From 936b378da40f7aa03f25ba8e06a2cf48e9da0a48 Mon Sep 17 00:00:00 2001 From: Cam Date: Mon, 10 Nov 2025 18:38:16 +0000 Subject: [PATCH 1/5] Move 'What is Pulumi Cloud?' Explanation to More Prominent Location in Docs Fixes #16517 --- .../docs/deployments/get-started/_index.md | 2 +- .../deployments/get-started/what-is-it.md | 114 ------------------ content/docs/iac/concepts/_index.md | 44 ++++--- content/docs/iac/concepts/pulumi-cloud.md | 75 ++++++++++++ .../docs/iac/concepts/state-and-backends.md | 4 + layouts/shortcodes/cli-note.html | 2 +- 6 files changed, 107 insertions(+), 134 deletions(-) delete mode 100644 content/docs/deployments/get-started/what-is-it.md create mode 100644 content/docs/iac/concepts/pulumi-cloud.md diff --git a/content/docs/deployments/get-started/_index.md b/content/docs/deployments/get-started/_index.md index 9d3d55e18994..f897205c76c5 100644 --- a/content/docs/deployments/get-started/_index.md +++ b/content/docs/deployments/get-started/_index.md @@ -16,7 +16,7 @@ Pulumi Cloud is a managed service that provides state management, secrets handli ## Is Pulumi Cloud right for you? -New to Pulumi or evaluating your options? Read [Pulumi Cloud and Open Source Pulumi](./what-is-it/) to understand: +New to Pulumi or evaluating your options? Read [Pulumi Cloud and Open Source Pulumi](/docs/iac/concepts/pulumi-cloud/) to understand: - How Pulumi Cloud relates to the open source Pulumi IaC tool - The tradeoffs between using Pulumi Cloud versus self-managed backends diff --git a/content/docs/deployments/get-started/what-is-it.md b/content/docs/deployments/get-started/what-is-it.md deleted file mode 100644 index f814fc0a50d8..000000000000 --- a/content/docs/deployments/get-started/what-is-it.md +++ /dev/null 
@@ -1,114 +0,0 @@ ---- -title_tag: Pulumi Cloud and Open Source Pulumi -meta_desc: Learn how Pulumi Cloud relates to the open source Pulumi infrastructure as code tool. -title: Pulumi Cloud and Open Source Pulumi -h1: Pulumi Cloud and Open Source Pulumi -meta_image: /images/docs/meta-images/docs-meta.png -menu: - deployments: - name: Pulumi Cloud and Open Source Pulumi - parent: deployments-get-started - weight: 1 - identifier: pulumi-cloud-what-is-it -aliases: - - /docs/deployments/get-started/what-is-it/ - - /docs/pulumi-cloud/get-started/what-is-it/ ---- - -So you've chosen to use Pulumi infrastructure as code, and are now deciding how to manage your state and whether Pulumi Cloud is a good fit? Or you've heard Pulumi is open source but aren't entirely clear on what part is fully open and free, and what is a paid Pulumi product? This page will give you a better understanding about the answers to these questions and everything in between. - -## In Summary - -Pulumi Cloud is a managed service that helps teams adopt collaborative, secure, and robust cloud engineering practices. This includes infrastructure as code, secrets management, and continuous enforcement of cloud policies. Pulumi's flagship infrastructure as code tool is [open source](https://github.com/pulumi) and is how many community members initially learn about Pulumi. The two are related in that Pulumi IaC uses Pulumi Cloud by default to make adopting IaC in your team easier, secure, and reliable out-of-the-box and automatically. - -Pulumi IaC can be used with a so-called "DIY" backend if you prefer, which comes with some tradeoffs outlined below. From an adoption perspective, Pulumi Cloud is the most popular way to use Pulumi, especially within a team -- so if you choose it, you're in good company. 
- -{{% notes "info" %}} -An analogy to other software you may be familiar with is that, just like Git is fully open source and you can host, secure, and manage repositories yourself, so too can you with hosting your Pulumi infrastructure as code projects and stacks. It is much easier, especially in a team, however, to use Git in conjunction with GitHub, as it features easy security, reliability, and collaboration, as well as powerful features like Pull Requests. A similar dynamic exists with Pulumi and Pulumi Cloud. -{{% /notes %}} - -Pulumi Cloud is a platform of three products: [Pulumi IaC](/product/infrastructure-as-code), the companion to Pulumi open source IaC; [Pulumi ESC](/product/secrets-management), a secrets and configuration solution; and [Pulumi Insights](/product/pulumi-insights), an intelligent cloud inventory, compliance, and management product. Pulumi Cloud is offered as a service (SaaS) as well as a self-hosted edition that you can run anywhere. It features a novel client/server architecture to increase your confidence in using the SaaS. - -## Five Key Areas - -There are five key areas where Pulumi Cloud adds value beyond what is available in the Pulumi IaC open source software: - -* **Instant Collaboration**: provides a common place where developers, security experts, and infrastructure practitioners meet to automate, secure, and manage cloud infrastructure -* **Automatic Security**: ensures security best practices are built-in from the outset -* **Robustness, Performance, and Scalability**: automatically ensures reliability and scalability as your cloud needs grow, minimizing outages and the need to rearchitect your system over time -* **Governance and Extensibility**: guarantees that teammates are following your established practices early and always, with full visibility -* **Cost Effectiveness**: the lowest total cost to maximize return on your cloud investments - -Let's examine each of these areas in more detail. 
- -### 1/ Instant Collaboration - -The first thing you will notice with Pulumi Cloud is that all of your [projects, stacks, and resources](/docs/deployments/projects-and-stacks/) are easy to see, search, and explore. A complete history is always available, of who has changed what, when, and how, with full resource change diffs, and links to both the source changes that triggered a deployment, as well as forward links to the resources in your cloud consoles. - -All actions taken by teammates on Pulumi Cloud are logged for [full auditability](/docs/administration/security-compliance/audit-logs/). Full deployment logs are also captured and easy to review to facilitate debugging failures. This is particularly useful for automated deployments, as is common with the [Pulumi Automation API](/automation) and [Pulumi Kubernetes Operator](/docs/iac/using-pulumi/continuous-delivery/pulumi-kubernetes-operator/). All deployment history for all time is maintained and organized. - -It is easy to get new teammates onto Pulumi Cloud, especially when [using SAML/SSO](/docs/administration/access-identity/saml/) which automates onboarding, offboarding, and role assignment. From there, you can see the identity of teammates who are making infrastructure changes, and delegate responsibilities to them. - -Pulumi Cloud integrates with [over a dozen CI/CD systems](/docs/iac/using-pulumi/continuous-delivery/), such as GitHub Actions, GitLab Pipelines, Jenkins, etc., and has [a built-in deployment service](/docs/deployments/deployments/) for easy Git-based deployments. The result is that configuring delivery pipelines with Pulumi Cloud is flexible so that if you want to collaborate with teammates using standard Git-driven code flows, like pull requests, code reviews, and branch-driven deployments, you can do so. The Pulumi GitHub App will put previews of your deployments right into the pull request comments, making reviews seamless. 
- -Pulumi's projects and stacks model facilitates collaboration especially thanks to the IaC tool's configuration model, but Pulumi Cloud goes beyond this by offering Pulumi ESC, a way to group configuration and secrets that frequently change together into composable and versioned environments. This enables Don't Repeat Yourself (DRY) practices that help to secure access to cloud accounts, share sensitive information, and deliberately roll out changes across multiple related projects and stacks. - -Pulumi Cloud also offers short-lived stacks in the form of [Review Stacks](/docs/deployments/deployments/review-stacks/) -- ephemeral environments stood up just for the duration of a Pull Request, making verification of changes much more robust and seamless -- as well as [Time-to-Live (TTL) Stacks](/docs/deployments/deployments/ttl/), which ensure that temporary stacks get automatically cleaned up, enabling more productive engineering workflows without the risk of cloud waste. - -[Pulumi Neo](/docs/ai/), an AI agent built into Pulumi Cloud, collaborates with you to solve a variety of challenges you might encounter. That includes assisting you in debugging cloud deployment failures, helping you to write infrastructure as code, automating infrastructure tasks, and even asking more general questions like "What versions of Kubernetes am I running?", "What is my most expensive, least used resources?", "Who is my most productive teammate?", and more. Pulumi's AI capabilities are even integrated with the Pulumi CLI as well as the Pulumi VSCode Extension so that you can get AI assistance with your local developer experience. - -### 2/ Automatic Security - -Pulumi Cloud has [a rich identity model](/docs/pulumi-cloud/access-management/) that integrates with your security identity provider of choice, whether that is Azure Active Directory, Google Workspace, Okta, or any SAML/SSO provider, to regulate all access to your cloud assets. 
- -If you manage your IaC state with a DIY approach, you will need to come up with a scheme that works for your organization. It often looks simple at the outset -- perhaps you can just use AWS IAM for the S3 bucket that stores your state -- but large-scale teams rarely want to grant full access to all engineers. In fact, this may be the difference between passing and failing a compliance audit. - -Pulumi Cloud has [a rich RBAC model](/docs/administration/organizations-teams/teams/) that integrates with its projects and stacks; most teams on DIY backends eventually realize they need to build and maintain such a system themselves. Additionally, Pulumi Cloud enables you to [generate short- and long-lived tokens](/docs/administration/access-identity/access-tokens/), optionally with fine-grained permissions, for automation scenarios. This includes easy auditing and revocation of those tokens. - -Pulumi IaC has [a secrets model](/docs/iac/concepts/secrets/) built in which helps to ensure that sensitive information never ends up in a state file in plaintext. This model is limited with DIY backends because you need to leverage less-secure passphrases, or resort to manually managing encryption keys and devising a scheme for creating and managing new ones. If you use Pulumi Cloud, a secure approach is used by default to ensure each organization and stack is encrypted securely. All communications between client and server are also encrypted for an extra layer of security. - -To see an example of what can happen in the real world when improperly managing DIY state, see this [Sysdig blog post](https://sysdig.com/blog/cloud-breach-terraform-data-theft/): it describes how an attacker was able to find a statefile (for Terraform but the same would apply for Pulumi) which contained a secret AWS key that they could use to escalation privileges and take over the entire AWS account. 
If using Pulumi Cloud, this is stopped by construction for multiple reasons: 1) secrets are encrypted, 2) state files themselves are stored encrypted at rest, and 3) most importantly, state files are not stored in easily accessible locations in S3. - -### 3/ Robustness, Performance, and Scalability - -Pulumi is most robust, performant, and reliable when leveraging Pulumi Cloud as its backend. This is because with a DIY backend like AWS S3, the protocol is limited to blob storage and there is a fundamental limit to how effective this protocol can become. The Pulumi Cloud interface, on the other hand, is a rich REST API that is more transactional in nature. This not only means more robust deployments and failure recovery, but also that fewer bytes need to be sent across the wire compared to the way Pulumi checkpoints its state for DIY backends, improving performance, and ultimately leading to a better experience overall. - -Due to the fragile nature of the blob store protocol, teams often need to manually edit DIY-managed state files, because the blob store protocol cannot recover from failures as seamlessly as Pulumi Cloud’s transactional protocol. This means teams on DIY state backends often have to build supporting solutions to backup and recover state. - -Managing state files by hand in a DIY backend can also cause outages if not handled properly. For example, [Spotify described at KubeCon](https://www.youtube.com/watch?v=ix0Tw8uinWs) how they accidentally deleted nearly all of their production Kubernetes clusters due to a simple merge mistake, when managing the equivalent of Pulumi DIY state files in Terraform. This is an easy mistake with DIY backends, but Pulumi Cloud avoids it entirely by construction because the Pulumi Cloud service carefully handles concurrency, serialization, and safety. 
- -Pulumi Cloud itself features [a secure, scalable, fault-tolerant, highly-available global architecture](https://www.pulumi.com/security/pulumi-cloud-security-whitepaper.pdf). This results in a level of robustness and scalability that is difficult to replicate when building a custom DIY backend. Numerous organizations use Pulumi Cloud with thousands of end users, hundreds of thousands of stacks, and millions of updates. BMW's scalable and resilient cloud development platform, for example, [was built using Pulumi](/case-studies/bmw/) and supports over 11,000 developers. - -### 4/ Governance and Extensibility - -Pulumi Cloud makes it easier to ensure your team uses the cloud as intended, thanks to policies and enforcement mechanisms not present in DIY backends. - -Pulumi Cloud offers organization-wide policies thanks to Pulumi's policy as code engine, [Pulumi CrossGuard](/crossguard/), allowing you to enforce policies for security, compliance, cost, team practices, and more. This works over your IaC resources -- to block violations from ever getting deployed -- as well as it does to find and fix existing violations in your cloud accounts, no matter how they were provisioned thanks to Pulumi Insights. You can even auto-remediate violations, such as automatically tagging all AWS resources with certain configurable metadata. - -Pulumi Cloud lets you set up [private templates](/docs/idp/developer-portals/templates/) for your organization which allows end users to spin up infrastructure following patterns you have designated for your team, within an [interactive Internal Developer Platform (IDP) experience](/docs/idp/developer-portals/new-project-wizard/). This, in combination with [Pulumi Components](/docs/iac/concepts/resources/components/), can help ensure you are adopting best practices at scale. Many infrastructure teams review their templates and components with their security counterparts to agree on safe patterns they'll use throughout the organization. 
- -Pulumi Cloud's [drift detection capabilities](/docs/deployments/deployments/drift/) can uncover situations where a manual edit to a cloud resource was made outside of your infrastructure as code specifications, with automatic remediation. Left unchecked, these drift issues can cause surprises, outages, and security incidents. - -Although Pulumi Cloud has numerous workflows out-of-the-box, many teams need custom workflows or integrations, whether for governance or otherwise. For this, all of Pulumi Cloud exposes a [fully documented, programmable REST API](/docs/reference/cloud-rest-api/cloud-rest-api/) that teams can use to extend the system. Additionally, [webhooks can be configured](/docs/deployments/webhooks/) for many event types to trigger custom event-driven workflows such as Slack integrations and more in response to deployments, resource updates, policy violations, and more. - -Pulumi Cloud is an AWS Advanced Partner, implements many compliance specifications and best practices, and undergoes annual SOC 2 Type II audits. For custom DIY backends, you would need to consider these yourself, whereas with Pulumi Cloud, you get this out of the box. - -### 5/ Cost Effectiveness - -Using Pulumi Cloud, you automatically gain all of the above benefits. This means more time to focus on solving your business challenges, versus undifferentiated DIY heavy lifting. - -We have found that teams who use DIY backends require at least one full time engineer for every 10 end users in their team just to manage the DIY backend and build systems, and to ensure it is secure and scalable. They also have to maintain costly onboarding and training programs for using their custom DIY backend. Certain Pulumi capabilities can be exceedingly costly to replicate, like search, AI capabilities, fault tolerance, and the various identity integrations like RBAC. 
And even with all of that, DIY capabilities typically fall far short of what Pulumi Cloud delivers out of the box (for instance, lacking the full history of who changed what and when). - -To learn more about the hidden costs of going it on your own with a DIY backend, read [this blog post](/blog/hidden-costs-of-infrastructure-management/). To learn more from a team of cloud wizards that ultimately decided to retire their DIY backend in favor of Pulumi Cloud, read [the Starburst case study](/case-studies/starburst/). - -Perhaps the best feature of Pulumi Cloud is that "it just works" so you can get up and running quickly on an architecture you know will work today with minimal setup and forever into the future. - -## Next Steps: Try It Out For Free - -Pulumi Cloud is the easiest way to adopt Pulumi's open source IaC tool at scale, securely, reliably, and collaboratively. - -That said, DIY backends are fully supported, and this article aims to help you make an informed decision about which option best suits your use case. The [state and backends topic](/docs/iac/concepts/state-and-backends/) describes in-depth how Pulumi IaC uses Pulumi Cloud and DIY backends and other architectural considerations. - -A complete list of Pulumi Cloud's features and capabilities is available [on the pricing page](/pricing#compare). For more details about adopting Pulumi Cloud in your team, [see the onboarding guide](/docs/deployments/get-started/onboarding-guide). This guide also includes best practices to help you completely adopt the full platform. - -To get started today, [sign up for a free Pulumi Cloud account](https://app.pulumi.com/signup). Pulumi Cloud is free for individuals and small teams, and has advanced capabilities for larger teams and enterprises. diff --git a/content/docs/iac/concepts/_index.md b/content/docs/iac/concepts/_index.md index 6b3c6ce293a2..6d1f22daf990 100644 --- a/content/docs/iac/concepts/_index.md +++ b/content/docs/iac/concepts/_index.md 
@@ -28,7 +28,7 @@ If this is your first time using Pulumi, you likely want to begin with [the Gett Pulumi is an [infrastructure as code](/what-is/what-is-infrastructure-as-code/) platform that allows you to use familiar programming languages and tools to build, deploy, and manage cloud infrastructure. -Pulumi is free, [open source](https://github.com/pulumi/pulumi), and optionally pairs with the [Pulumi Cloud](https://www.pulumi.com/docs/pulumi-cloud/) to make managing infrastructure secure, reliable, and hassle-free. +Pulumi is free, [open source](https://github.com/pulumi/pulumi), and optionally pairs with [Pulumi Cloud](/docs/iac/concepts/pulumi-cloud/) to make managing infrastructure secure, reliable, and hassle-free. ## Supported languages and SDKs 
@@ -51,7 +51,7 @@ The Pulumi platform comprises several components: - **Software development kit (SDK)**: Pulumi Software Development Kit (SDK) provides bindings for each type of resource that the provider can manage. This provides the necessary tools and libraries for defining and managing cloud resources on any cloud and with any provider. -- **Command-Line interface (CLI)**: Pulumi is controlled primarily using the command line interface [(CLI)](https://www.pulumi.com/docs/cli/). It works in conjunction with the [Pulumi Cloud](https://www.pulumi.com/docs/pulumi-cloud/) to deploy changes to your cloud apps and infrastructure. It keeps a history of who updated what in your team and when. This CLI has been designed for great inner loop productivity, in addition to continuous integration and delivery scenarios. +- **Command-Line interface (CLI)**: Pulumi is controlled primarily using the command line interface [(CLI)](https://www.pulumi.com/docs/cli/). It works in conjunction with [Pulumi Cloud](/docs/iac/concepts/pulumi-cloud/) to deploy changes to your cloud apps and infrastructure. It keeps a history of who updated what in your team and when. This CLI has been designed for great inner loop productivity, in addition to continuous integration and delivery scenarios. - **Deployment engine** The deployment engine is responsible for computing the set of operations needed to drive the current state of your infrastructure into the desired state expressed by your program. @@ -77,26 +77,34 @@ Finally, the server's resulting IP address and DNS name are exported as stack ou The following topics provide more details on the core concepts of Pulumi and how to use it: - +
-

How Pulumi works

+

How Pulumi works

Learn about how Pulumi performs deployments under the hood.

-

Projects

-

Learn how Pulumi projects are organized and configured.

+

Pulumi Cloud

+

Learn how Pulumi Cloud relates to the open source tool and what it offers for teams.

- +
-

Stacks

-

Learn how to create and deploy stacks.

+

Projects

+

Learn how Pulumi projects are organized and configured.

-

Resources

+

Stacks

+

Learn how to create and deploy stacks.

+
+
+ + +
+
+

Resources

Learn more about how to use and manage resources in your programs.

@@ -104,11 +112,11 @@ The following topics provide more details on the core concepts of Pulumi and how
-

Resource options

+

Resource options

Learn more about how to use and manage resource options in your program.

-

Inputs and outputs

+

Inputs and outputs

Learn how to use resource properties to handle dependencies between resources.

@@ -116,11 +124,11 @@ The following topics provide more details on the core concepts of Pulumi and how
-

Configuration

+

Configuration

Learn how to configure stacks for different deployment scenarios.

-

Secrets

+

Secrets

Learn how to handle sensitive data and how to store secret encrypted settings in Pulumi.

@@ -128,11 +136,11 @@ The following topics provide more details on the core concepts of Pulumi and how
-

Environments (ESC)

+

Environments (ESC)

Learn how to configure your deployment environments with Pulumi ESC.

-

State and backends

+

State and backends

Learn how Pulumi stores state and manages concurrency.

@@ -140,7 +148,7 @@ The following topics provide more details on the core concepts of Pulumi and how
-

Update plans

+

Update plans

Learn about how to constrain your deployments with update plans.

@@ -148,7 +156,7 @@ The following topics provide more details on the core concepts of Pulumi and how
-

Glossary

+

Glossary

Look up definitions to commonly used terms.

diff --git a/content/docs/iac/concepts/pulumi-cloud.md b/content/docs/iac/concepts/pulumi-cloud.md new file mode 100644 index 000000000000..48c6b7257834 --- /dev/null +++ b/content/docs/iac/concepts/pulumi-cloud.md 
@@ -0,0 +1,75 @@ +--- +title_tag: Pulumi Cloud and Open Source Pulumi +meta_desc: Learn how Pulumi Cloud relates to the open source Pulumi infrastructure as code tool. +title: Pulumi Cloud and Open Source Pulumi +h1: Pulumi Cloud and Open Source Pulumi +meta_image: /images/docs/meta-images/docs-meta.png +menu: + iac: + name: Pulumi Cloud + parent: iac-concepts + weight: 15 + concepts: + weight: 2 +aliases: + - /docs/deployments/get-started/what-is-it/ + - /docs/pulumi-cloud/get-started/what-is-it/ +--- + +Pulumi infrastructure as code is open source. Pulumi Cloud is a managed service that provides state management, team collaboration, and cloud governance features. This page explains how they relate and helps you understand what Pulumi Cloud offers beyond the open source tool. + +## Introduction + +Pulumi Cloud is a managed service that helps teams adopt collaborative, secure, and robust cloud engineering practices. This includes infrastructure as code, secrets management, and continuous enforcement of cloud policies. Pulumi's [open source](https://github.com/pulumi) infrastructure as code tool is how many community members initially learn about Pulumi. The two are related in that Pulumi IaC uses Pulumi Cloud by default to make adopting IaC in your team easier, secure, and reliable automatically. + +Pulumi IaC can also be used with a self-managed backend if you prefer, which comes with some tradeoffs outlined below. + +{{% notes "info" %}} +An analogy to other software you may be familiar with is that, just like Git is fully open source and you can host, secure, and manage repositories yourself, so too can you with hosting your Pulumi infrastructure as code projects and stacks. However, especially in a team setting, using Git in conjunction with GitHub provides built-in security, reliability, and collaboration features like Pull Requests. A similar dynamic exists with Pulumi and Pulumi Cloud. 
+{{% /notes %}} + +{{% notes "info" %}} +For technical details on how Pulumi manages state and how to configure different backends, see [State and Backends](/docs/iac/concepts/state-and-backends/). +{{% /notes %}} + +Pulumi Cloud is a platform of three products: [Pulumi IaC](/product/infrastructure-as-code), the companion to Pulumi open source IaC; [Pulumi ESC](/product/secrets-management), a secrets and configuration solution; and [Pulumi Insights](/product/pulumi-insights), an intelligent cloud inventory, compliance, and management product. Pulumi Cloud is offered as a service (SaaS) as well as a self-hosted edition that you can run anywhere. It features a client/server architecture to increase your confidence in using the SaaS. + +## Key capabilities + +Pulumi Cloud provides several capabilities beyond what is available in the open source Pulumi IaC tool: + +### State management and collaboration + +Pulumi Cloud provides centralized state management with automatic locking and transactional checkpointing for fault tolerance. [Projects, stacks, and resources](/docs/deployments/projects-and-stacks/) are organized and searchable, with complete deployment history including resource diffs and links to source changes and cloud resources. + +[Audit logs](/docs/administration/security-compliance/audit-logs/) capture all actions taken by team members. Deployment logs are maintained for debugging, particularly useful for automated deployments via the [Pulumi Automation API](/automation) and [Pulumi Kubernetes Operator](/docs/iac/using-pulumi/continuous-delivery/pulumi-kubernetes-operator/). + +Team management integrates with [SAML/SSO providers](/docs/administration/access-identity/saml/) for automated onboarding, offboarding, and role assignment. 
Pulumi Cloud integrates with [over a dozen CI/CD systems](/docs/iac/using-pulumi/continuous-delivery/) including GitHub Actions, GitLab Pipelines, and Jenkins, plus [a built-in deployment service](/docs/deployments/deployments/) for Git-based workflows. The Pulumi GitHub App provides deployment previews directly in pull request comments. + +[Pulumi ESC](/product/secrets-management/) allows you to group configuration and secrets into composable, versioned environments for sharing across projects and stacks. [Review Stacks](/docs/deployments/deployments/review-stacks/) provide ephemeral environments for pull request validation, while [TTL Stacks](/docs/deployments/deployments/ttl/) automatically clean up temporary infrastructure. + +[Pulumi Neo](/docs/ai/), an AI agent integrated with Pulumi Cloud, assists with debugging failures, writing infrastructure code, and answering questions about your infrastructure. + +### Security and access control + +Pulumi Cloud provides [identity and access management](/docs/pulumi-cloud/access-management/) that integrates with Azure Active Directory, Google Workspace, Okta, and other SAML/SSO providers. [Role-based access control (RBAC)](/docs/administration/organizations-teams/teams/) integrates with projects and stacks, and you can [generate access tokens](/docs/administration/access-identity/access-tokens/) with fine-grained permissions for automation. + +State files are encrypted at rest and in transit. Pulumi's [secrets model](/docs/iac/concepts/secrets/) ensures sensitive information is encrypted in state files. With Pulumi Cloud, each organization and stack is encrypted securely by default, with managed encryption keys. + +### Governance and extensibility + +Pulumi Cloud enables organization-wide policies using [Pulumi CrossGuard](/crossguard/) for security, compliance, and cost enforcement. 
Policies can block violations at deployment time or find and remediate existing violations through Pulumi Insights, with support for auto-remediation. + +[Private templates](/docs/idp/developer-portals/templates/) and [an Internal Developer Platform experience](/docs/idp/developer-portals/new-project-wizard/) allow you to define approved infrastructure patterns for your organization. [Drift detection](/docs/deployments/deployments/drift/) identifies manual changes made outside of infrastructure as code, with automatic remediation capabilities. + +All Pulumi Cloud functionality is accessible through [a REST API](/docs/reference/cloud-rest-api/cloud-rest-api/) for custom integrations. [Webhooks](/docs/deployments/webhooks/) enable event-driven workflows for deployments, policy violations, and other events. Pulumi Cloud undergoes annual SOC 2 Type II audits and implements compliance best practices. + +## Next steps + +Pulumi Cloud is the easiest way to adopt Pulumi's open source IaC tool at scale, securely, reliably, and collaboratively. + +That said, DIY backends are fully supported, and this article aims to help you make an informed decision about which option best suits your use case. The [state and backends topic](/docs/iac/concepts/state-and-backends/) describes in-depth how Pulumi IaC uses Pulumi Cloud and DIY backends and other architectural considerations. + +A complete list of Pulumi Cloud's features and capabilities is available [on the pricing page](/pricing#compare). For more details about adopting Pulumi Cloud in your team, [see the onboarding guide](/docs/deployments/get-started/onboarding-guide). This guide also includes best practices to help you completely adopt the full platform. + +To get started today, [sign up for a free Pulumi Cloud account](https://app.pulumi.com/signup). Pulumi Cloud is free for individuals and small teams, and has advanced capabilities for larger teams and enterprises. 
diff --git a/content/docs/iac/concepts/state-and-backends.md b/content/docs/iac/concepts/state-and-backends.md index 91d9153ccf3b..063a558c98ba 100644 --- a/content/docs/iac/concepts/state-and-backends.md +++ b/content/docs/iac/concepts/state-and-backends.md @@ -30,6 +30,10 @@ The default experience is to use the hosted Pulumi Cloud, which takes care of th > Pulumi state does not include your cloud credentials. Credentials are kept local to your client — wherever the CLI runs — even when using the managed Pulumi Cloud backend. Pulumi _does_ store configuration and secrets, but encrypts those secrets using your chosen encryption provider. To learn more, see [Configuration and Secrets](/docs/concepts/secrets/). +{{% notes "info" %}} +This page covers the technical details of state management and backend configuration. To understand the benefits and features of Pulumi Cloud versus DIY backends, see [Pulumi Cloud and Open Source Pulumi](/docs/iac/concepts/pulumi-cloud/). +{{% /notes %}} + ## Deciding On a State Backend Pulumi supports two classes of state backends for storing your infrastructure state: diff --git a/layouts/shortcodes/cli-note.html b/layouts/shortcodes/cli-note.html index 0663d85e655e..5a2fcc7386ba 100644 --- a/layouts/shortcodes/cli-note.html +++ b/layouts/shortcodes/cli-note.html @@ -6,7 +6,7 @@
If this is your first time running Pulumi, you will be prompted to log into Pulumi Cloud. This is a free but optional service that makes IaC easy by safely and securely managing state for you. - This guide explains what Pulumi + This guide explains what Pulumi Cloud is and this topic describes alternative Pulumi backend options.
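Review bot: The callout added to `content/docs/iac/concepts/state-and-backends.md` uses the positional shortcode form `{{% notes "info" %}}`, which PATCH 2/5 replaces with `{{% notes type="info" %}}` in `pulumi-cloud.md` without touching this file. Switch this callout to the named-parameter form as well so both pages use the same syntax.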
From 03486a76269f0527647b9759f22b10f4e6c68f71 Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Mon, 10 Nov 2025 18:55:34 +0000 Subject: [PATCH 2/5] Fix shortcode syntax and add trailing newline in pulumi-cloud.md - Update notes shortcode from positional to named parameter syntax - Add missing trailing newline at end of file - Add trailing slash to onboarding guide link for consistency Co-authored-by: Cam Soper --- content/docs/iac/concepts/pulumi-cloud.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/docs/iac/concepts/pulumi-cloud.md b/content/docs/iac/concepts/pulumi-cloud.md index 48c6b7257834..6f1452f89a1b 100644 --- a/content/docs/iac/concepts/pulumi-cloud.md +++ b/content/docs/iac/concepts/pulumi-cloud.md @@ -24,11 +24,11 @@ Pulumi Cloud is a managed service that helps teams adopt collaborative, secure, Pulumi IaC can also be used with a self-managed backend if you prefer, which comes with some tradeoffs outlined below. -{{% notes "info" %}} +{{% notes type="info" %}} An analogy to other software you may be familiar with is that, just like Git is fully open source and you can host, secure, and manage repositories yourself, so too can you with hosting your Pulumi infrastructure as code projects and stacks. However, especially in a team setting, using Git in conjunction with GitHub provides built-in security, reliability, and collaboration features like Pull Requests. A similar dynamic exists with Pulumi and Pulumi Cloud. {{% /notes %}} -{{% notes "info" %}} +{{% notes type="info" %}} For technical details on how Pulumi manages state and how to configure different backends, see [State and Backends](/docs/iac/concepts/state-and-backends/). {{% /notes %}} 
@@ -70,6 +70,7 @@ Pulumi Cloud is the easiest way to adopt Pulumi's open source IaC tool at scale, That said, DIY backends are fully supported, and this article aims to help you make an informed decision about which option best suits your use case. The [state and backends topic](/docs/iac/concepts/state-and-backends/) describes in-depth how Pulumi IaC uses Pulumi Cloud and DIY backends and other architectural considerations. -A complete list of Pulumi Cloud's features and capabilities is available [on the pricing page](/pricing#compare). For more details about adopting Pulumi Cloud in your team, [see the onboarding guide](/docs/deployments/get-started/onboarding-guide). This guide also includes best practices to help you completely adopt the full platform. +A complete list of Pulumi Cloud's features and capabilities is available [on the pricing page](/pricing#compare). For more details about adopting Pulumi Cloud in your team, [see the onboarding guide](/docs/deployments/get-started/onboarding-guide/). This guide also includes best practices to help you completely adopt the full platform. To get started today, [sign up for a free Pulumi Cloud account](https://app.pulumi.com/signup). Pulumi Cloud is free for individuals and small teams, and has advanced capabilities for larger teams and enterprises. + From 13d527e9dee9a8e9a2cb1b9b978ad56c8987489b Mon Sep 17 00:00:00 2001 From: Cam Date: Mon, 10 Nov 2025 19:04:11 +0000 Subject: [PATCH 3/5] Remove redundant line from Pulumi Cloud documentation --- content/docs/iac/concepts/pulumi-cloud.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/docs/iac/concepts/pulumi-cloud.md b/content/docs/iac/concepts/pulumi-cloud.md index 6f1452f89a1b..3c0ffe39080a 100644 --- a/content/docs/iac/concepts/pulumi-cloud.md +++ b/content/docs/iac/concepts/pulumi-cloud.md 
@@ -73,4 +73,3 @@ That said, DIY backends are fully supported, and this article aims to help you m A complete list of Pulumi Cloud's features and capabilities is available [on the pricing page](/pricing#compare). For more details about adopting Pulumi Cloud in your team, [see the onboarding guide](/docs/deployments/get-started/onboarding-guide/). This guide also includes best practices to help you completely adopt the full platform. To get started today, [sign up for a free Pulumi Cloud account](https://app.pulumi.com/signup). Pulumi Cloud is free for individuals and small teams, and has advanced capabilities for larger teams and enterprises. - From 9f9b619cde4b6076d616558b58d4273cc5bf9996 Mon Sep 17 00:00:00 2001 From: Cam Date: Mon, 10 Nov 2025 19:56:59 +0000 Subject: [PATCH 4/5] Update terminology from "Pulumi CrossGuard" to "Pulumi Policies" in governance section --- content/docs/iac/concepts/pulumi-cloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/iac/concepts/pulumi-cloud.md b/content/docs/iac/concepts/pulumi-cloud.md index 3c0ffe39080a..642cecaa3663 100644 --- a/content/docs/iac/concepts/pulumi-cloud.md +++ b/content/docs/iac/concepts/pulumi-cloud.md 
@@ -58,7 +58,7 @@ State files are encrypted at rest and in transit. Pulumi's [secrets model](/docs ### Governance and extensibility -Pulumi Cloud enables organization-wide policies using [Pulumi CrossGuard](/crossguard/) for security, compliance, and cost enforcement. Policies can block violations at deployment time or find and remediate existing violations through Pulumi Insights, with support for auto-remediation. +Pulumi Cloud enables organization-wide policies using [Pulumi Policies](/docs/insights/policy/) for security, compliance, and cost enforcement. Policies can block violations at deployment time or find and remediate existing violations using [Pulumi Insights Discovery](/docs/insights/discovery/) with support for auto-remediation. [Private templates](/docs/idp/developer-portals/templates/) and [an Internal Developer Platform experience](/docs/idp/developer-portals/new-project-wizard/) allow you to define approved infrastructure patterns for your organization. [Drift detection](/docs/deployments/deployments/drift/) identifies manual changes made outside of infrastructure as code, with automatic remediation capabilities. From 05e927db2695ed77f41526dea318f656dce6e4de Mon Sep 17 00:00:00 2001 From: Cam Date: Mon, 10 Nov 2025 23:08:36 +0000 Subject: [PATCH 5/5] Revise Pulumi Cloud documentation for clarity and structure, enhancing explanations of features and benefits --- content/docs/iac/concepts/pulumi-cloud.md | 94 ++++++++++++++++------- 1 file changed, 67 insertions(+), 27 deletions(-) diff --git a/content/docs/iac/concepts/pulumi-cloud.md b/content/docs/iac/concepts/pulumi-cloud.md index 642cecaa3663..71d510034dfc 100644 --- a/content/docs/iac/concepts/pulumi-cloud.md +++ b/content/docs/iac/concepts/pulumi-cloud.md 
@@ -16,60 +16,100 @@ aliases: - /docs/pulumi-cloud/get-started/what-is-it/ --- -Pulumi infrastructure as code is open source. Pulumi Cloud is a managed service that provides state management, team collaboration, and cloud governance features. This page explains how they relate and helps you understand what Pulumi Cloud offers beyond the open source tool. +This guide explains how Pulumi Cloud relates to the open source Pulumi infrastructure as code tool. It clarifies which components are open source versus paid products, helps you decide how to manage your state, and evaluates whether Pulumi Cloud fits your needs. ## Introduction -Pulumi Cloud is a managed service that helps teams adopt collaborative, secure, and robust cloud engineering practices. This includes infrastructure as code, secrets management, and continuous enforcement of cloud policies. Pulumi's [open source](https://github.com/pulumi) infrastructure as code tool is how many community members initially learn about Pulumi. The two are related in that Pulumi IaC uses Pulumi Cloud by default to make adopting IaC in your team easier, secure, and reliable automatically. +Pulumi Cloud is a managed service that helps teams adopt collaborative, secure, and robust cloud engineering practices. This includes infrastructure as code, secrets management, and continuous enforcement of cloud policies. Pulumi's flagship infrastructure as code tool is [open source](https://github.com/pulumi) and is how many community members initially learn about Pulumi. The two are related in that Pulumi IaC uses Pulumi Cloud by default to provide secure and reliable team collaboration out-of-the-box. -Pulumi IaC can also be used with a self-managed backend if you prefer, which comes with some tradeoffs outlined below. +Pulumi IaC can be used with a "DIY" backend if you prefer, which comes with some tradeoffs outlined below. From an adoption perspective, Pulumi Cloud is the most popular way to use Pulumi, especially within a team. 
-{{% notes type="info" %}} -An analogy to other software you may be familiar with is that, just like Git is fully open source and you can host, secure, and manage repositories yourself, so too can you with hosting your Pulumi infrastructure as code projects and stacks. However, especially in a team setting, using Git in conjunction with GitHub provides built-in security, reliability, and collaboration features like Pull Requests. A similar dynamic exists with Pulumi and Pulumi Cloud. -{{% /notes %}} - -{{% notes type="info" %}} -For technical details on how Pulumi manages state and how to configure different backends, see [State and Backends](/docs/iac/concepts/state-and-backends/). +{{% notes "info" %}} +Just as Git is fully open source and you can host, secure, and manage repositories yourself, you can also host your Pulumi infrastructure as code projects and stacks. However, most teams use Git with GitHub for its security, reliability, collaboration features, and capabilities like pull requests. A similar dynamic exists with Pulumi and Pulumi Cloud. {{% /notes %}} Pulumi Cloud is a platform of three products: [Pulumi IaC](/product/infrastructure-as-code), the companion to Pulumi open source IaC; [Pulumi ESC](/product/secrets-management), a secrets and configuration solution; and [Pulumi Insights](/product/pulumi-insights), an intelligent cloud inventory, compliance, and management product. Pulumi Cloud is offered as a service (SaaS) as well as a self-hosted edition that you can run anywhere. It features a client/server architecture to increase your confidence in using the SaaS. 
-## Key capabilities +## Five key areas + +There are five key areas where Pulumi Cloud adds value beyond what is available in the Pulumi IaC open source software: + +* **Instant Collaboration**: provides a common place where developers, security experts, and infrastructure practitioners meet to automate, secure, and manage cloud infrastructure +* **Automatic Security**: ensures security best practices are built-in from the outset +* **Robustness, Performance, and Scalability**: automatically ensures reliability and scalability as your cloud needs grow, minimizing outages and the need to rearchitect your system over time +* **Governance and Extensibility**: guarantees that teammates are following your established practices early and always, with full visibility +* **Cost Effectiveness**: the lowest total cost to maximize return on your cloud investments + +Let's examine each of these areas in more detail. + +### 1. Instant collaboration + +Pulumi Cloud provides visibility into all of your [projects, stacks, and resources](/docs/deployments/projects-and-stacks/) with search and exploration capabilities. A complete history is always available, of who has changed what, when, and how, with full resource change diffs, and links to both the source changes that triggered a deployment, as well as forward links to the resources in your cloud consoles. + +All actions taken by teammates on Pulumi Cloud are logged for [full auditability](/docs/administration/security-compliance/audit-logs/). Full deployment logs are also captured to facilitate debugging failures. This is particularly useful for automated deployments, as is common with the [Pulumi Automation API](/automation) and [Pulumi Kubernetes Operator](/docs/iac/using-pulumi/continuous-delivery/pulumi-kubernetes-operator/). All deployment history for all time is maintained and organized. + +[SAML/SSO](/docs/administration/access-identity/saml/) automates onboarding, offboarding, and role assignment for new teammates. 
From there, you can see the identity of teammates who are making infrastructure changes, and delegate responsibilities to them. + +Pulumi Cloud integrates with [over a dozen CI/CD systems](/docs/iac/using-pulumi/continuous-delivery/), such as GitHub Actions, GitLab Pipelines, Jenkins, etc., and has [a built-in deployment service](/docs/deployments/deployments/) for Git-based deployments. The result is that configuring delivery pipelines with Pulumi Cloud is flexible so that if you want to collaborate with teammates using standard Git-driven code flows, like pull requests, code reviews, and branch-driven deployments, you can do so. The Pulumi GitHub App will put previews of your deployments right into the pull request comments, making reviews seamless. + +Pulumi's projects and stacks model facilitates collaboration especially thanks to the IaC tool's configuration model, but Pulumi Cloud goes beyond this by offering Pulumi ESC, a way to group configuration and secrets that frequently change together into composable and versioned environments. This enables Don't Repeat Yourself (DRY) practices that help to secure access to cloud accounts, share sensitive information, and deliberately roll out changes across multiple related projects and stacks. + +Pulumi Cloud also offers short-lived stacks in the form of [Review Stacks](/docs/deployments/deployments/review-stacks/) -- ephemeral environments stood up just for the duration of a Pull Request, making verification of changes much more robust and seamless -- as well as [Time-to-Live (TTL) Stacks](/docs/deployments/deployments/ttl/), which ensure that temporary stacks get automatically cleaned up, enabling more productive engineering workflows without the risk of cloud waste. + +[Pulumi Neo](/docs/ai/), an AI agent built into Pulumi Cloud, collaborates with you to solve a variety of challenges you might encounter. 
That includes assisting you in debugging cloud deployment failures, helping you to write infrastructure as code, automating infrastructure tasks, and even asking more general questions like "What versions of Kubernetes am I running?", "What is my most expensive, least used resources?", "Who is my most productive teammate?", and more. Pulumi's AI capabilities are even integrated with the Pulumi CLI as well as the Pulumi VSCode Extension so that you can get AI assistance with your local developer experience. + +### 2. Automatic security + +Pulumi Cloud has [a rich identity model](/docs/pulumi-cloud/access-management/) that integrates with your security identity provider of choice, whether that is Azure Active Directory, Google Workspace, Okta, or any SAML/SSO provider, to regulate all access to your cloud assets. + +If you manage your IaC state with a DIY approach, you will need to come up with a scheme that works for your organization. While you can use AWS IAM for the S3 bucket that stores your state, large-scale teams rarely want to grant full access to all engineers. In fact, this may be the difference between passing and failing a compliance audit. + +Pulumi Cloud has [a rich RBAC model](/docs/administration/organizations-teams/teams/) that integrates with its projects and stacks; most teams on DIY backends eventually realize they need to build and maintain such a system themselves. Additionally, Pulumi Cloud enables you to [generate short- and long-lived tokens](/docs/administration/access-identity/access-tokens/), optionally with fine-grained permissions, for automation scenarios. This includes auditing and revocation capabilities for those tokens. + +Pulumi IaC has [a secrets model](/docs/iac/concepts/secrets/) built in which helps to ensure that sensitive information never ends up in a state file in plaintext. 
This model is limited with DIY backends because you need to leverage less-secure passphrases, or resort to manually managing encryption keys and devising a scheme for creating and managing new ones. If you use Pulumi Cloud, a secure approach is used by default to ensure each organization and stack is encrypted securely. All communications between client and server are also encrypted for an extra layer of security. + +To see an example of what can happen in the real world when improperly managing DIY state, see this [Sysdig blog post](https://sysdig.com/blog/cloud-breach-terraform-data-theft/): it describes how an attacker was able to find a statefile (for Terraform but the same would apply for Pulumi) which contained a secret AWS key that they could use to escalation privileges and take over the entire AWS account. If using Pulumi Cloud, this is stopped by construction for multiple reasons: 1) secrets are encrypted, 2) state files themselves are stored encrypted at rest, and 3) most importantly, state files are not stored in easily accessible locations in S3. + +### 3. Robustness, performance, and scalability + +Pulumi is most robust, performant, and reliable when leveraging Pulumi Cloud as its backend. This is because with a DIY backend like AWS S3, the protocol is limited to blob storage and there is a fundamental limit to how effective this protocol can become. The Pulumi Cloud interface, on the other hand, is a rich REST API that is more transactional in nature. This not only means more robust deployments and failure recovery, but also that fewer bytes need to be sent across the wire compared to the way Pulumi checkpoints its state for DIY backends, improving performance, and ultimately leading to a better experience overall. + +Due to the fragile nature of the blob store protocol, teams often need to manually edit DIY-managed state files, because the blob store protocol cannot recover from failures as seamlessly as Pulumi Cloud’s transactional protocol. 
This means teams on DIY state backends often have to build supporting solutions to backup and recover state. -Pulumi Cloud provides several capabilities beyond what is available in the open source Pulumi IaC tool: +Managing state files by hand in a DIY backend can also cause outages if not handled properly. For example, [Spotify described at KubeCon](https://www.youtube.com/watch?v=ix0Tw8uinWs) how they accidentally deleted nearly all of their production Kubernetes clusters due to a merge mistake when managing the equivalent of Pulumi DIY state files in Terraform. Pulumi Cloud avoids this issue entirely by construction because the Pulumi Cloud service carefully handles concurrency, serialization, and safety. -### State management and collaboration +Pulumi Cloud itself features [a secure, scalable, fault-tolerant, highly-available global architecture](https://www.pulumi.com/security/pulumi-cloud-security-whitepaper.pdf). This results in a level of robustness and scalability that is difficult to replicate when building a custom DIY backend. Numerous organizations use Pulumi Cloud with thousands of end users, hundreds of thousands of stacks, and millions of updates. BMW's scalable and resilient cloud development platform, for example, [was built using Pulumi](/case-studies/bmw/) and supports over 11,000 developers. -Pulumi Cloud provides centralized state management with automatic locking and transactional checkpointing for fault tolerance. [Projects, stacks, and resources](/docs/deployments/projects-and-stacks/) are organized and searchable, with complete deployment history including resource diffs and links to source changes and cloud resources. +### 4. Governance and extensibility -[Audit logs](/docs/administration/security-compliance/audit-logs/) capture all actions taken by team members. 
Deployment logs are maintained for debugging, particularly useful for automated deployments via the [Pulumi Automation API](/automation) and [Pulumi Kubernetes Operator](/docs/iac/using-pulumi/continuous-delivery/pulumi-kubernetes-operator/). +Pulumi Cloud makes it easier to ensure your team uses the cloud as intended, thanks to policies and enforcement mechanisms not present in DIY backends. -Team management integrates with [SAML/SSO providers](/docs/administration/access-identity/saml/) for automated onboarding, offboarding, and role assignment. Pulumi Cloud integrates with [over a dozen CI/CD systems](/docs/iac/using-pulumi/continuous-delivery/) including GitHub Actions, GitLab Pipelines, and Jenkins, plus [a built-in deployment service](/docs/deployments/deployments/) for Git-based workflows. The Pulumi GitHub App provides deployment previews directly in pull request comments. +Pulumi Cloud offers organization-wide policies thanks to Pulumi's policy as code engine, [Pulumi Policies](/docs/insights/policy/), allowing you to enforce policies for security, compliance, cost, team practices, and more. This works over your IaC resources -- to block violations from ever getting deployed -- as well as it does to find and fix existing violations in your cloud accounts, no matter how they were provisioned thanks to Pulumi Insights. You can even auto-remediate violations, such as automatically tagging all AWS resources with certain configurable metadata. -[Pulumi ESC](/product/secrets-management/) allows you to group configuration and secrets into composable, versioned environments for sharing across projects and stacks. [Review Stacks](/docs/deployments/deployments/review-stacks/) provide ephemeral environments for pull request validation, while [TTL Stacks](/docs/deployments/deployments/ttl/) automatically clean up temporary infrastructure. 
+Pulumi Cloud lets you set up [private templates](/docs/idp/developer-portals/templates/) for your organization which allows end users to spin up infrastructure following patterns you have designated for your team, within an [interactive Internal Developer Platform (IDP) experience](/docs/idp/developer-portals/new-project-wizard/). This, in combination with [Pulumi components](/docs/iac/concepts/resources/components/), can help ensure you are adopting best practices at scale. Many infrastructure teams review their templates and components with their security counterparts to agree on safe patterns they'll use throughout the organization. -[Pulumi Neo](/docs/ai/), an AI agent integrated with Pulumi Cloud, assists with debugging failures, writing infrastructure code, and answering questions about your infrastructure. +Pulumi Cloud's [drift detection capabilities](/docs/deployments/deployments/drift/) can uncover situations where a manual edit to a cloud resource was made outside of your infrastructure as code specifications, with automatic remediation. Left unchecked, these drift issues can cause surprises, outages, and security incidents. -### Security and access control +Although Pulumi Cloud has numerous workflows out-of-the-box, many teams need custom workflows or integrations, whether for governance or otherwise. For this, all of Pulumi Cloud exposes a [fully documented, programmable REST API](/docs/reference/cloud-rest-api/cloud-rest-api/) that teams can use to extend the system. Additionally, [webhooks can be configured](/docs/deployments/webhooks/) for many event types to trigger custom event-driven workflows such as Slack integrations and more in response to deployments, resource updates, policy violations, and more. -Pulumi Cloud provides [identity and access management](/docs/pulumi-cloud/access-management/) that integrates with Azure Active Directory, Google Workspace, Okta, and other SAML/SSO providers. 
[Role-based access control (RBAC)](/docs/administration/organizations-teams/teams/) integrates with projects and stacks, and you can [generate access tokens](/docs/administration/access-identity/access-tokens/) with fine-grained permissions for automation. +Pulumi Cloud is an AWS Advanced Partner, implements many compliance specifications and best practices, and undergoes annual SOC 2 Type II audits. For custom DIY backends, you would need to consider these yourself, whereas with Pulumi Cloud, you get this out of the box. -State files are encrypted at rest and in transit. Pulumi's [secrets model](/docs/iac/concepts/secrets/) ensures sensitive information is encrypted in state files. With Pulumi Cloud, each organization and stack is encrypted securely by default, with managed encryption keys. +### 5. Cost effectiveness -### Governance and extensibility +Using Pulumi Cloud, you automatically gain all of the above benefits. This means more time to focus on solving your business challenges, versus undifferentiated DIY heavy lifting. -Pulumi Cloud enables organization-wide policies using [Pulumi Policies](/docs/insights/policy/) for security, compliance, and cost enforcement. Policies can block violations at deployment time or find and remediate existing violations using [Pulumi Insights Discovery](/docs/insights/discovery/) with support for auto-remediation. +We have found that teams who use DIY backends require at least one full time engineer for every 10 end users in their team just to manage the DIY backend and build systems, and to ensure it is secure and scalable. They also have to maintain costly onboarding and training programs for using their custom DIY backend. Certain Pulumi capabilities can be exceedingly costly to replicate, like search, AI capabilities, fault tolerance, and the various identity integrations like RBAC. 
And even with all of that, DIY capabilities typically fall far short of what Pulumi Cloud delivers out of the box (for instance, lacking the full history of who changed what and when). -[Private templates](/docs/idp/developer-portals/templates/) and [an Internal Developer Platform experience](/docs/idp/developer-portals/new-project-wizard/) allow you to define approved infrastructure patterns for your organization. [Drift detection](/docs/deployments/deployments/drift/) identifies manual changes made outside of infrastructure as code, with automatic remediation capabilities. +To learn more about the hidden costs of going it on your own with a DIY backend, read [this blog post](/blog/hidden-costs-of-infrastructure-management/). To learn more from a team of cloud wizards that ultimately decided to retire their DIY backend in favor of Pulumi Cloud, read [the Starburst case study](/case-studies/starburst/). -All Pulumi Cloud functionality is accessible through [a REST API](/docs/reference/cloud-rest-api/cloud-rest-api/) for custom integrations. [Webhooks](/docs/deployments/webhooks/) enable event-driven workflows for deployments, policy violations, and other events. Pulumi Cloud undergoes annual SOC 2 Type II audits and implements compliance best practices. +Pulumi Cloud provides reliable infrastructure management that you can adopt quickly with minimal setup and scale into the future. -## Next steps +## Next steps: Try it out for free -Pulumi Cloud is the easiest way to adopt Pulumi's open source IaC tool at scale, securely, reliably, and collaboratively. +Pulumi Cloud provides a managed approach to adopt Pulumi's open source IaC tool at scale, securely, reliably, and collaboratively. That said, DIY backends are fully supported, and this article aims to help you make an informed decision about which option best suits your use case. 
The [state and backends topic](/docs/iac/concepts/state-and-backends/) describes in-depth how Pulumi IaC uses Pulumi Cloud and DIY backends and other architectural considerations. -A complete list of Pulumi Cloud's features and capabilities is available [on the pricing page](/pricing#compare). For more details about adopting Pulumi Cloud in your team, [see the onboarding guide](/docs/deployments/get-started/onboarding-guide/). This guide also includes best practices to help you completely adopt the full platform. +A complete list of Pulumi Cloud's features and capabilities is available [on the pricing page](/pricing#compare). For more details about adopting Pulumi Cloud in your team, [see the onboarding guide](/docs/deployments/get-started/onboarding-guide). This guide also includes best practices to help you completely adopt the full platform. To get started today, [sign up for a free Pulumi Cloud account](https://app.pulumi.com/signup). Pulumi Cloud is free for individuals and small teams, and has advanced capabilities for larger teams and enterprises.
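Review bot: The rewritten callout and the "Next steps" onboarding link in PATCH 5/5 regress both fixes from PATCH 2/5. The shortcode is back to the positional `{{% notes "info" %}}` and the link is back to `/docs/deployments/get-started/onboarding-guide` without the trailing slash. Keep `{{% notes type="info" %}}` and the trailing slash.

The hunk also removes the callout that pointed readers to State and Backends for technical details. The "Next steps" paragraph still carries that link, so confirm the removal is intended.

In "2. Automatic security", "use to escalation privileges" should read "use to escalate privileges". The claim that the breach scenario "is stopped by construction" is also stronger than the same section's earlier wording that the secrets model "helps to ensure that sensitive information never ends up in a state file in plaintext". Consider presenting the three listed reasons as mitigations instead.

In "5. Cost effectiveness", the figure of "at least one full time engineer for every 10 end users" has no source. Link the supporting data or soften the statement.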