simplicity-for-rapid-provisioning"&gt;&lt;strong&gt;2. Self-Service Portal: Click-Ops Simplicity for Rapid Provisioning&lt;/strong&gt;&lt;/h4&gt;
&lt;p&gt;The self-service portal approach creates a web interface where developers provision infrastructure without writing code. They simply browse a catalog, fill out forms, and click buttons to deploy standardized resources—all pre-configured by the platform team.&lt;/p&gt;
&lt;p&gt;This approach keeps infrastructure code completely centralized and hidden from developers. The portal translates simple selections (&amp;ldquo;Add Database: Medium Size&amp;rdquo;) into the appropriate underlying configurations, ensuring perfect compliance with organizational standards.&lt;/p&gt;
&lt;p&gt;The result is dramatically reduced friction and learning curve, enabling even infrastructure novices to deploy resources in minutes. However, this simplicity comes at the cost of flexibility. Customizations and unique needs typically require platform team involvement, making this model ideal for organizations with predictable workloads or where standardization outweighs customization needs.&lt;/p&gt;
&lt;h4 id="3-hybrid-approach-code-backed-self-service"&gt;&lt;strong&gt;3. Hybrid Approach: Code-Backed Self-Service&lt;/strong&gt;&lt;/h4&gt;
&lt;p&gt;The hybrid approach generates and modifies infrastructure code via pull requests from UI interactions. When developers configure resources through the portal, the system commits code to repositories automatically, creating a transparent workflow where changes are visible, reviewable, and auditable through standard Git processes.&lt;/p&gt;
&lt;p&gt;This model provides both simplicity and flexibility. Routine tasks remain point-and-click while complex scenarios allow direct code editing within the same PR workflow. The approach maintains a complete audit trail through commit history while giving platform teams visibility into all changes.&lt;/p&gt;
&lt;p&gt;A significant tradeoff is implementation complexity: building a system that generates commits and PRs based on version control integration requires substantial investment. Organizations must weigh this upfront cost against the long-term benefits of combining UI simplicity with code transparency.&lt;/p&gt;
&lt;h4 id="lifecycle-management"&gt;Lifecycle Management&lt;/h4&gt;
&lt;p&gt;More effective lifecycle management is an advantage of a platform approach. Consider migrating from Kafka to AWS Kinesis. Traditionally, this would involve significant application developer effort, including updating connection details, authentication, and application logic. However, with the two-level abstraction and intent-based approach described earlier, this migration becomes simpler. Platform teams introduce a new Kinesis module matching the existing Kafka module&amp;rsquo;s intent-based interface. Data is mirrored, and developers can plan a switchover. Migration will not be free, but efforts and coordination will be reduced.&lt;/p&gt;
&lt;p&gt;Life-Cycle management is a huge topic in Day 2 operations and outside the scope of what can be covered here, but introducing abstractions and a platform of modules will pay off long term.&lt;/p&gt;
&lt;h3 id="looking-ahead-operational-excellence-and-beyond"&gt;Looking Ahead: Operational Excellence and Beyond&lt;/h3&gt;
&lt;p&gt;The two-level abstraction model does not just simplify provisioning. It also lays a strong foundation for operational excellence. By standardizing infrastructure through reusable modules and intent-based specifications, we create consistency and visibility that significantly simplify critical operational concerns such as:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Drift Detection and Reconciliation:&lt;/strong&gt; Standardized modules make it easier to detect and correct deviations from desired state.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Continuous Compliance and Security:&lt;/strong&gt; Centralized module definitions allow security and compliance controls to be consistently enforced and audited.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cost Management and FinOps:&lt;/strong&gt; Intent-based specifications enable clearer cost attribution and optimization opportunities.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Observability and Incident Response:&lt;/strong&gt; Consistent infrastructure patterns simplify monitoring, alerting, and troubleshooting.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Later articles in this series will explore each of these areas in greater depth, demonstrating how a platform approach provides a powerful foundation for addressing them effectively.&lt;/p&gt;
&lt;h2 id="self-service-with-pulumi"&gt;Self-Service with Pulumi&lt;/h2&gt;
&lt;p&gt;The two-level architecture of IDP self-service creates a powerful interface between platform teams and application developers. By embracing intent-based specification, this approach enables developers to clearly express what they need with minimal complexity while giving platform teams the flexibility to implement and evolve the underlying infrastructure.&lt;/p&gt;
&lt;p&gt;As you build out your self-service approach, consider how Pulumi might fit in. With Pulumi, you get:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/iac/concepts/resources/components/"&gt;Component resources&lt;/a&gt; for creating reusable infrastructure modules that encapsulate best practices.&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/developer-portals/templates/"&gt;Organization templates&lt;/a&gt; for building a catalog of infrastructure templates.&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/product/packages/"&gt;Packages&lt;/a&gt; in your language of choice for a code-first self-service workflow.&lt;/li&gt;
&lt;li&gt;A &lt;a href="https://www.pulumi.com/product/internal-developer-platforms/"&gt;Platform-in-the-box&lt;/a&gt; experience for those who want a portal-first experience for self-service infrastructure.&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/developer-portals/backstage/"&gt;A Backstage plugin&lt;/a&gt; for those who prefer to use Backstage for an IDP.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;A great self-service workflow and abstraction layer are key to making platform engineering work. &lt;a href="https://www.pulumi.com/blog/series/platform-engineering-pillars/"&gt;Next in this series&lt;/a&gt;, we’ll tackle developer experience directly.&lt;/p&gt;</description><author>Adam Gordon Bell</author><category>platform-engineering</category></item><item><title>Provisioning: From Chaos to Control</title><link>https://www.pulumi.com/blog/platform-engineering-pillars-2/</link><pubDate>Thu, 27 Feb 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/platform-engineering-pillars-2/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/platform-engineering-pillars-2/index.png" /&gt;
&lt;p&gt;Provisioning is the first &lt;a href="https://www.pulumi.com/blog/series/platform-engineering-pillars/"&gt;pillar of platform engineering&lt;/a&gt;. Without consistent infrastructure provisioning – the automated creation and management of the underlying cloud resources – the rest of the platform suffers. Self-service, governance, and streamlined developer workflows all depend on it. Ultimately, a self-service layer on top of your cloud infrastructure is the goal, enabling developers to quickly and safely provision the resources they need, while adhering to organizational best practices and policies. But before self-service, the foundation of a good IDP is a robust and reliable provisioning system.&lt;/p&gt;
&lt;p&gt;By defining cloud resources as code and automating deployments, platform engineering teams ensure every environment – development, staging, and production – stays consistent and maintainable. This cuts down on configuration drift, reduces manual work, and supports auditable, collaborative workflows for every change.&lt;/p&gt;
&lt;p&gt;Let’s explore how platform engineering teams can achieve this by version-controlling infrastructure, automating deployments, separating environments properly, and limiting console interventions. By applying these principles, teams can create a platform where developers can move fast without breaking things, and where infrastructure supports innovation rather than slowing it down.&lt;/p&gt;
&lt;div class="note note-warning"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-warning-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;&lt;h3 id="top-5-iac-anti-patterns"&gt;Top 5 IaC anti-patterns&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Console-Only Changes:&lt;/strong&gt; Making &amp;ldquo;quick fixes&amp;rdquo; in production without updating IaC leads to drift, confusion, and hidden risks.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Hard-Coded Secrets:&lt;/strong&gt; Sensitive values in code or config files are a security liability. Use encrypted state or a secrets manager.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Copy-Paste Config:&lt;/strong&gt; Reusing half-baked snippets across projects creates cruft. Break out shared modules or templates.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;No Clear File Structure:&lt;/strong&gt; Throwing all configs into a single file or folder obscures dependencies. Organize by environment, service, or module.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Skipping Peer Reviews:&lt;/strong&gt; Infrastructure mistakes can be costly. A simple pull request process can catch errors before deployment.&lt;/li&gt;
&lt;/ul&gt;
&lt;h4 id="-tip-read-our-list-of-iac-best-practices-"&gt;💡 Tip: Read our list of &lt;a href="https://www.pulumi.com/blog/iac-recommended-practices-code-organization-and-stacks/"&gt;IaC Best Practices&lt;/a&gt; 💡&lt;/h4&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="building-a-reliable-iac-foundation"&gt;Building a reliable IaC foundation&lt;/h2&gt;
&lt;p&gt;&lt;img src="infra-workflow.png" alt="infra-workflow"&gt;&lt;/p&gt;
&lt;p&gt;It’s not enough to simply define your resources in code. A reliable IaC foundation should ensure that infrastructure changes move smoothly from idea to production, without surprising developers or straining operations. Here’s how to structure these workflows so they’re both transparent and resilient:&lt;/p&gt;
&lt;h2 id="version-control-as-the-single-source-of-truth"&gt;Version control as the single source of truth&lt;/h2&gt;
&lt;p&gt;&lt;img src="commits.png" alt="iac commits"&gt;&lt;/p&gt;
&lt;p&gt;Whether you’re using GitHub, GitLab, or something else, every infrastructure definition needs to live in version control. This is just the basics – and hopefully, you are already doing this, as you have been for years. Version-controlled changes allow you to track history, compare revisions, and peer review. A pull request might catch a misconfigured subnet or a database that was accidentally left publicly accessible, mistakes that could be catastrophic if they slip into production. This also means anyone can propose improvements or bug fixes, expanding the pool of expertise beyond a single “infrastructure guru.”&lt;/p&gt;
&lt;h2 id="automating-changes-with-cicd"&gt;Automating changes with CI/CD&lt;/h2&gt;
&lt;p&gt;&lt;img src="ci.png" alt="iac ci"&gt;&lt;/p&gt;
&lt;p&gt;Next, consider how to apply infrastructure modifications after they’re merged into main. A CI pipeline can automatically run a “plan” or “preview,” then only proceed with the actual update if no blockers appear. Policy checks can also be added, enforcing rules such as “no public S3 buckets” or “use encrypted volumes only.” By codifying these conditions, you avoid manual verification steps and reduce the chance of risky configurations slipping past manual review.&lt;/p&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;&lt;h3 id="trunk-based-infrastructure-workflow"&gt;Trunk-based infrastructure workflow&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Protected main Branch:&lt;/strong&gt; No direct commits&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Pull Request Merges:&lt;/strong&gt; Integrate changes via Pull Requests&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Automated PR Checks:&lt;/strong&gt; Previews and Policy-as-Code run on every PR&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Merge:&lt;/strong&gt; Merge to main triggers automated deployments&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="distinguish-each-environment"&gt;Distinguish each environment&lt;/h2&gt;
&lt;p&gt;&lt;img src="envs.png" alt="each environment"&gt;&lt;/p&gt;
&lt;p&gt;Not all environments have the same requirements or budgets, so it’s wise to separate dev, staging, and production configurations. You might share core modules across these environments, but keep each environment’s parameters and secrets in independent config files or stack definitions. This deliberate separation ensures that dev changes are tested in a realistic but contained environment before they can impact production. As a result, teams can experiment more confidently without risking live workloads.&lt;/p&gt;
&lt;h2 id="modularity-and-reusability"&gt;Modularity and reusability&lt;/h2&gt;
&lt;p&gt;A key principle of effective IaC, and a cornerstone of any good Internal Developer Platform, is reusability. You shouldn&amp;rsquo;t be copying and pasting large chunks of infrastructure code. Instead, you should build reusable components (or modules, or constructs, depending on the tool&amp;rsquo;s terminology) that encapsulate best practices and can be easily consumed by developers. This achieves several critical goals:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Consistency:&lt;/strong&gt; Ensures that similar resources are provisioned in the same way, reducing configuration drift.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Abstraction:&lt;/strong&gt; Hides complexity from developers. They don&amp;rsquo;t need to know how a secure, compliant database is created, just that it is.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Maintainability:&lt;/strong&gt; Changes to the underlying implementation of a component can be rolled out to all consumers of that component.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Speed:&lt;/strong&gt; Developers can provision infrastructure faster by using pre-built components.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reduced Errors:&lt;/strong&gt; Standard components means that there will be less opportunities to make mistakes.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Think of these reusable components as the &amp;ldquo;building blocks&amp;rdquo; of your IDP. Your platform team creates and maintains them, and developers use them to assemble their applications.&lt;/p&gt;
&lt;p&gt;Regardless of the specific IaC tool you choose, reusable components generally share these characteristics:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Parameterized Inputs:&lt;/strong&gt; Components accept inputs (parameters, properties, configuration – the term varies) that allow users to customize their behavior. For example, a &amp;ldquo;database&amp;rdquo; component might accept a database_size parameter.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Defined Outputs:&lt;/strong&gt; Components expose outputs that other parts of the infrastructure can consume. For example, a &amp;ldquo;database&amp;rdquo; component might output the database&amp;rsquo;s connection string.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Encapsulation:&lt;/strong&gt; The internal implementation details of the component are hidden from the consumer. The consumer interacts with a well-defined interface (inputs and outputs).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Versioned:&lt;/strong&gt; Components should be versioned (e.g., using semantic versioning) to allow for controlled updates and rollbacks.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Discoverable:&lt;/strong&gt; Components should be easily discoverable by developers, often through a central catalog or registry.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="example-an-iam-roles-component"&gt;Example: An IAM roles component&lt;/h3&gt;
&lt;p&gt;IAM roles are one of the most commonly misconfigured AWS resources, making them a perfect candidate for abstraction into a reusable component. Developers frequently make mistakes when setting up roles, leading to overly permissive access, broken permissions, or operational headaches.&lt;/p&gt;
&lt;h3 id="common-iam-role-mistakes"&gt;Common IAM role mistakes&lt;/h3&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Overly Broad Permissions&lt;/strong&gt; – Developers often grant &lt;code&gt;*&lt;/code&gt; permissions instead of following the principle of least privilege.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Missing Assume Role Policies&lt;/strong&gt; – Without a proper trust policy, services may not be able to use the role at all.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Directly Attaching Policies to Users&lt;/strong&gt; – Instead of assigning roles to groups, users might manually attach policies, leading to hard-to-audit permission structures.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Lack of Naming Conventions &amp;amp; Tagging&lt;/strong&gt; – Unstructured role names and missing tags make governance difficult.&lt;/li&gt;
&lt;/ol&gt;
&lt;h4 id="how-a-reusable-iam-module-fixes-this"&gt;How a reusable IAM module fixes this&lt;/h4&gt;
&lt;p&gt;A platform team can provide a self-service IAM role module that enforces best practices while still allowing customization. This module would:&lt;/p&gt;
&lt;p&gt;✅ &lt;strong&gt;Require a Least Privilege Policy&lt;/strong&gt; – The module only allows explicitly defined permissions, preventing wildcards. &lt;br&gt;
✅ &lt;strong&gt;Auto-Generate Trust Policies&lt;/strong&gt; – Ensures correct settings, reducing misconfigurations. &lt;br&gt;
✅ &lt;strong&gt;Enforce Naming Standards &amp;amp; Tagging&lt;/strong&gt; – Ensures roles are easily identifiable and trackable.&lt;/p&gt;
&lt;p&gt;By using a reusable IAM role module, developers can self-service their permissions while the platform team ensures security, consistency, and maintainability. This removes a major source of security risk and operational overhead.&lt;/p&gt;
&lt;h2 id="no-console-interventions"&gt;No console interventions&lt;/h2&gt;
&lt;p&gt;No matter how carefully IaC is managed, emergencies may occasionally necessitate direct console changes. However, such interventions are strictly forbidden except under an official “break glass” procedure. If a quick fix is applied in the cloud console, it’s critical that the change is immediately documented and returned to code. Regular drift detection can help with this: once a day or once a week, automated scans can compare actual cloud resources to your declared infrastructure. When it detects a mismatch, you decide whether the code or the running resource is the correct version. Either way, human “hotfixes” never linger as hidden surprises for long.&lt;/p&gt;
&lt;p&gt;By combining version control, automation pipelines, environment-based configs, and drift checks, you build a solid provisioning foundation. Once you have that in place, the next step is making these patterns easy to use, so teams can start new services without reinventing the wheel.&lt;/p&gt;
&lt;p&gt;But first, let&amp;rsquo;s cover some metrics and roadblocks.&lt;/p&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;&lt;h3 id="metrics-that-matter"&gt;Metrics that matter&lt;/h3&gt;
&lt;p&gt;The classic &lt;a href="https://dora.dev/guides/dora-metrics-four-keys/"&gt;DORA metrics&lt;/a&gt; focus on software delivery. Adapting and modifying them for infrastructure provisioning can help measure how effectively your platform delivers reliable, self-service cloud resources:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Lead Time for Infrastructure Changes:&lt;/strong&gt; How fast does a merged PR turn into running infrastructure? Shorter indicates efficient automation and fewer manual steps.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Infrastructure Drift Frequency:&lt;/strong&gt; Are developers constantly making console tweaks, or does your infrastructure stay in sync with code? A low drift rate means your code and actual resources stay aligned.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Infrastructure Change Failure Rate:&lt;/strong&gt; What percentage of infrastructure changes result in incidents or rollbacks? A low failure rate indicates a robust, well-tested infrastructure pipeline, reducing wasted effort and potential outages.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Platform Self-Service Rate:&lt;/strong&gt; What percentage of provisioning changes are implemented by the requesting team (without needing to involve a central operations team)? A high self-service rate shows that your platform empowers developers and reduces bottlenecks.&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="common-roadblocks"&gt;Common roadblocks&lt;/h2&gt;
&lt;p&gt;Adopting Infrastructure as Code helps teams automate provisioning, but common pitfalls can slow progress before they see results. Left unaddressed, problems hidden configuration tweaks, scattered code, or reliance on a single &amp;ldquo;infrastructure hero&amp;rdquo; make it hard to keep environments consistent and secure.&lt;/p&gt;
&lt;p&gt;By spotting these roadblocks early, teams can build a stronger foundation for a repeatable, collaborative IaC workflow.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Knowledge silos:&lt;/strong&gt; Relying on just one person (&amp;ldquo;Go ask Sarah&amp;rdquo;) for all infrastructure tasks creates a risky bottleneck. The broader team can&amp;rsquo;t replicate or improve the process, slowing new initiatives and leaving you vulnerable if that individual is out of office or leaves the company. Moving to a collaborative, version-controlled IaC model ensures that no single engineer is a gatekeeper for new environments or configuration changes.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Overly complex or unstructured IaC:&lt;/strong&gt; Bloated or disorganized infrastructure code leads to confusion, duplication, and frequent errors. Engineers might copy-paste configurations from previous projects or cram all resources into a single file. By refactoring IaC into smaller modules, adopting a clear folder structure, and removing dead code, teams gain consistency and accelerate ramp-up times for new services.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Learning curves:&lt;/strong&gt; Teams new to IaC often encounter a steep learning curve. There is initially a lot to learn, and resistance from people used to quickly working through cloud UI can slow down full adoption. But time invested in learning tools and setting cultural norms pay off in agility and a platform strategy with guidance and golden paths can help reduce the burden.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Cultural inertia:&lt;/strong&gt; The adoption of a platform engineering approach is a shift in how organizations manage infrastructure, and like all, change is not merely technical but also organizational. Resistance to change and organizational inertia can make it difficult to implement new ways of getting work done. Expecting, understanding, and working through this resistance is key to overcoming it.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Lack of comprehensive approach:&lt;/strong&gt; IaC tools are great for provisioning, but without a full platform approach, covering monitoring, logging, and the full life cycle of cloud resources, provisioning efforts may fall short. We will see in this series how the pillars of a comprehensive approach strengthen themselves.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These roadblocks highlight why a thoughtful, well-structured approach to provisioning is essential. But that’s not enough because the next step is to make these consistent patterns easily accessible so teams can spin up entire services without starting from scratch. And that’s where “golden path” templates come in.&lt;/p&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.74fadd1b94bae866bccf29a780f184a71c5cfc34c8677be70da8fe2ab0309b9e.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;&lt;h3 id="platform-team-provisioning-responsibilities"&gt;Platform team provisioning responsibilities&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;Setting up the initial IaC foundation&lt;/li&gt;
&lt;li&gt;Creating and maintaining templates&lt;/li&gt;
&lt;li&gt;Automating workflows&lt;/li&gt;
&lt;li&gt;Monitoring usage and compliance&lt;/li&gt;
&lt;li&gt;Internal Platform Evangelism&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="service-templates"&gt;Service templates&lt;/h2&gt;
&lt;p&gt;&lt;img src="abstraction-levels.png" alt="abstraction-levels"&gt;&lt;/p&gt;
&lt;p&gt;Even with a solid IaC foundation and reusable modules, spinning up a brand-new service can still require developers to understand how to pull in the underlying infrastructure components and how to use them. That’s where templates come in.&lt;/p&gt;
&lt;p&gt;These are pre-vetted, ready-to-use blueprints that capture your organization’s best practices for a complete service or application, including infrastructure, application, and security components. They are the key to enabling true self-service.&lt;/p&gt;
&lt;p&gt;Think of service templates as the next step up from the reusable components we discussed earlier. While a component might represent a single &amp;ldquo;building block&amp;rdquo; (like a secure S3 bucket or a database), a service template represents an entire structure built from those blocks (like a complete web application with a database, load balancer, and containerized application). They combine those building blocks with sensible default configurations and best practices for things like logging, Kubernetes setup, and security baked in.&lt;/p&gt;
&lt;p&gt;Beyond bundling your organization’s best practices into a single repository, these service templates can also include a preconfigured CI/CD pipeline.&lt;/p&gt;
&lt;p&gt;This means that when a team spins up a new service from the template, they inherit not just the infrastructure modules and best-practice configurations, but a fully operational CI/CD workflow. No extra setup is required. Developers get immediate feedback on their changes, and the merge to main triggers automatic deployments that keep every environment consistent.&lt;/p&gt;
&lt;p&gt;Instead of cobbling together snippets from old repos, teams can scaffold out a service by simply selecting the template that fits their need – whether it’s a containerized web app, a serverless function, or a data-processing pipeline – and providing a few key parameters.&lt;/p&gt;
&lt;p&gt;&lt;img src="service-template.png" alt="service template"&gt;&lt;/p&gt;
&lt;p&gt;These curated paths cut onboarding time, reduce configuration missteps, and ensure that the IaC modules are used in new services. If developers don’t have to remember which tags to apply or how to route logs, or even where to import infrastructure modules from, they can focus on delivering features rather than wrestling with infrastructure details. And as your platform matures, and new versions of your modules are introduced, you can update these templates, automatically sharing improvements with every new project.&lt;/p&gt;
&lt;h2 id="bringing-it-all-together-the-impact-of-effective-provisioning"&gt;Bringing it all together: The impact of effective provisioning&lt;/h2&gt;
&lt;p&gt;With reusable modules and service templates in place, and a deployment workflow that takes changes from git commits all the way to your cloud account, your platform engineering team creates a foundation that transforms how developers interact with infrastructure. This transformation yields measurable benefits:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Lower Infrastructure Change Failure Rate:&lt;/strong&gt; Automated validations and peer reviews catch issues early, reducing the number of failed deployments.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Increased Platform Self-Service Efficiency:&lt;/strong&gt; Developers can provision resources in minutes instead of days, boosting productivity and reducing bottlenecks.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reduced Lead Time for Infrastructure Changes:&lt;/strong&gt; Streamlined automation shortens the time from code commit to deployed infrastructure.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Minimized Infrastructure Drift:&lt;/strong&gt; Fewer manual console interventions mean your actual infrastructure stays aligned with what’s declared in code.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;(In the upcoming article, we’ll dig deeper into how governance guards these golden paths, ensuring that new projects comply with security and corporate policies right from day one.)&lt;/p&gt;
&lt;h2 id="managing-infrastructure-provisioning-with-pulumi"&gt;Managing infrastructure provisioning with Pulumi&lt;/h2&gt;
&lt;p&gt;As you build out your platform engineering plan, consider how Pulumi might fit in. With Pulumi, you get:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/what-is/what-is-infrastructure-as-code/"&gt;Infrastructure as Code&lt;/a&gt; in the language of your choice.&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/iac/concepts/resources/components/"&gt;Component resources&lt;/a&gt; for creating reusable infrastructure modules that encapsulate best practices.&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/"&gt;Pulumi Deployments&lt;/a&gt; for a fully managed infrastructure deployment solution.&lt;/li&gt;
&lt;li&gt;And a &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/deployments/"&gt;Platform in the box&lt;/a&gt; experience.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Reliable infrastructure provisioning is the cornerstone that supports your entire platform engineering initiative. By implementing the practices outlined in this article – version-controlled IaC, automated CI/CD workflows, environment separation, and golden-path templates – you establish a foundation that enables consistency, speed, and trust.&lt;/p&gt;
&lt;p&gt;But provisioning alone isn’t enough. In upcoming articles, we’ll explore how policy-as-code and broader governance tie into this foundation, ensuring that all those newly created services meet security and compliance standards from the moment they’re deployed. But first, we’ll look at expanding the provisioning foundation covered here into a true self-service platform, so teams can quickly spin up services without risking the organizational chaos that often accompanies speed.&lt;/p&gt;
&lt;p&gt;Provisioning is the foundation – &lt;a href="https://www.pulumi.com/blog/series/platform-engineering-pillars/"&gt;next in this series&lt;/a&gt; we’ll build on it.&lt;/p&gt;</description><author>Adam Gordon Bell</author><category>platform-engineering</category></item><item><title>Platform Pillars: Build Platforms, Not Infrastructure</title><link>https://www.pulumi.com/blog/platform-engineering-pillars-1/</link><pubDate>Wed, 26 Feb 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/platform-engineering-pillars-1/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/platform-engineering-pillars-1/index.png" /&gt;
&lt;p&gt;Software drives innovation. Development teams face pressure to ship features faster. But speed collides with infrastructure complexity. Developers struggle with cloud setups, juggle scattered tools, and wait on operations teams for resources. The result is friction and slower innovation.&lt;/p&gt;
&lt;p&gt;This is where &lt;a href="https://www.pulumi.com/what-is/what-is-platform-engineering/"&gt;Platform Engineering&lt;/a&gt; comes in. It helps developers move faster by creating tools that actually work. A good internal platform lets teams self-serve infrastructure, find documentation, follow best practices, and focus on what they do best: writing useful software.&lt;/p&gt;
&lt;div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;"&gt;
&lt;iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/AUCt28gVR6Y?rel=0?autoplay=0&amp;amp;controls=1&amp;amp;end=0&amp;amp;loop=0&amp;amp;mute=0&amp;amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"&gt;&lt;/iframe&gt;
&lt;/div&gt;
&lt;p&gt;Building a platform isn&amp;rsquo;t about finding one perfect tool. It&amp;rsquo;s about assembling the right pieces, or pillars. These pillars define what every successful internal developer platform needs.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.pulumi.com/blog/series/platform-engineering-pillars/"&gt;This series&lt;/a&gt; explores these key pillars of Platform Engineering, offering a practical guide to building platforms that remove barriers to developer speed. Each pillar addresses a specific challenge organizations face when scaling developer productivity. The first challenge is overcoming infrastructure chaos.&lt;/p&gt;
&lt;img align="right" style="margin: 15px;" width="300px" src="provisioning.png"&gt;
&lt;h3 id="problem-infrastructure-chaos-and-bottlenecks"&gt;&lt;strong&gt;Problem: Infrastructure chaos and bottlenecks&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;Developers face many pain points with manual provisioning, which is why &lt;a href="https://www.pulumi.com/what-is/what-is-infrastructure-as-code/"&gt;Infrastructure as Code&lt;/a&gt; has become so essential:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Inconsistent environments&lt;/strong&gt;: Dev, staging, and production drift apart. &amp;ldquo;Works on my machine&amp;rdquo; becomes everyone&amp;rsquo;s excuse.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Slow processes&lt;/strong&gt;: Console clicking and waiting on ops creates bottlenecks. Developers wait days for basic infrastructure.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Configuration drift&lt;/strong&gt;: Manual configs lead to errors. Quick production fixes become undocumented mysteries that cause problems later.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Lack of repeatability&lt;/strong&gt;: Spinning up new environments or replicating existing ones is a complex, time-consuming, and often unreliable process.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That&amp;rsquo;s why provisioning is the first pillar to master if you want to build a successful developer platform.&lt;/p&gt;
&lt;img align="left" style="margin: 15px; margin-right:25px;" width="300px" src="self-service.png"&gt;
&lt;h3 id="problem-dependency-bottlenecks-and-limited-developer-autonomy"&gt;&lt;strong&gt;Problem: Dependency bottlenecks and limited developer autonomy&lt;/strong&gt;&lt;/h3&gt;
&lt;span style="margin-left:-15px"&gt;
Even with automated provisioning, another challenge emerges - developers still struggle when tools are provided without considering usability.
&lt;/span&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Hard to find what you need&lt;/strong&gt;: Developers waste time hunting for the right infrastructure modules. They end up searching docs, bothering colleagues, or rebuilding something that already exists.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Too much complexity&lt;/strong&gt;: Most developers aren&amp;rsquo;t infrastructure experts. Learning all the options and parameters creates hesitation and mistakes.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Lack of real autonomy&lt;/strong&gt;: Developers have the tools but not the confidence to use them. They still need approvals or fear breaking production.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Inconsistent workflows&lt;/strong&gt;: Teams create their own ways of using infrastructure, making collaboration harder.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;By implementing self-service infrastructure provisioning, you transform your platform from a centrally controlled system to a developer-centric environment. You unlock developer autonomy, accelerate development cycles, and free up operations teams to focus on higher-value activities.&lt;/p&gt;
&lt;img align="right" style="margin: 15px;" width="300px" src="developer-workflow.png"&gt;
&lt;h3 id="problem-inefficient-and-fragmented-development-processes"&gt;&lt;strong&gt;Problem: Inefficient and fragmented development processes&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;Infrastructure is just one piece of the puzzle. Developers still face daily friction moving code to production.&lt;/p&gt;
&lt;p&gt;A typical developer&amp;rsquo;s day is full of frustrations:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Inconsistent local environments&lt;/strong&gt;: Variations in local setups, dependency conflicts, and operating system differences lead to debugging headaches and wasted time getting started.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Slow CI/CD pipelines&lt;/strong&gt;: Long builds, flaky tests, and mysterious pipeline configs block progress. Developers stare at progress bars instead of writing code.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cumbersome testing and staging setups&lt;/strong&gt;: Provisioning environments for testing and staging can be a manual process. Environments may not accurately mirror production, leading to surprises and integration issues late in the development cycle.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Lack of discoverability and reusability&lt;/strong&gt;: Nobody knows what code already exists, so everyone rebuilds it. Duplication becomes the norm.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Developer toil and context switching&lt;/strong&gt;: Developers spend more time on environment setup and troubleshooting than on writing features.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These inefficiencies add up, creating significant friction in the developer workflow. Developers spend more time wrestling with processes and less time focused on building and innovating. A Platform approach can help solve these challenges.&lt;/p&gt;
&lt;img align="left" style="margin: 15px;" width="300px" src="security.png"&gt;
&lt;h3 id="problem-security-as-a-bottleneck-and-source-of-friction"&gt;&lt;strong&gt;Problem: Security as a bottleneck and source of friction&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;Speed and efficiency matter, but security can&amp;rsquo;t be compromised. Traditionally, security acts as a gate – a necessary hurdle before releasing software. Platform Engineering aims to transform security from a bottleneck into an enabler.&lt;/p&gt;
&lt;p&gt;For many developers, security feels like a roadblock, leading to common friction points:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Last-minute security&lt;/strong&gt;: Checks happen at the end of development, causing costly rework when issues are found.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Restrictive policies&lt;/strong&gt;: Security rules feel arbitrary and unclear, slowing down deployments.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;The &amp;ldquo;No&amp;rdquo; department&lt;/strong&gt;: Security teams are seen as blockers who enforce policies without offering solutions.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Speed vs. security mindset&lt;/strong&gt;: Everyone believes you must choose between going fast and being secure.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Security is &amp;ldquo;Someone else&amp;rsquo;s job&amp;rdquo;&lt;/strong&gt;: Developers think security is only the security team&amp;rsquo;s responsibility.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This &amp;ldquo;security as a gate&amp;rdquo; approach not only slows things down but leads to workarounds as developers try to bypass security to meet deadlines.&lt;/p&gt;
&lt;p&gt;By integrating security into your platform, you transform security from a gatekeeper into a built-in feature of the development process. Security becomes an enabler of trust and speed, letting developers innovate with confidence.&lt;/p&gt;
&lt;img align="right" style="margin: 15px;" width="300px" src="observability.png"&gt;
&lt;h3 id="problem-data-overload-without-insights"&gt;&lt;strong&gt;Problem: Data overload without insights&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;Developers in modern cloud environments often find themselves in a paradox: they are drowning in data, yet starving for actionable information. Monitoring systems pump out metrics, logs, and traces, but finding what matters feels impossible. An ideal internal developer platform shifts the focus from data collection to actionable insights.&lt;/p&gt;
&lt;p&gt;Here&amp;rsquo;s what developers typically experience:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Tool sprawl&lt;/strong&gt;: Teams use different tools for metrics, logs, and traces. Developers waste time jumping between dashboards and manually connecting the dots.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Alert noise&lt;/strong&gt;: Developers get bombarded with alerts lacking context or clear next steps. Important signals get buried in the noise.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Dashboard overload&lt;/strong&gt;: Existing dashboards overwhelm developers with granular metrics that are hard to connect to application behavior.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reactive debugging&lt;/strong&gt;: Troubleshooting becomes a time-consuming fire drill. Developers spend hours sifting through logs to pinpoint issues.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Missing proactive insights&lt;/strong&gt;: Observability is only used for firefighting. Developers lack insights to optimize performance or prevent issues before they affect users.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Disconnected from production&lt;/strong&gt;: Many developers feel blind to how their code actually runs in production, limiting their ability to improve it.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This data flood without clear insights leaves developers reactive rather than proactive, hampering their ability to build reliable applications.&lt;/p&gt;
&lt;p&gt;By improving observability in your platform, you transform it from an operations function into a developer superpower. Developers gain the insights they need to build better applications with greater confidence, using AI to focus on what truly matters.&lt;/p&gt;
&lt;img align="left" style="margin: 15px;" width="300px" src="goverance.png"&gt;
&lt;h3 id="problem-balancing-autonomy-with-control-and-cost-efficiency"&gt;&lt;strong&gt;Problem: Balancing autonomy with control and cost efficiency&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;Empowering developers with self-service is essential, but unchecked autonomy leads to chaos. As platform adoption grows, organizations need to maintain control without creating bottlenecks. This is where Governance as Code becomes critical, establishing guardrails while preserving speed.&lt;/p&gt;
&lt;p&gt;Self-service creates new challenges:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Configuration drift&lt;/strong&gt;: In decentralized environments, infrastructure setups diverge from standards, creating security risks.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cloud cost explosion&lt;/strong&gt;: Without proper controls, self-service can lead to wasted resources and budget overruns. Teams over-provision or forget to clean up unused environments.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Compliance headaches&lt;/strong&gt;: Meeting regulatory requirements becomes harder when infrastructure is created in an uncontrolled way.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Audit gaps&lt;/strong&gt;: Without clear governance, tracking who created what and when becomes nearly impossible.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Manual governance slows everything&lt;/strong&gt;: If governance relies on approvals and tickets, it defeats the purpose of self-service.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These challenges highlight the need for automated governance that scales with your platform, ensuring control without slowing developers down.&lt;/p&gt;
&lt;p&gt;By implementing Governance as Code, you ensure that self-service doesn&amp;rsquo;t conflict with security, compliance, and cost efficiency. Governance becomes an automated part of your platform, enabling responsible scaling.&lt;/p&gt;
&lt;h2 id="conclusion"&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;/h2&gt;
&lt;p&gt;These six challenges represent the core obstacles standing between your organization and true developer velocity. When properly addressed, each transforms into a capability that empowers developers and accelerates innovation.&lt;/p&gt;
&lt;p&gt;The upcoming articles in this series will explore each area in depth, with practical strategies and real-world examples to help you build an effective internal developer platform.&lt;/p&gt;
&lt;p&gt;Ready to implement these principles in your organization? Check out &amp;ldquo;Platform Engineering: Recommended Practices for Infrastructure as Code&amp;rdquo;. It provides detailed guidance on building scalable internal developer platforms.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;How to structure infrastructure code for scalability&lt;/li&gt;
&lt;li&gt;Managing development environments with developer stacks and Git branches&lt;/li&gt;
&lt;li&gt;Designing modular and reusable Pulumi projects&lt;/li&gt;
&lt;li&gt;Implementing cross-stack dependencies with stack references&lt;/li&gt;
&lt;li&gt;Setting up RBAC, security, and governance at scale&lt;/li&gt;
&lt;li&gt;Automating infrastructure management with stack orchestration&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;a href="https://info.pulumi.com/ebook/platform-engineering-iac-recommended-practices"&gt;&lt;strong&gt;Get the Free Platform Engineering Ebook →&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;And don&amp;rsquo;t miss the next article in this series, where we&amp;rsquo;ll explore provisioning as the foundation of your developer platform journey.&lt;/p&gt;</description><author>Adam Gordon Bell</author><category>platform-engineering</category></item></channel></rss>