Hi everyone, Austin here from Panther Labs. We have over 13,000 lines of CloudFormation and I'm very excited to try to replace it with Pulumi! However, all of our deployment/automation infrastructure relies on CloudFormation, and it's not feasible to change that right now (we don't control some of the accounts). Has anyone managed to run Pulumi from within CloudFormation, e.g. as a CFN custom resource? I'm picturing the following migration strategy: 1. Add a custom resource (Python Lambda function) to our CFN stacks which runs Pulumi, storing the statefile in S3 in each account 2. Slowly migrate resources from CFN to Pulumi, deleting them from CFN as we go along 3. Eventually, the CFN stack becomes just a thin wrapper around Pulumi 4. When we're ready, we can remove CFN entirely, move the statefile to the Pulumi web service, and our deployment automation invokes pulumi directly

Hi Austin, I personally wouldn't try to run Pulumi inside of CF - for one, I think you might find that you accidentally delete one or other resource. I'd treat your Pulumi program as two separate entities and gradually migrate resources over. You can use the import command which outputs snippets of code that you can then use going forward

Alternatively, you could use Pulumi to manage Cloudformation stacks, and migrate stacks into Pulumi over time.

Unfortunately, our only entry point to some accounts is through a CloudFormation stack. We do not manage these accounts and have no access to them - our self-hosted customers automatically deploy a CFN stack and we can't easily change that flow.

instead telling Pulumi about the resources and then deleting the resource from CF

This is what I mean - running the Pulumi import in a Lambda function as part of the CFN stack update. Yes, you have to be careful with the order of operations (Pulumi import + CFN delete retention + CFN delete)

Alternatively, you could use Pulumi to manage Cloudformation stacks, and migrate stacks into Pulumi over time

True, but then - how do we get customers (who run their own AWS accounts in which we have no control) to deploy Pulumi? We'd have to get them to set up a new deployment pipeline, which is too much friction

Ahh, I was under the assumption you controlled all the pipelines.

We've got Pulumi running in a lambda container, so you could do that

We've got Pulumi running in a lambda container, so you could do that

Aha, excellent. How do you do this? What Lambda environment are you using - do you bring your own docker image or use the standard Python/Go env?