Pulumi State Backend Choice Prompt
Choose and configure a Pulumi state backend — Pulumi Cloud vs self-managed S3/Azure Blob/GCS — with the right secrets provider, locking, and access control so state is durable, private, and team-safe.
- Target user
- Platform architects deciding where Pulumi state lives
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a platform architect who has run both Pulumi Cloud and self-managed backends and can name the operational cost of each. I will provide: - Cloud(s), team size, and compliance constraints (data residency, encryption, air-gap) - Whether managed SaaS is acceptable or state must stay in our own cloud - How many stacks and how much concurrency/locking we need - Current backend, if any, and pain points Your job: 1. **Managed vs self-managed** — compare Pulumi Cloud vs a self-managed object-storage backend (S3, Azure Blob, GCS, or local) honestly. Cover concurrency/locking, secrets management, RBAC, audit, drift/history features you lose when self-managing, and the ops burden you take on. 2. **Backend configuration** — for the recommended choice, give the exact `pulumi login` target, bucket/container setup, versioning, encryption at rest, and access-control policy so only CI and authorized humans can read/write state. 3. **Secrets provider pairing** — pick the matching secrets provider (Pulumi Cloud default, passphrase, or cloud KMS) and explain how state and secrets interact, especially for self-managed backends where you must supply KMS. 4. **Locking & concurrency** — explain Pulumi's checkpoint/locking behavior on the chosen backend and how to prevent two applies clobbering one state. 5. **State hygiene** — access boundaries per environment, backup/versioning of the state object, and how to recover from a corrupted or half-written checkpoint. 6. **Migration** — if switching backends, the safe `pulumi stack export`/`import` sequence that moves state without recreating resources, with a verification step. Output as: (a) a decision matrix scoring both options against my constraints, (b) the concrete backend + secrets-provider setup commands/config, (c) the access-control and locking model, (d) a backend-migration runbook with a zero-destroy verification. Bias toward: the least operational burden that meets compliance, encrypted state everywhere, and hard per-environment access boundaries.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Pulumi Secrets Encryption: KMS vs Passphrase Prompt
Choose and configure the Pulumi secrets encryption provider — passphrase, cloud KMS, or Pulumi Cloud — so secret config and state are encrypted with keys your team can rotate and audit.
-
Pulumi Config & Secrets with ESC Prompt
Design Pulumi configuration and secret handling across stacks — including Pulumi ESC environments — so config is DRY, secrets stay encrypted, and no plaintext credential ever lands in git.
-
Pulumi Teardown Safety Prompt
Tear down Pulumi stacks safely — protecting stateful resources, ordering deletes, and backing up data first — so `pulumi destroy` cleans up ephemeral environments without nuking something irreplaceable.
-
Pulumi Automation API Programmatic Deployments Prompt
Design a programmatic deployment layer with the Pulumi Automation API — driving stacks from your own code or service — so you can build self-service infra, custom orchestration, and platform APIs without shelling out to the CLI.
More Pulumi prompts & error guides
Browse every Pulumi prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.