The aws:connect/instance:Instance resource, part of the Pulumi AWS provider, provisions an Amazon Connect instance: the container for contact center operations, including identity management, call routing, and agent workspace configuration. This guide focuses on two capabilities: identity management modes and call routing enablement.
Amazon Connect instances can integrate with AWS Directory Service or external SAML providers for authentication. The examples are intentionally small. Combine them with your own contact flows, queues, and routing profiles. Note that AWS enforces a limit of 100 combined instance creations and deletions every 30 days.
Create a Connect-managed instance with call routing
Most contact centers start with a Connect-managed instance that handles user authentication internally, enabling both inbound and outbound calling.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const test = new aws.connect.Instance("test", {
    identityManagementType: "CONNECT_MANAGED",
    inboundCallsEnabled: true,
    instanceAlias: "friendly-name-connect",
    outboundCallsEnabled: true,
    tags: {
        hello: "world",
    },
});
```

```python
import pulumi
import pulumi_aws as aws

test = aws.connect.Instance("test",
    identity_management_type="CONNECT_MANAGED",
    inbound_calls_enabled=True,
    instance_alias="friendly-name-connect",
    outbound_calls_enabled=True,
    tags={
        "hello": "world",
    })
```

```go
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/connect"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := connect.NewInstance(ctx, "test", &connect.InstanceArgs{
			IdentityManagementType: pulumi.String("CONNECT_MANAGED"),
			InboundCallsEnabled:    pulumi.Bool(true),
			InstanceAlias:          pulumi.String("friendly-name-connect"),
			OutboundCallsEnabled:   pulumi.Bool(true),
			Tags: pulumi.StringMap{
				"hello": pulumi.String("world"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    var test = new Aws.Connect.Instance("test", new()
    {
        IdentityManagementType = "CONNECT_MANAGED",
        InboundCallsEnabled = true,
        InstanceAlias = "friendly-name-connect",
        OutboundCallsEnabled = true,
        Tags =
        {
            { "hello", "world" },
        },
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.connect.Instance;
import com.pulumi.aws.connect.InstanceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var test = new Instance("test", InstanceArgs.builder()
            .identityManagementType("CONNECT_MANAGED")
            .inboundCallsEnabled(true)
            .instanceAlias("friendly-name-connect")
            .outboundCallsEnabled(true)
            .tags(Map.of("hello", "world"))
            .build());
    }
}
```

```yaml
resources:
  test:
    type: aws:connect:Instance
    properties:
      identityManagementType: CONNECT_MANAGED
      inboundCallsEnabled: true
      instanceAlias: friendly-name-connect
      outboundCallsEnabled: true
      tags:
        hello: world
```
When you set identityManagementType to CONNECT_MANAGED, Amazon Connect creates its own user directory. The inboundCallsEnabled and outboundCallsEnabled properties control whether the instance can receive and place calls. The instanceAlias provides a friendly name for the instance URL.
Integrate with existing Active Directory for authentication
Organizations with established Active Directory infrastructure can connect their instance to existing user directories.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const test = new aws.connect.Instance("test", {
    directoryId: testAwsDirectoryServiceDirectory.id,
    identityManagementType: "EXISTING_DIRECTORY",
    inboundCallsEnabled: true,
    instanceAlias: "friendly-name-connect",
    outboundCallsEnabled: true,
});
```

```python
import pulumi
import pulumi_aws as aws

test = aws.connect.Instance("test",
    directory_id=test_aws_directory_service_directory["id"],
    identity_management_type="EXISTING_DIRECTORY",
    inbound_calls_enabled=True,
    instance_alias="friendly-name-connect",
    outbound_calls_enabled=True)
```

```go
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/connect"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := connect.NewInstance(ctx, "test", &connect.InstanceArgs{
			DirectoryId:            pulumi.Any(testAwsDirectoryServiceDirectory.Id),
			IdentityManagementType: pulumi.String("EXISTING_DIRECTORY"),
			InboundCallsEnabled:    pulumi.Bool(true),
			InstanceAlias:          pulumi.String("friendly-name-connect"),
			OutboundCallsEnabled:   pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    var test = new Aws.Connect.Instance("test", new()
    {
        DirectoryId = testAwsDirectoryServiceDirectory.Id,
        IdentityManagementType = "EXISTING_DIRECTORY",
        InboundCallsEnabled = true,
        InstanceAlias = "friendly-name-connect",
        OutboundCallsEnabled = true,
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.connect.Instance;
import com.pulumi.aws.connect.InstanceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var test = new Instance("test", InstanceArgs.builder()
            .directoryId(testAwsDirectoryServiceDirectory.id())
            .identityManagementType("EXISTING_DIRECTORY")
            .inboundCallsEnabled(true)
            .instanceAlias("friendly-name-connect")
            .outboundCallsEnabled(true)
            .build());
    }
}
```

```yaml
resources:
  test:
    type: aws:connect:Instance
    properties:
      directoryId: ${testAwsDirectoryServiceDirectory.id}
      identityManagementType: EXISTING_DIRECTORY
      inboundCallsEnabled: true
      instanceAlias: friendly-name-connect
      outboundCallsEnabled: true
```
Setting identityManagementType to EXISTING_DIRECTORY and providing a directoryId links the Connect instance to an AWS Directory Service directory. Agents authenticate using their Active Directory credentials rather than Connect-managed accounts.
Enable SAML-based single sign-on
Enterprises using identity providers like Okta or Azure AD can configure SAML authentication for single sign-on.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const test = new aws.connect.Instance("test", {
    identityManagementType: "SAML",
    inboundCallsEnabled: true,
    instanceAlias: "friendly-name-connect",
    outboundCallsEnabled: true,
});
```

```python
import pulumi
import pulumi_aws as aws

test = aws.connect.Instance("test",
    identity_management_type="SAML",
    inbound_calls_enabled=True,
    instance_alias="friendly-name-connect",
    outbound_calls_enabled=True)
```

```go
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/connect"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := connect.NewInstance(ctx, "test", &connect.InstanceArgs{
			IdentityManagementType: pulumi.String("SAML"),
			InboundCallsEnabled:    pulumi.Bool(true),
			InstanceAlias:          pulumi.String("friendly-name-connect"),
			OutboundCallsEnabled:   pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    var test = new Aws.Connect.Instance("test", new()
    {
        IdentityManagementType = "SAML",
        InboundCallsEnabled = true,
        InstanceAlias = "friendly-name-connect",
        OutboundCallsEnabled = true,
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.connect.Instance;
import com.pulumi.aws.connect.InstanceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var test = new Instance("test", InstanceArgs.builder()
            .identityManagementType("SAML")
            .inboundCallsEnabled(true)
            .instanceAlias("friendly-name-connect")
            .outboundCallsEnabled(true)
            .build());
    }
}
```

```yaml
resources:
  test:
    type: aws:connect:Instance
    properties:
      identityManagementType: SAML
      inboundCallsEnabled: true
      instanceAlias: friendly-name-connect
      outboundCallsEnabled: true
```
The SAML identity management type integrates with external identity providers. You configure the SAML provider separately; this resource establishes the Connect instance’s authentication mode.
Beyond these examples
These snippets focus on specific instance-level features: identity management (Connect-managed, Active Directory, SAML) and call routing enablement (inbound and outbound). They’re intentionally minimal rather than full contact center deployments.
The examples may reference pre-existing infrastructure such as AWS Directory Service directories (for EXISTING_DIRECTORY mode) and SAML identity providers (for SAML mode). They focus on configuring the instance rather than provisioning authentication infrastructure.
To keep things focused, common instance patterns are omitted, including:
- Contact flow logging (contactFlowLogsEnabled)
- Contact Lens analytics (contactLensEnabled)
- Multi-party conferencing (multiPartyConferenceEnabled)
- Early media handling (earlyMediaEnabled)
These omissions are intentional: the goal is to illustrate how each instance feature is wired, not provide drop-in contact center modules. See the Connect Instance resource reference for all available configuration options.
Frequently Asked Questions
Instance Limits & Quotas
Identity Management & Authentication
Connect supports three identity management types:
- CONNECT_MANAGED - Amazon Connect manages user identities internally
- EXISTING_DIRECTORY - Integrates with an existing AWS Directory Service directory
- SAML - Uses SAML 2.0-based authentication
To integrate an existing directory, set identityManagementType to EXISTING_DIRECTORY and provide your directory’s ID in the directoryId property.
To use SAML, set identityManagementType to SAML. No directoryId is required for SAML-based authentication.
Configuration & Immutability
identityManagementType, directoryId, and instanceAlias are immutable. Changing any of these requires recreating the instance.
instanceAlias is required if you don’t specify a directoryId. When using EXISTING_DIRECTORY as the identity management type, you must provide directoryId.
Features & Defaults
contactFlowLogsEnabled defaults to false. You must explicitly enable this feature if you need contact flow logging for debugging or monitoring.
By default, autoResolveBestVoicesEnabled and contactLensEnabled are true, while contactFlowLogsEnabled and multiPartyConferenceEnabled are false. Early media for outbound calls defaults to true if outbound calls are enabled.
inboundCallsEnabled and outboundCallsEnabled are required boolean properties. Set them to true to enable the respective calling capabilities.
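The rules in this FAQ can be checked before a deployment runs. The following is an added example, not code from Pulumi or AWS: it validates a proposed property set against the identity-mode and required-property rules, flags disabled contact flow logging, and reports which changes hit an immutable property and would therefore delete and recreate the instance, spending two operations from the 100-per-30-days quota. The function names and sample dictionaries are assumptions made for illustration, and the check runs offline without calling Pulumi.

```python
# Added example: offline pre-deployment check, not Pulumi or AWS code.
IMMUTABLE = ("identityManagementType", "directoryId", "instanceAlias")
MODES = ("CONNECT_MANAGED", "EXISTING_DIRECTORY", "SAML")


def validate_instance(props):
    """Return a list of findings for one proposed aws:connect:Instance."""
    findings = []
    mode = props.get("identityManagementType")
    if mode not in MODES:
        findings.append(f"identityManagementType must be one of {MODES}")
    for flag in ("inboundCallsEnabled", "outboundCallsEnabled"):
        if not isinstance(props.get(flag), bool):
            findings.append(f"{flag} is a required boolean")
    has_dir = bool(props.get("directoryId"))
    if mode == "EXISTING_DIRECTORY" and not has_dir:
        findings.append("EXISTING_DIRECTORY requires directoryId")
    if not has_dir and not props.get("instanceAlias"):
        findings.append("instanceAlias is required without directoryId")
    # contactFlowLogsEnabled defaults to false, so absence means no flow logs.
    if not props.get("contactFlowLogsEnabled", False):
        findings.append("contactFlowLogsEnabled is off (default): no contact flow logs")
    return findings


def replacement_triggers(current, proposed):
    """Immutable properties whose change forces delete-and-recreate."""
    return [k for k in IMMUTABLE if current.get(k) != proposed.get(k)]


# Constructed sample inputs (not taken from a real stack).
DEPLOYED = {"identityManagementType": "CONNECT_MANAGED", "inboundCallsEnabled": True,
            "outboundCallsEnabled": True, "instanceAlias": "friendly-name-connect"}
PROPOSED = {"identityManagementType": "EXISTING_DIRECTORY", "inboundCallsEnabled": True,
            "outboundCallsEnabled": True, "instanceAlias": "friendly-name-connect"}

if __name__ == "__main__":
    for finding in validate_instance(PROPOSED):
        print("FINDING:", finding)
    for prop in replacement_triggers(DEPLOYED, PROPOSED):
        print("REPLACE: changing", prop, "recreates the instance")
```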