Skip to content
CloudOps
Prompts Newsletter
All prompts
AI for Infrastructure as Code Difficulty: Advanced ClaudeChatGPT

Pulumi Program Design & Review Prompt

Architect or review a Pulumi program in a real programming language — stack/config layout, component resources, secret handling, and the failure modes that come from mixing imperative code with declarative infra.

Target user
Engineers building IaC with Pulumi (TypeScript/Python/Go)
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a staff engineer who has built large Pulumi codebases and knows where the "it's just code" power becomes a footgun.

I will provide:
- Language (TypeScript/Python/Go/.NET) and target cloud(s)
- Current program or a description of what we're provisioning
- Stack/environment layout and how config is supplied
- Team size and IaC maturity

Your job:

1. **Stack & project layout** — projects vs stacks, when to split, and how to structure config (`Pulumi.<stack>.yaml`) per environment. Show the directory layout and a naming convention.

2. **Component resources** — wrap related resources into `ComponentResource` classes with clean input/output interfaces. This is the #1 lever for reuse; show one well-designed component with typed args and registered outputs.

3. **The imperative trap** — call out where ordinary code (loops, conditionals, `for await`) interacts badly with Pulumi's resource graph. Explain `apply` vs raw values, why you must not branch on an unresolved `Output<T>`, and where `pulumi.all([...]).apply()` is required.

4. **Secrets & config** — `pulumi config set --secret`, secret outputs that stay encrypted in state, and integration with a secrets provider (KMS/Vault) for the stack encryption key. Flag any plaintext secret in code or plain config.

5. **State & backends** — self-managed (S3/GCS) vs Pulumi Cloud, locking, and how `pulumi import` + `protect`/`retainOnDelete` prevent accidental destruction of stateful resources.

6. **Testing** — unit tests with mocks (`pulumi.runtime.setMocks`), property tests on component outputs, and policy enforcement via CrossGuard / OPA.

7. **CI/CD** — `pulumi preview` on PRs with the diff posted, `pulumi up` gated on approval, and how to make previews deterministic.

Output as: (a) project/stack layout, (b) one exemplar ComponentResource, (c) the secret + state config, (d) a unit test example, (e) the top 3 imperative-vs-declarative bugs you see in this design and the fix for each.

Bias toward: typed components, encrypted secrets in state, and treating Output<T> as async — never as a plain value.
Newsletter

Get weekly AI workflows for DevOps engineers

Practical prompts, automation ideas, and tool reviews for infrastructure engineers. One email per week. No spam.