I have a few hundred EC2 servers running (currently not part of a Pulumi stack). How do I do patch management across those servers? I am looking for an alternative to AWS Systems Manager. I also am looking for a way to execute other commands in these instances at scale (updating firewall rules for example). Is Pulumi a good tool to use for this use case?

For this, you would need to import these into Pulumi management so that Pulumi is aware of the state of these

after I import them in the stack, how do I go about executing commands across all of them? Is pulumi a good tool to do this?

Do you do immutable servers or immutable config? I personally don't see Pulumi being that tool, but maybe I am wrong. I am using SSM Ansible Playbooks to update certain instance config. But you wanted to stray away from SSM.

I would agree with @chilly-hairdresser-56259 here

Thanks for your pointers!