Hi I am newbie to pulumi, I would like to understand couple of things : 1. How secure is it to use pulumi in production with single user ? 2. pulumi doesn’t have 2fa enabled to enhance extra level of security, is it something in plan ? 3. What’s the best practice to maintain the pulumi code, can I maintain pulumi code in git repo and deploy it through jenkins ? 4. Is pulumi also best suited for reading infra details ? Let’s say I want to figure out the cost incurred by s3 resources on AWS account ?

Hi 👋 (not a Pulumi employee, but I hope I’m able to help you out somewhat) 1. You can have organizations with multiple users: https://www.pulumi.com/docs/intro/console/accounts-and-organizations/organizations/ that way you can have multiple people update a stack and you have insight into who did what 2. I’ll leave that to the Pulumi team 🙂 3. Absolutely! It’s definitely a best practice to keep the Pulumi code in a version control system. I have my pulumi code in the same repo as the serverless apps that code deploys. In my case I use CircleCI, but you can see an example here: https://github.com/retgits/acme-serverless-payment (the Pulumi code is in the pulumi folder) 4. Pulumi allows you to search the data of all sorts of AWS resources, I’m not sure though if it can access the data needed to figure out cost (which in S3 case would be a combination of storage, which you could definitely find out, and egress traffic)

Thanks @green-morning-1318 would multiple user work with community edition version ?

I don’t think it is to be honest (https://www.pulumi.com/pricing/)

Hi @some-football-23966 I am not sure what you mean about 2fa? There is currently no remote execution model for Pulumi so it needs to be controlled by the user themselves. what usecase do you believe we need to cover here? Paul

hey @broad-dog-22463 considering that a user needs to first create account and use tokens to execute all the workload, I intend to figure if somehow my account or laptop gets unintended access through a user, the person might end up mess with my account

ah I see what you mean - so the Pulumi SaaS only has the state - as long as you follow good practice, then it won't have access to your pulumi secrets or your code so no-one can actually delete your cloud resources via the Pulumi SaaS - they need the pulumi CLI to do that

alright, so just because reasons I explained, that somehow person get access to the account, the person can setup his/her pulumi CLI with my token or credentials

Pulumi doesn't store any credentials to your cloud cloud provider. YEs, you are correct that if someone gets access to your pulumi account then they can use your pulumi access token but that simply means they can store their cloud state in your pulumi account It 100% doesn't mean they can deploy to your cloud

Alright got it

I will raise it with the team 🙂

Thanks. I would highly appreciate if you can route to best coding practices for pulumi in terms of creating folder structure / naming convention etc.

But please rest assured, Pulumi doesn't store any of our data that can compromise either your cloud crendtials or your cloud resources - you can ensure you store any configuration options as secrets 🙂 https://www.pulumi.com/docs/intro/concepts/programming-model/#secrets

The main thing which I liked about pulumi is I can write code like a developer and I don’t have to learn much of the new things like DSL etc. So if you can answer few of these questions as well, it will really help in taking the call : 1. in case pulumi is down, I won’t be able to use pulumi to manage my account, right ? what’s the SLA for pulumi to be up ? 2. as pulumi doesn’t store code, what’s the best practice to create readable folder strucuture for pulumi code base ? 3. Can I run pulumi code using normal python / node commands instead of pulumi up ? The usecase if where I just to read the configurations of cloud rather than deploying it ? Is it even possible. ? 4. In case I use s3 as state backend instead of pulumi.com, what would I lose ?

1. <finding that out for you now> 2. It all depends on what you are trying to achieve - we suggest it's software so it can be structured as you would structure your software. We have a reference example https://github.com/pulumi/examples/tree/master/aws-stackreference-architecture 3. There is, at this point in time, no SDK for Pulumi to be embedded in your application. It is under investigation that users want that issue - we have various issues open in Pulumi/pulumi repo for this 4. If you use the open source state backends then the primary thing you loose is concurrency / locking. This is provided by default by the SaaS. Other than that, you need to manage your own backups / versioning etc

Thanks @broad-dog-22463 point 3 is a bigger use case. I want to use pulumi more freely and openly like aws sdk or any third party sdk. Until or unless necessary I don’t want to run pulumi up or we can have pulumi up written in python code itself so that I don’t have to be dependent on CLI. There are lot of usecases which are just plain get calls for aws resources, like reading s3, ecs state, current cost attribution, reading current infrastructure and then duplicating it in same or different env etc.

so you can mock your cloud and not have to do any pulumi up and write your code and test it as normal

Consider a developer developing an application with no restrictions. pulumi up seems to be the only way to run pulumi code, which in my consideration a limitation. It’s bit against the whole idea of having pulumi as framework which can understand regular programming language and code

but it's the same way as with other tools right? I mean kubectl commands, terraform commands, arm template deployments

That’s what these guys haven’t solved. They are just deployment centric, while you have the whole power to solve all non-deployment use cases too.

WRT to the SLA - this is what I was quoted from the SaaS team: '“The Pulumi service is operated with a high bar for availability. Financially-backed SLAs are available as part of our Team and Enterprise offerings for organizations that need tighter guarantees around service availability.”"

people using java/node/python already has best practices defined and can just utilise puluni within the stack as one of the super crazy library to solve for infra automatio

@some-football-23966 one thing that we do enabled is CI / CD workflows - we believed that was a higher priority to solve https://www.pulumi.com/docs/guides/continuous-delivery/

cool. 🙂 I just feel IaaC is not just about deployment but about management as well 🙂

the workflow we provider 100% enables management as well 🙂

Is it possible today to get s3 costing attribution using pulumi ?

and I also worked for HashiCorp before that so I do understand this space luckily 🙂

yeah I do understand you are way better in this than me. 🙂 Terraform and pulumi, I am inclined toward pulumi too

no not better at all

But one question why do you think that’s not possible ?

we have currently got no interaction from Pulumi to the cost APIs directly

okk, if I talk about I want to read a Kafka cluster which wasn’t deployed by pulumi before can I read the infra and deploy duplicate version of it using pulumi ?

AWS*

Got it. Any documentation of that would be helpful

There's even a video 🙂

Consider that I don’t have any existing IaC, in that case how is it possible ? In case infra is deployed using imperative approach using shell or manual steps ?

you would use the IDs that the Pulumi API expects and use those in the Pulumi code as part of the CustomResourceOptions