Pulumi glossary
- Alias
- Audit Log
- Automation API
- Backend
- Checkpoint
- Component
- Config
- Deployment Engine
- Destroy
- Drift Detection
- Dynamic Providers
- Environment
- Environment Definition
- Function Serialization
- Import
- Internal Developer Platform (IDP)
- Language Executor
- Language Host
- MCP Server
- Native language package
- No-Code Stacks
- OIDC
- Organization
- Organization Template
- Outputs
- Packages
- Policy as Code
- Preview
- Private Registry
- Program
- Project
- Project File
- Pulumi Cloud
- Pulumi Deployments
- Pulumi ESC
- Pulumi Insights
- Pulumi Neo
- Pulumi Neo Task
- Pulumi package
- Pulumi Registry
- RBAC
- Refresh
- Resource Args
- Resource Plugin
- Resource Provider
- Resource Search
- Resources
- Review Stacks
- Rotation
- SDK
- Secrets
- Secrets Encryption
- Self-hosted
- Stack
- Stack Output
- Stack Reference
- Stack Tags
- State
- Team
- Token
- Update
- URN
- Webhook
Alias
A resource option that lets a resource keep its identity in state while its URN changes (renaming, moving between parents, or refactoring). Pulumi treats aliased resources as the same resource instead of replacing them.
Audit Log
An immutable record of user and service activity in a Pulumi Cloud organization. Audit logs are available to organization admins and can be exported via the CLI or REST API.
Automation API
A programmable interface for driving Pulumi from your own code instead of the CLI. Use it to embed updates, previews, refreshes, and destroys in applications, custom CLIs, web services, or higher-level platforms.
Backend
The system that stores and serves stack state. Pulumi supports the managed Pulumi Cloud backend (the default) and self-managed backends backed by object storage such as Amazon S3, Azure Blob Storage, Google Cloud Storage, or the local filesystem.
Checkpoint
A snapshot of stack state that Pulumi writes during operations. Checkpoints let the engine compute diffs between desired and actual state, recover from interruptions, and safely tear down resources during a destroy.
Component
A logical grouping of other components and physical cloud resources, authored as a subclass of ComponentResource. Components let you package higher-level abstractions and reuse them across stacks and projects.
Config
Per-stack key-value settings that a Pulumi program reads at runtime. Configuration values are stored as strings but can be parsed as richer types, and they can be marked as secrets so they are encrypted at rest and in transit.
Deployment Engine
The component of Pulumi responsible for computing the operations needed to drive current state into the desired state declared by a program, then executing those operations through resource providers.
Destroy
The operation that tears down all resources managed by a stack. After a successful destroy the stack’s state contains no resources, but the stack itself still exists until you remove it.
Drift Detection
An automated check that compares the actual state of cloud resources with what Pulumi recorded in state. Drift detection runs on a schedule in Pulumi Deployments and surfaces unexpected changes for review or automatic remediation.
Dynamic Providers
A mechanism for plugging arbitrary code directly into the deployment process from inside a program, without authoring a separate provider plugin. Useful for managing resources that no existing provider covers.
Environment
An ESC concept: a versioned, hierarchical collection of configuration values and secrets stored in Pulumi Cloud. Environments can be consumed by Pulumi programs, CLIs, applications, and CI systems through esc open, esc run, file mounts, or direct imports from a stack.
Environment Definition
The YAML document that declares an ESC environment: the values it exposes, the providers it pulls secrets from, the environments it imports, and the credentials it dynamically generates.
Function Serialization
Pulumi’s ability to capture a JavaScript or TypeScript function — including its lexical environment — and ship it to a cloud service (for example, an AWS Lambda or Azure Function) to execute at runtime. Previously referred to as runtime code.
Import
Adopt an existing cloud resource into a stack so Pulumi manages it going forward. You can import individual resources from the CLI or bulk-import many resources at once from a JSON file.
Internal Developer Platform (IDP)
Pulumi’s set of building blocks for platform teams to deliver self-service infrastructure to developers: organization templates, no-code stacks, private registries, and policy enforcement working together as a platform layer on top of Pulumi IaC, ESC, and Cloud.
Internal Developer Platform (IDP)
Language Executor
A small binary named pulumi-language-<language> that the Pulumi CLI launches to run a program in the corresponding language runtime (Node.js, Python, .NET, Go, Java, or YAML). Language executors ship with the CLI.
Language Host
The process started by a language executor that runs your Pulumi program and registers resources with the deployment engine through Pulumi’s RPC protocol.
MCP Server
Pulumi’s Model Context Protocol server, which exposes Pulumi capabilities (registry lookups, deployments, resource search, and more) to MCP-compatible AI clients such as Claude Desktop, Cursor, and Pulumi Neo.
Native language package
A component published to a language-specific package registry (npm, PyPI, NuGet, Maven, and so on) without a Pulumi plugin. Native language packages can only be consumed in the language they were authored in; they do not generate SDKs for other Pulumi-supported languages.
No-Code Stacks
An IDP feature that lets developers create and manage stacks through the Pulumi Cloud UI without writing or running any code, using organization templates configured by platform teams.
OIDC
OpenID Connect. Pulumi Cloud uses OIDC trust relationships to let workloads in CI systems and clouds (GitHub Actions, GitLab CI, AWS, Azure, Google Cloud, and others) authenticate without long-lived credentials. Pulumi can also act as an OIDC issuer for downstream cloud accounts.
Organization
The primary grouping unit in Pulumi Cloud. An organization owns stacks, environments, teams, policy packs, deployment settings, and audit logs, and is where access control and billing are scoped.
Organization Template
A reusable project template scoped to a Pulumi Cloud organization. Platform teams use organization templates to standardize new projects and to power IDP features like no-code stacks.
Outputs
Values produced by resources during an update. Because their concrete values are not known until the resource is created, Pulumi wraps them in an Output<T> type that tracks dependencies and propagates them through apply and all.
Packages
Distributable units of Pulumi code. A Pulumi package is a component or provider paired with a Pulumi plugin so SDKs can be generated for every supported language; a native language package is restricted to its authoring language. Both are installed through pulumi package add or a language package manager.
Policy as Code
Governance rules written as code (in TypeScript, Python, or supported policy languages) that Pulumi enforces against infrastructure. Policies can run during pulumi preview and pulumi up and against resources discovered by Pulumi Insights, regardless of how they were created.
Preview
The dry-run operation that shows the changes Pulumi would make to reach the desired state of a program, without performing them. Previews are the basis for review stacks and CI gating.
Private Registry
An organization-scoped registry inside Pulumi Cloud where platform teams publish internal components and templates for use by other teams in the same organization.
Program
The user-authored code that declares the resources, components, and outputs of a Pulumi stack. Programs are written in general-purpose languages (TypeScript, JavaScript, Python, Go, .NET, Java) or YAML and use packages from the Pulumi Registry and the language ecosystem.
Project
A directory containing a Pulumi.yaml file. The project file declares the program’s name, runtime, and per-stack configuration, and is the unit you operate on with most CLI commands.
Project File
The Pulumi.yaml file at the root of a project. It specifies the runtime, project name, description, template metadata, and optional configuration schemas, plugin requirements, and backend settings.
Pulumi Cloud
The managed SaaS at app.pulumi.com that stores stack state, secrets, environments, deployment settings, policies, audit logs, and Insights data. It is Pulumi’s default backend and the host for collaboration, governance, and automation features.
Pulumi Deployments
A managed remote execution service in Pulumi Cloud that runs Pulumi operations (up, preview, refresh, destroy) on Pulumi-hosted or self-hosted agents. Deployments power Git push-to-deploy, scheduled drift detection, review stacks, and click-to-deploy templates.
Pulumi ESC
Environments, Secrets, and Configuration. A Pulumi Cloud service for centralizing secrets and configuration in versioned, hierarchical environments that Pulumi programs, CLIs, applications, and CI systems can consume safely.
Pulumi Insights
The Insights & Governance product in Pulumi Cloud. It discovers resources across all your cloud accounts (including those Pulumi did not create), provides a searchable graph, and enforces policy as code on top of them.
Pulumi Neo
Pulumi’s AI agent for infrastructure work. Neo takes natural-language requests, plans the changes, and runs Pulumi (and other tooling) to carry them out, either fully managed in the cloud or with local tool execution via the pulumi neo CLI.
Pulumi Neo Task
A single agent invocation in Pulumi Neo. A task captures the request, the agent’s plan and tool calls, and the resulting changes, and can be reviewed and replayed from Pulumi Cloud.
Pulumi package
A component or provider distributed with a Pulumi plugin (source-based or executable) so SDKs can be generated for any supported language. Pulumi packages can be consumed by running pulumi package add or by installing a pre-published SDK from the appropriate package registry.
Pulumi Registry
The public catalog at pulumi.com/registry where Pulumi packages — providers, components, and templates — are published, versioned, and discovered. Programs install packages from the Registry through pulumi package add or the language’s package manager. Distinct from a private registry, which is the organization-scoped counterpart inside Pulumi Cloud.
RBAC
Role-based access control. Pulumi Cloud RBAC lets organization admins assign users and teams to roles whose permissions are defined by reusable permission sets, then scope those roles to specific projects, stacks, environments, or other resources.
Refresh
An operation that reconciles Pulumi’s state with the actual configuration of resources in the cloud. Use it to pick up changes made outside Pulumi or to recover from drift.
Resource Args
The object of inputs passed to a resource’s constructor that determine how the resource is created. Inputs can be plain values or Output values from other resources, which establishes dependencies.
Resource Plugin
A Pulumi plugin that the deployment engine invokes to manage resources of a given provider. Plugins can ship as a native executable or as a source-based package that Pulumi loads through a language host. They implement create, read, update, and delete operations for their resource types and are distributed through the Pulumi Registry.
Resource Provider
The combination of a resource plugin and one or more language SDKs that lets a Pulumi program declare resources of a particular type (for example, AWS, Azure, Kubernetes). Providers are distributed through the Pulumi Registry.
Resource Search
The Pulumi Insights feature for querying every resource Pulumi knows about across IaC stacks and discovered cloud accounts, using a structured search syntax.
Resources
The cloud objects Pulumi creates and tracks. Every resource has a logical name unique within its parent, a URN that uniquely identifies it across the stack, a set of inputs, and a set of outputs.
Review Stacks
A Pulumi Deployments feature that automatically creates a short-lived stack for each pull request, runs a preview (and optionally an update), and posts the results back to the PR for review.
Rotation
An ESC capability for rotating secrets on a schedule or on demand. Rotators replace credentials in the source system and update the environment’s configuration so consumers always receive fresh values.
SDK
Software Development Kit. A language-specific library, typically generated from a Pulumi provider, that lets programs in TypeScript, Python, Go, .NET, Java, or YAML declare and read resources of that provider.
Secrets
Configuration values or program data that Pulumi must encrypt. Marking a value as a secret causes Pulumi to encrypt it at rest in state and configuration, mask it in CLI output, and propagate the secret marking through computations.
Secrets Encryption
The mechanism Pulumi uses to encrypt secret values in stack state and configuration. Pulumi Cloud manages per-stack keys automatically; with self-managed backends you can supply your own KMS provider (AWS KMS, Azure Key Vault, Google Cloud KMS, HashiCorp Vault, or a passphrase).
Self-hosted
A deployment model in which you run Pulumi infrastructure inside your own environment instead of relying on the managed Pulumi Cloud SaaS. Pulumi offers self-hosted Pulumi Cloud (on-prem or in your cloud account) and self-managed state backends backed by object storage.
Stack
An isolated, independently configurable instance of a Pulumi program. Stacks are commonly used to model environments (dev, staging, production), per-developer sandboxes, or per-feature instances.
Stack Output
A value exported from a stack with export (TypeScript), pulumi.export (Python), or the equivalent in other languages. Stack outputs are visible in the CLI and Pulumi Cloud and can be consumed by other stacks through stack references.
Stack Reference
A way for one stack to read the outputs of another stack. Stack references are the recommended pattern for splitting infrastructure into independently deployable layers.
Stack Tags
Name-value metadata attached to a stack. Tags are searchable in Pulumi Cloud and useful for grouping stacks by team, environment, region, or any other dimension. Stack tags are only available on the Pulumi Cloud backend.
State
Pulumi’s record of the resources a stack manages, their inputs and outputs, and the dependencies between them. State is stored by the backend and read by the deployment engine on every operation.
Team
A named group of users inside a Pulumi Cloud organization. Teams are the unit you assign roles and permissions to, and they can also be granted access to specific stacks, environments, and other resources.
Token
A credential used to authenticate to Pulumi Cloud non-interactively. Personal access tokens belong to a user; organization and team access tokens belong to the organization and can be scoped to specific permissions.
Update
The operation, invoked with pulumi up, that computes a desired state from your program and applies the necessary changes to reach it. Updates create, modify, and delete resources, and record the result in stack state.
URN
Uniform Resource Name. The string Pulumi uses to uniquely identify a resource within a stack, derived from the stack, project, parent chain, resource type, and logical name. URNs appear in CLI output and are the keys used by aliases and resource-targeting flags.
Webhook
An HTTP callback Pulumi Cloud sends when something happens — for example, a stack update completes, drift is detected, or an environment changes. Webhooks are scoped to a stack, environment, or organization.
Thank you for your feedback!
If you have a question about how to use Pulumi, reach out in Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.