cloudformation-to-pulumi

작성자: pulumi

AWS CloudFormation 스택이나 템플릿을 Pulumi 프로그램으로 변환, 마이그레이션 또는 가져옵니다. 사용자가 CloudFormation에서 이동하려고 할 때 이 스킬을 로드하세요.

npx skills add https://github.com/pulumi/agent-skills --skill cloudformation-to-pulumi

IMPORTANT: PLAN ADJUSTMENT REQUIRED

If you have already generated a migration plan before loading this skill, you MUST:

  1. Review your existing plan against the workflows and requirements in this skill
  2. Identify any gaps, missing steps, or incorrect assumptions
  3. Update and revise your plan to align with this skill's guidance
  4. Communicate the adjusted plan to the user before proceeding

CRITICAL SUCCESS REQUIREMENTS

The migration output MUST meet all of the following:

  1. Complete Resource Coverage

    • Every CloudFormation resource MUST be represented in the Pulumi program OR explicitly justified in the final report.
  2. CloudFormation Logical ID as Resource Name

    • CRITICAL: Every Pulumi resource MUST use the CloudFormation Logical ID as its resource name.
    • This enables the cdk-importer tool to automatically find import IDs.
    • DO NOT rename resources. Automated import will FAIL if you change the logical IDs.
  3. Successful Deployment

    • The produced Pulumi program must be structurally valid and capable of a successful pulumi preview (assuming proper config).
  4. Zero-Diff Import Validation (if importing existing resources)

    • After import, pulumi preview must show NO updates, replaces, creates, or deletes.
  5. Final Migration Report

    • Always output a formal migration report suitable for a Pull Request.

WHEN INFORMATION IS MISSING

If the user has not provided a CloudFormation template, you MUST fetch it from AWS using the stack name.

MIGRATION WORKFLOW

Follow this workflow exactly and in this order:

1. INFORMATION GATHERING

1.1 Verify AWS Credentials (ESC)

Running AWS commands requires credentials loaded via Pulumi ESC.

  • If the user has already provided an ESC environment, use it.
  • If no ESC environment is specified, ask the user which ESC environment to use before proceeding.

For detailed ESC information: Use skill pulumi-esc.

You MUST confirm the AWS region with the user.

1.2 Get the CloudFormation Template

If user provided a template file: Read the template directly.

If user only provided a stack name: Fetch the template from AWS:

aws cloudformation get-template \
  --region <region> \
  --stack-name <stack-name> \
  --query 'TemplateBody' \
  --output json > template.json

1.3 Build Resource Inventory

List all resources in the stack:

aws cloudformation list-stack-resources \
  --region <region> \
  --stack-name <stack-name> \
  --output json

This provides:

  • LogicalResourceId - Use this as the Pulumi resource name
  • PhysicalResourceId - The actual AWS resource ID
  • ResourceType - The CloudFormation resource type

1.4 Analyze Template Structure

Extract from the template:

  • Parameters and their defaults
  • Mappings
  • Conditions
  • Outputs
  • Resource dependencies (Ref, GetAtt, DependsOn)

2. CODE CONVERSION (CloudFormation → Pulumi)

IMPORTANT: There is NO automated conversion tool for CloudFormation. You MUST convert each resource manually.

2.1 Resource Name Convention (CRITICAL)

Every Pulumi resource MUST use the CloudFormation Logical ID as its name.

// CloudFormation:
// "MyAppBucketABC123": { "Type": "AWS::S3::Bucket", ... }

// Pulumi - CORRECT:
const myAppBucket = new aws.s3.Bucket("MyAppBucketABC123", { ... });

// Pulumi - WRONG (DO NOT do this - import will fail):
const myAppBucket = new aws.s3.Bucket("my-app-bucket", { ... });

This naming convention is REQUIRED because the cdk-importer tool matches resources by name.

2.2 Provider Strategy

⚠️ CRITICAL: ALWAYS USE aws-native BY DEFAULT ⚠️

  • Use aws-native for all resources unless there's a specific reason to use aws.
  • CloudFormation types map directly to aws-native (e.g., AWS::S3::Bucketaws-native.s3.Bucket).
  • Only use aws (classic) when aws-native doesn't support a required feature.

This is MANDATORY for successful imports with cdk-importer. The cdk-importer works by matching CloudFormation resources to Pulumi resources, and CloudFormation maps 1:1 to aws-native. Using the classic aws provider will cause import failures.

2.3 CloudFormation Intrinsic Functions

Map CloudFormation intrinsic functions to Pulumi equivalents:

CloudFormationPulumi Equivalent
!Ref (resource)Resource output (e.g., bucket.id)
!Ref (parameter)Pulumi config
!GetAtt Resource.AttrResource property output
!Sub "..."pulumi.interpolate
!Join [delim, [...]]pulumi.interpolate or .apply()
!If [cond, true, false]Ternary operator
!Equals [a, b]=== comparison
!Select [idx, list]Array indexing with .apply()
!Split [delim, str].apply(v => v.split(...))
Fn::ImportValueStack references or config
Example: !Sub
// CloudFormation: !Sub "arn:aws:s3:::${MyBucket}/*"
// Pulumi:
const bucketArn = pulumi.interpolate`arn:aws:s3:::${myBucket.bucket}/*`;
Example: !GetAtt
// CloudFormation: !GetAtt MyFunction.Arn
// Pulumi:
const functionArn = myFunction.arn;

2.4 CloudFormation Conditions

Convert CloudFormation conditions to TypeScript logic:

// CloudFormation:
// "Conditions": {
//   "CreateProdResources": { "Fn::Equals": [{ "Ref": "Environment" }, "prod"] }
// }

// Pulumi:
const config = new pulumi.Config();
const environment = config.require("environment");
const createProdResources = environment === "prod";

if (createProdResources) {
  // Create production-only resources
}

2.5 CloudFormation Parameters

Convert parameters to Pulumi config:

// CloudFormation:
// "Parameters": {
//   "InstanceType": { "Type": "String", "Default": "t3.micro" }
// }

// Pulumi:
const config = new pulumi.Config();
const instanceType = config.get("instanceType") || "t3.micro";

2.6 CloudFormation Mappings

Convert mappings to TypeScript objects:

// CloudFormation:
// "Mappings": {
//   "RegionMap": {
//     "us-east-1": { "AMI": "ami-12345" },
//     "us-west-2": { "AMI": "ami-67890" }
//   }
// }

// Pulumi:
const regionMap: Record<string, { ami: string }> = {
  "us-east-1": { ami: "ami-12345" },
  "us-west-2": { ami: "ami-67890" },
};
const ami = regionMap[aws.config.region!].ami;

2.7 Custom Resources

CloudFormation Custom Resources (AWS::CloudFormation::CustomResource or Custom::*) require special handling:

  1. Identify the purpose: Read the Lambda function code to understand what it does
  2. Find native replacement: Check if Pulumi has a native resource that provides the same functionality
  3. If no replacement: Document in the migration report that manual implementation is needed

2.8 TypeScript Output Handling

aws-native outputs often include undefined. Avoid ! non-null assertions. Always safely unwrap with .apply():

// WRONG
functionName: lambdaFunction.functionName!,

// CORRECT
functionName: lambdaFunction.functionName.apply(name => name || ""),

3. RESOURCE IMPORT

After conversion, import existing resources to be managed by Pulumi.

3.0 Pre-Import Validation (REQUIRED)

Before proceeding with import, verify your code:

  1. Check Provider Usage: Scan your code to ensure all resources use aws-native
  2. Document Exceptions: Any use of aws (classic) provider must be justified
  3. Verify Resource Names: Confirm all resources use CloudFormation Logical IDs as names

3.1 Automated Import with cdk-importer

Because you used CloudFormation Logical IDs as resource names, you can use the cdk-importer tool to automatically import resources.

Follow cfn-importer.md for detailed import procedures.

3.2 Manual Import for Failed Resources

For resources that fail automatic import:

  1. Follow cloudformation-id-lookup.md to find the import ID format
  2. Use pulumi import:
pulumi import <pulumi-resource-type> <logical-id> <import-id>

3.3 Running Preview After Import

After import, run pulumi preview. There must be:

  • NO updates
  • NO replaces
  • NO creates
  • NO deletes

If there are changes, investigate and update the program until preview is clean.

OUTPUT FORMAT (REQUIRED)

When performing a migration, always produce:

  1. Overview (high-level description)
  2. Migration Plan Summary
  3. Pulumi Code Outputs (TypeScript; organized by file)
  4. Resource Mapping Table:
CloudFormation Logical IDCFN TypePulumi TypeProvider
MyAppBucketABC123AWS::S3::Bucketaws-native.s3.Bucketaws-native
MyLambdaFunction456AWS::Lambda::Functionaws-native.lambda.Functionaws-native
  1. Custom Resources Summary (if any)
  2. Final Migration Report (PR-ready)
  3. Next Steps (import instructions)

FOR DETAILED DOCUMENTATION

Fetch content from official Pulumi documentation:

pulumi의 다른 스킬

package-usage
pulumi
Pulumi 조직 내 여러 스택에서 특정 패키지를 어떤 버전으로 사용하는지 추적합니다. 스택 간 감사, 오래되었거나 유지 관리되지 않는 패키지 식별에 사용됩니다.
official
provider-upgrade
pulumi
공급자 업그레이드는 변경 요청이 아닌 번역입니다.
official
pulumi-arm-to-pulumi
pulumi
ARM 템플릿, Bicep 또는 기존 Azure 리소스를 Pulumi 인프라 코드로 변환합니다. 매개변수, 변수, 루프, 조건문 및 중첩 템플릿을 지원하는 완전한 ARM 템플릿 변환을 Pulumi(TypeScript, Python, Go, C#, Java 또는 YAML)로 처리합니다. azure-native(전체 API 지원) 및 azure(클래식, 단순화) 공급자를 모두 지원하며, 각 리소스에 적합한 공급자를 자동으로 선택합니다. 기존에 배포된 Azure 리소스를 제로-차이 검증과 함께 Pulumi로 가져옵니다...
official
pulumi-automation-api
pulumi
Pulumi 인프라 운영을 여러 스택과 애플리케이션에 걸쳐 프로그래밍 방식으로 조정합니다. 로컬 소스(기존 Pulumi 프로젝트)와 인라인 소스(내장 프로그램) 아키텍처를 모두 지원하여 단순한 시나리오부터 복잡한 다중 스택 시나리오까지 유연한 배포 패턴을 가능하게 합니다. 종속성 순서 지정, 병렬 독립 배포, 조정된 인프라 프로비저닝을 위한 스택 간 출력 전달을 통해 다중 스택 조정을 처리합니다. 프로그래밍 방식의...
official
pulumi-best-practices
pulumi
신뢰할 수 있고 유지보수 가능한 Pulumi 인프라 코드를 작성하기 위한 종합적인 모범 사례. apply() 콜백 내에서 리소스를 생성하지 말고, Output 객체를 입력으로 직접 전달하여 종속성 추적 및 미리보기 가시성을 유지하세요. ComponentResource 클래스를 사용하여 관련 리소스를 재사용 가능한 논리적 단위로 그룹화하고, parent: this를 통해 적절한 부모-자식 계층 구조를 설정하세요. --secret 플래그 또는 config.requireSecret()를 사용하여 처음부터 비밀을 암호화하고, 상태 파일에서 자격 증명 유출을 방지하세요...
official
pulumi-cdk-to-pulumi
pulumi
사용자가 AWS CDK 애플리케이션(CDK 스택, 구조, 또는 포함)을 마이그레이션, 변환, 포팅, 번역 또는 이동하려고 할 때 이 스킬을 로드하세요.
official
pulumi-component
pulumi
재사용 가능한 인프라 구성 요소로, 다중 언어 지원, 합리적인 기본값, 구성 패턴을 제공합니다. 네 가지 핵심 요소가 필요합니다: ComponentResource 확장, 표준 매개변수 수락, 모든 자식에 parent: this 설정, 생성자 끝에서 registerOutputs() 호출. Args 인터페이스는 Input<T> 래퍼를 사용해야 하며, 유니온 타입과 함수를 피하고, 다중 언어 SDK 생성을 지원하기 위해 구조를 평탄하게 유지해야 합니다. 필수 출력만 공용 속성으로 노출하고, 나머지는 숨깁니다.
official
pulumi-esc
pulumi
중앙 집중식 비밀, 구성 및 동적 자격 증명 관리를 제공하여 Pulumi 인프라와 애플리케이션을 지원합니다. 가져오기 및 계층화를 통한 환경 구성을 지원하며, environmentVariables, pulumiConfig 및 files에 대한 예약 키가 있습니다. AWS, Azure, GCP용 OIDC를 통해 단기 자격 증명을 생성하며, AWS Secrets Manager, Azure Key Vault, HashiCorp Vault 및 1Password와 통합됩니다. 핵심 CLI 명령어로는 pulumi env init, pulumi env edit, pulumi env open(공개...)이 있습니다.
official