No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

this is a networking problem, you either need to use a bastion/jumpbox or a vpn

Commands for initialization can also be handled through SSM (aws.ssm has the Document and Association resources that you'd need for this approach), or you can use userdata (cloud-init package's GetConfig function is the way to go here).

You also pair pulumi's `command.local.Command` to use the aws CLI to invoke handy built-in AWS SSM / Systems Manager features, like <https://docs.aws.amazon.com/systems-manager/latest/userguide/walkthrough-cli.html|running remote commands/scripts>, or <https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html#sessions-start-port-forwarding|starting a port forwarding session>.

One of the nice parts of this approach is that your automations never touch your SSH keys...but there are some pre-reqs for using Systems Manager.

And you still need access, since the command does run on the machine. cloud-init and SSM documents run on the machine itself, which makes it handy if the machine is on an isolated subnet, for example.