The aws:connect/instance:Instance resource, part of the Pulumi AWS provider, provisions an Amazon Connect contact center instance with identity management, call routing, and optional analytics features. This guide focuses on two capabilities: identity management options (Connect-managed, Active Directory, SAML) and call routing configuration.
Amazon Connect instances require choosing an identity management approach and enabling call directions. Active Directory integration needs an existing AWS Directory Service directory; SAML integration requires external identity provider configuration. The examples are intentionally small. Combine them with your own user management infrastructure and contact flows.
Create a Connect-managed instance with call routing
Contact centers often start with a Connect-managed instance that handles user authentication internally, enabling both inbound and outbound calling.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const test = new aws.connect.Instance("test", {
    identityManagementType: "CONNECT_MANAGED",
    inboundCallsEnabled: true,
    instanceAlias: "friendly-name-connect",
    outboundCallsEnabled: true,
    tags: {
        hello: "world",
    },
});
```

```python
import pulumi
import pulumi_aws as aws

test = aws.connect.Instance("test",
    identity_management_type="CONNECT_MANAGED",
    inbound_calls_enabled=True,
    instance_alias="friendly-name-connect",
    outbound_calls_enabled=True,
    tags={
        "hello": "world",
    })
```

```go
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/connect"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := connect.NewInstance(ctx, "test", &connect.InstanceArgs{
			IdentityManagementType: pulumi.String("CONNECT_MANAGED"),
			InboundCallsEnabled:    pulumi.Bool(true),
			InstanceAlias:          pulumi.String("friendly-name-connect"),
			OutboundCallsEnabled:   pulumi.Bool(true),
			Tags: pulumi.StringMap{
				"hello": pulumi.String("world"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    var test = new Aws.Connect.Instance("test", new()
    {
        IdentityManagementType = "CONNECT_MANAGED",
        InboundCallsEnabled = true,
        InstanceAlias = "friendly-name-connect",
        OutboundCallsEnabled = true,
        Tags =
        {
            { "hello", "world" },
        },
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.connect.Instance;
import com.pulumi.aws.connect.InstanceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var test = new Instance("test", InstanceArgs.builder()
            .identityManagementType("CONNECT_MANAGED")
            .inboundCallsEnabled(true)
            .instanceAlias("friendly-name-connect")
            .outboundCallsEnabled(true)
            .tags(Map.of("hello", "world"))
            .build());
    }
}
```

```yaml
resources:
  test:
    type: aws:connect:Instance
    properties:
      identityManagementType: CONNECT_MANAGED
      inboundCallsEnabled: true
      instanceAlias: friendly-name-connect
      outboundCallsEnabled: true
      tags:
        hello: world
```
The identityManagementType property set to CONNECT_MANAGED tells Amazon Connect to manage users directly rather than integrating with external directories. The instanceAlias provides a friendly name for the contact center. Setting both inboundCallsEnabled and outboundCallsEnabled to true allows agents to receive and place calls.
Integrate with existing Active Directory for authentication
Organizations with established Active Directory infrastructure can connect their existing user directory rather than managing users separately.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const test = new aws.connect.Instance("test", {
    directoryId: testAwsDirectoryServiceDirectory.id,
    identityManagementType: "EXISTING_DIRECTORY",
    inboundCallsEnabled: true,
    instanceAlias: "friendly-name-connect",
    outboundCallsEnabled: true,
});
```

```python
import pulumi
import pulumi_aws as aws

test = aws.connect.Instance("test",
    directory_id=test_aws_directory_service_directory["id"],
    identity_management_type="EXISTING_DIRECTORY",
    inbound_calls_enabled=True,
    instance_alias="friendly-name-connect",
    outbound_calls_enabled=True)
```

```go
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/connect"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := connect.NewInstance(ctx, "test", &connect.InstanceArgs{
			DirectoryId:            pulumi.Any(testAwsDirectoryServiceDirectory.Id),
			IdentityManagementType: pulumi.String("EXISTING_DIRECTORY"),
			InboundCallsEnabled:    pulumi.Bool(true),
			InstanceAlias:          pulumi.String("friendly-name-connect"),
			OutboundCallsEnabled:   pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    var test = new Aws.Connect.Instance("test", new()
    {
        DirectoryId = testAwsDirectoryServiceDirectory.Id,
        IdentityManagementType = "EXISTING_DIRECTORY",
        InboundCallsEnabled = true,
        InstanceAlias = "friendly-name-connect",
        OutboundCallsEnabled = true,
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.connect.Instance;
import com.pulumi.aws.connect.InstanceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var test = new Instance("test", InstanceArgs.builder()
            .directoryId(testAwsDirectoryServiceDirectory.id())
            .identityManagementType("EXISTING_DIRECTORY")
            .inboundCallsEnabled(true)
            .instanceAlias("friendly-name-connect")
            .outboundCallsEnabled(true)
            .build());
    }
}
```

```yaml
resources:
  test:
    type: aws:connect:Instance
    properties:
      directoryId: ${testAwsDirectoryServiceDirectory.id}
      identityManagementType: EXISTING_DIRECTORY
      inboundCallsEnabled: true
      instanceAlias: friendly-name-connect
      outboundCallsEnabled: true
```
When identityManagementType is EXISTING_DIRECTORY, the directoryId property points to an AWS Directory Service directory that already exists. Amazon Connect authenticates agents against this directory, allowing you to use existing corporate credentials and group memberships.
Enable SAML-based single sign-on
Enterprises using SAML identity providers can integrate Amazon Connect with their existing SSO infrastructure.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const test = new aws.connect.Instance("test", {
    identityManagementType: "SAML",
    inboundCallsEnabled: true,
    instanceAlias: "friendly-name-connect",
    outboundCallsEnabled: true,
});
```

```python
import pulumi
import pulumi_aws as aws

test = aws.connect.Instance("test",
    identity_management_type="SAML",
    inbound_calls_enabled=True,
    instance_alias="friendly-name-connect",
    outbound_calls_enabled=True)
```

```go
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/connect"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := connect.NewInstance(ctx, "test", &connect.InstanceArgs{
			IdentityManagementType: pulumi.String("SAML"),
			InboundCallsEnabled:    pulumi.Bool(true),
			InstanceAlias:          pulumi.String("friendly-name-connect"),
			OutboundCallsEnabled:   pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    var test = new Aws.Connect.Instance("test", new()
    {
        IdentityManagementType = "SAML",
        InboundCallsEnabled = true,
        InstanceAlias = "friendly-name-connect",
        OutboundCallsEnabled = true,
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.connect.Instance;
import com.pulumi.aws.connect.InstanceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var test = new Instance("test", InstanceArgs.builder()
            .identityManagementType("SAML")
            .inboundCallsEnabled(true)
            .instanceAlias("friendly-name-connect")
            .outboundCallsEnabled(true)
            .build());
    }
}
```

```yaml
resources:
  test:
    type: aws:connect:Instance
    properties:
      identityManagementType: SAML
      inboundCallsEnabled: true
      instanceAlias: friendly-name-connect
      outboundCallsEnabled: true
```
Setting identityManagementType to SAML configures the instance to authenticate through your SAML identity provider. This requires configuring the SAML provider separately; the instance resource only enables SAML mode and sets up call routing.
Beyond these examples
These snippets focus on specific instance-level features: identity management (Connect-managed, Active Directory, SAML) and call routing enablement. They’re intentionally minimal rather than full contact center deployments.
The examples may reference pre-existing infrastructure such as AWS Directory Service directories (for Active Directory integration) and SAML identity provider configuration (for SAML integration). They focus on configuring the instance rather than provisioning the surrounding authentication infrastructure.
To keep things focused, common instance patterns are omitted, including:
- Contact flow logging (contactFlowLogsEnabled)
- Contact Lens analytics (contactLensEnabled)
- Multi-party conferencing (multiPartyConferenceEnabled)
- Early media and voice optimization settings
These omissions are intentional: the goal is to illustrate how each instance feature is wired, not provide drop-in contact center modules. See the Connect Instance resource reference for all available configuration options.
Frequently Asked Questions
Instance Limits & Lifecycle
Identity Management & Configuration
You can choose from three options via identityManagementType:
- CONNECT_MANAGED - Amazon Connect manages user identities
- EXISTING_DIRECTORY - Use an existing Active Directory (requires directoryId)
- SAML - Use SAML 2.0-based authentication
directoryId when identityManagementType is set to EXISTING_DIRECTORY. This links your Connect instance to an existing Active Directory.
instanceAlias is required if you don’t specify directoryId. It provides a friendly name for your Connect instance.
Immutability & Updates
Three properties are immutable and require instance replacement if changed:
- identityManagementType (SAML, CONNECT_MANAGED, or EXISTING_DIRECTORY)
- directoryId (Active Directory identifier)
- instanceAlias (friendly name)
Features & Capabilities
By default, new instances have:
- autoResolveBestVoicesEnabled: true
- contactLensEnabled: true
- earlyMediaEnabled: true (if outbound calls enabled)
- contactFlowLogsEnabled: false
- multiPartyConferenceEnabled: false
inboundCallsEnabled and outboundCallsEnabled are required properties, but you can set either to false if you only need one direction. Configure based on your use case.
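The constraints in the FAQ above (the allowed identityManagementType values, when directoryId and instanceAlias are required, the three immutable properties, and the contactFlowLogsEnabled default of false) can be checked before a deployment. This is an added example, not Pulumi's code: the function names `validate` and `forces_replacement` and the sample dictionaries are hypothetical, and it inspects plain dictionaries of instance arguments rather than calling the Pulumi SDK.

```python
# Added example: pre-deployment checks for aws:connect:Instance arguments.
# The rules come from this page's FAQ; names and samples are hypothetical.

IDENTITY_TYPES = {"CONNECT_MANAGED", "EXISTING_DIRECTORY", "SAML"}
IMMUTABLE = ("identityManagementType", "directoryId", "instanceAlias")


def validate(args):
    """Return a list of findings for one instance's arguments."""
    findings = []
    idm = args.get("identityManagementType")
    if idm not in IDENTITY_TYPES:
        findings.append(f"identityManagementType must be one of {sorted(IDENTITY_TYPES)}")
    if idm == "EXISTING_DIRECTORY" and not args.get("directoryId"):
        findings.append("EXISTING_DIRECTORY requires directoryId")
    if not args.get("directoryId") and not args.get("instanceAlias"):
        findings.append("instanceAlias is required when directoryId is not set")
    for key in ("inboundCallsEnabled", "outboundCallsEnabled"):
        if not isinstance(args.get(key), bool):
            findings.append(f"{key} is required and must be true or false")
    # contactFlowLogsEnabled defaults to false, so logging has to be opted into.
    if not args.get("contactFlowLogsEnabled", False):
        findings.append("contactFlowLogsEnabled is false (the default)")
    return findings


def forces_replacement(old, new):
    """Return the immutable properties whose values differ between two revisions."""
    return [key for key in IMMUTABLE if old.get(key) != new.get(key)]


# Constructed sample inputs that mirror the examples on this page.
CONNECT_MANAGED = {
    "identityManagementType": "CONNECT_MANAGED",
    "instanceAlias": "friendly-name-connect",
    "inboundCallsEnabled": True,
    "outboundCallsEnabled": True,
}
AD_MISSING_DIRECTORY = {**CONNECT_MANAGED, "identityManagementType": "EXISTING_DIRECTORY"}
SWITCH_TO_SAML = {**CONNECT_MANAGED, "identityManagementType": "SAML",
                  "contactFlowLogsEnabled": True}

if __name__ == "__main__":
    for name, cfg in [("connect-managed", CONNECT_MANAGED), ("ad", AD_MISSING_DIRECTORY)]:
        print(name, validate(cfg))
    print("replacement forced by:", forces_replacement(CONNECT_MANAGED, SWITCH_TO_SAML))
```

A non-empty result from `forces_replacement` means the change would replace the instance rather than update it in place, so it is worth gating such changes behind review.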