I'm a bit confused about Pulumi's role in "refreshing" resources : for example updating a Lambda, its LambdaLayer or redeploying an API Gateway Isn't that what a CI/CD system is supposed to do ? Where does Pululmi's role stop here ? In my case, I'd like Pulumi to configure Machine Learning services like SageMaker, which involve complex, intertwined configuration (S3 bucket for training data, S3 bucket for outputs, etc.) Should I also use a hashing system in order to determine wether Pulumi should refresh resources, same as the hash uses for Lambda ?

If you deploy all resources from Pulumi, you shouldn't need refresh. Pulumi takes care of updating resources when definitions change. CI/CD would call Pulumi to do so e.g. when code changes in the repo.

When you deploy with pulumi it creates resources you can see at the pulumi.com app or review in json with the

pulumi stack export

command. Ideally, you never modify resources outside of Pulumi deployments, but sometimes, especially during development, you may need to delete or modify a resource in a cloud platform. Pulumi has no way of knowing that happened when things are modified outside of deployments, so

pulumi refresh

exists to allow your stack's state to sync up with the provider. It does NOT import resources pulumi didn't create, or keep track of every setting. It does really help in the rare cases that Pulumi's record of its resources state drift from what its records indicate.

When the source code of a Lambda changes (because of a commit on Git), it's not exactly a "resource change" per se : the infrastructure is the same, it's just the contents that changed Likewise, if I have training data for ML on a bucket, if the data changes then I need to rerun my ML job on it. I'm wondering if content changes are still within Pulumi's jurisdiction in terms of CI or if Pulumi's only meant for configuration changes (infra)