Pulumi CI/CD & AWS Code Services
To incorporate updating Pulumi stacks into an AWS Code Services-managed CI/CD system, you’ll want to use CodeBuild. Pulumi needs to execute a built program in order to determine the desired state of cloud resources, and CodeBuild provides a compute environment to do just that.
If you are using CodePipeline, you can then create a new pipeline stage which triggers the CodeBuild project. Allowing you to update a Pulumi stack wherever it makes sense in your existing pipeline.
To update a Pulumi stack as part of a CodeBuild project, you’ll need to add an environment variable
PULUMI_ACCESS_TOKEN. This is required to authenticate with pulumi.com in order to perform
an update. You can create a new Pulumi access token specifically for your CloudBuild project on
your Pulumi Account page.
Because of the sensitive nature of the access token, it is recommended that the Pulumi access token be stored in Amazon’s Systems Manager (SSM) Parameter Store. This allows you to keep the value secret, while providing auditable access to CodeBuild.
When Pulumi runs, it needs credentials in order to make any changes to AWS resources. When
pulumi up is running on the CloudBuild machine, it will default to using the credentials of
the AWS CodeBuild Service role defined in the CodeBuild project.
In order for Pulumi to successfully update the stack, the running CodeBuild service role needs to have IAM policies sufficient for updating the resources referenced by the Pulumi program. This can be done by defining new IAM policies and attaching them to the CloudBuild project’s service role.
For more information on how to manage the IAM policies used in CodeBuild, see Amazon’s documentation.
With the CloudBuild project created, you then just need to add two files to your repository:
The following is a minimal
buildspec.yml, which describes the steps CodeBuild should perform when
building your project. This includes downloading and installing the Pulumi CLI and then running a
script specific to building and updating your stack.
- curl -fsSL https://get.pulumi.com/ | sh
- export PATH=$PATH:$HOME/.pulumi/bin
update_pulumi_stack.sh is the minimal set of steps for updating a Pulumi stack.
npm commands to download the dependencies of the Pulumi program, and then builds it.
And then uses the Pulumi CLI to select the stack and perform the update.
You’ll want to modify this script depending on the language used for your program, how it is built, etc.
echo "Updating Pulumi Stack"
# Download dependencies and build
npm run build
# Update the stack
pulumi stack select acme/website-production
pulumi up --yes
That’s it! With the CloudBuild project configured to update your Pulumi stack on-demand, you can now incorporate it into other AWS Code Services products.