pulumi-cdk-to-pulumi

작성자: pulumi

사용자가 AWS CDK 애플리케이션(CDK 스택, 구조, 또는 포함)을 마이그레이션, 변환, 포팅, 번역 또는 이동하려고 할 때 이 스킬을 로드하세요.

npx skills add https://github.com/pulumi/agent-skills --skill pulumi-cdk-to-pulumi

CRITICAL SUCCESS REQUIREMENTS

The migration output MUST meet all of the following:

  1. Complete Resource Coverage

    • Every CloudFormation resource synthesized by CDK MUST:
      • Be represented in the Pulumi program OR
      • Be explicitly justified in the final report.
  2. Successful Deployment

    • The produced Pulumi program must be structurally valid and capable of a successful pulumi up (assuming proper config).
  3. Final Migration Report

    • Always output a formal migration report suitable for a Pull Request.
    • Include:
      • CDK → Pulumi resource mapping
      • Provider decisions (aws-native vs aws)
      • Behavioral differences
      • Missing or manually required steps
      • Validation instructions

WHEN INFORMATION IS MISSING

If a user-provided CDK project is incomplete, ambiguous, or missing artifacts (such as cdk.out), ask targeted questions before generating Pulumi code.

MIGRATION WORKFLOW

Follow this workflow exactly and in this order:

1. INFORMATION GATHERING

1.1 Verify AWS Credentials (ESC)

Running AWS commands (e.g., aws cloudformation list-stack-resources) and CDK commands (e.g. cdk synth) requires credentials loaded via Pulumi ESC.

  • If the user has already provided an ESC environment, use it.
  • If no ESC environment is specified, ask the user which ESC environment to use before proceeding with AWS commands.

You MUST confirm the AWS region with the user. The cdk synth results may be incorrect if ran with the wrong AWS Region.

1.2 Synthesize CDK

Run/inspect:

npx cdk synth --quiet
  • ALWAYS run synth with --quiet to prevent the template from being output on stdout.

If failing, inspect cdk.json or package.json for custom synth behavior.

1.3 Identify CDK Stacks & Environments

Read cdk.out/manifest.json:

jq '.artifacts | to_entries | map(select(.value.type == "aws:cloudformation:stack") | {displayName: .key, environment: .value.environment}) | .[]' cdk.out/manifest.json

Example output:

{
  "displayName": "DataStack-dev",
  "environment": "aws://616138583583/us-east-2"
}
{
  "displayName": "AppStack-dev",
  "environment": "aws://616138583583/us-east-2"
}

In the Pulumi stack you create you MUST set both the aws:region and aws-native:region config variables. For example:

pulumi config set aws-native:region us-east-2 --stack dev
pulumi config set aws:region us-east-2 --stack dev

1.4 Build Resource Inventory

For each stack:

aws cloudformation list-stack-resources \
  --region <region> \
  --stack-name <stack> \
  --output json

1.5 Analyze CDK Structure

Extract:

  • Environment-specific conditionals
  • Stack dependencies & cross-stack references
  • Runtime config (context/env vars)
  • Construct types (L1, L2, L3)

2. CODE CONVERSION (CDK → PULUMI)

  • Perform the initial conversion using the cdk2pulumi tool. Follow cdk-convert.md to perform the conversion.
  • Read the conversion report and fill in any gaps. For example, if the conversion fails to convert a resource you have to convert it manually yourself.

2.1 Custom Resources Handling

CDK uses Lambda-backed Custom Resources for functionality not available in CloudFormation. In synthesized CloudFormation, these appear as:

  • Resource type: AWS::CloudFormation::CustomResource or Custom::<name>
  • Metadata contains aws:cdk:path with the handler name (e.g., aws-s3/auto-delete-objects-handler)

Default behavior: cdk2pulumi rewrites custom resources to aws-native:cloudformation:CustomResourceEmulator, which invokes the original Lambda. This works but has tradeoffs (Lambda dependency, cold starts, eventual consistency).

Migration strategies by handler type:

HandlerStrategy
aws-certificatemanager/dns-validated-certificate-handlerReplace with aws.acm.Certificate, aws.route53.Record, and aws.acm.CertificateValidation
aws-ec2/restrict-default-security-group-handlerReplace with aws.ec2.DefaultSecurityGroup resource with empty ingress/egress rules
aws-ecr/auto-delete-images-handlerReplace aws-native:ecr:Repository with aws.ecr.Repository with forceDelete: true
aws-s3/auto-delete-objects-handlerReplace aws-native:s3:Bucket with aws.s3.Bucket with forceDestroy: true
aws-s3/notifications-resource-handlerReplace with aws.s3.BucketNotification
aws-logs/log-retention-handlerReplace with aws.cloudwatch.LogGroup with explicit retentionInDays
aws-iam/oidc-handlerReplace with aws.iam.OpenIdConnectProvider
aws-route53/delete-existing-record-set-handlerReplace with aws.route53.Record with allowOverwrite: true
aws-dynamodb/replica-handlerReplace with aws.dynamodb.TableReplica

Cross-account/region handlers:

  • aws-cloudfront/edge-function → Use aws.lambda.Function with region: "us-east-1"
  • aws-route53/cross-account-zone-delegation-handler → Use separate aws provider with cross-account role assumption

Graceful degradation for unknown handlers:

  1. Keep the CustomResourceEmulator (default behavior)
  2. Document the custom resource in the migration report with:
    • Original handler name and purpose (if discernible from CDK path)
    • Note that it uses Lambda invocation at runtime
    • Recommend user review for potential native replacement

2.2 Provider Strategy

  • Default: Use aws-native whenever the resource type is available.
  • Fallback: Use aws when aws-native does not support equivalent features.

2.3 Assets & Bundling

CDK uses Assets and Bundling to handle deployment artifacts. These are processed by the CDK CLI before CloudFormation deployment and appear in the cdk.out directory alongside *.assets.json metadata files. CloudFormation templates contain hard-coded references to asset locations (S3 bucket/key or ECR repo/tag).

# Inspect asset definitions
jq '.files, .dockerImages' cdk.out/*.assets.json

Migration strategies by asset type:

Asset TypeDetectionPulumi Migration
Docker ImagedockerImages in assets.jsonUse docker-build.Image to build and push. Replace hard-coded ECR URI with image output.
File with build commandfiles with executable fieldFlag to user - build command needs setup in Pulumi
Static filefiles without executable, no bundling in CDK sourceUse pulumi.FileArchive or pulumi.FileAsset
Bundled filefiles without executable, but CDK source uses bundlingFlag to user - bundling needs setup in Pulumi

Detecting Bundling in CDK Source:

Check the CDK source code for bundling constructs (NodejsFunction, PythonFunction, GoFunction, or resources using the bundling option). If bundling is used, the build step needs to be replicated in Pulumi for ongoing development - otherwise source changes would require manually re-running cdk synth.

When bundling is detected, inform the user:

Build Step Detected: This CDK application uses <BUNDLING_TYPE> which builds deployable artifacts during synthesis. This build step needs to be replicated in Pulumi for ongoing development.

Options:

  1. CI/CD Pipeline (Recommended): Move the build step to your CI pipeline and reference the pre-built artifact in Pulumi
  2. Pulumi Command Provider: Use command.local.Command to run the build command during pulumi up
  3. Pre-build Script: Create a build script that runs before pulumi up and outputs to a known location

Each option has tradeoffs around caching, reproducibility, and deployment speed. For production workloads, option 1 is typically preferred.

2.4 TypeScript Handling for aws-native

aws-native outputs often include undefined. Avoid ! non-null assertions. Always safely unwrap with .apply():

// ❌ WRONG - Will cause TypeScript errors
functionName: lambdaFunction.functionName!,

// ✅ CORRECT - Handle undefined safely
functionName: lambdaFunction.functionName.apply(name => name || ""),

2.5 Environment Logic Preservation

Carry forward all conditional behaviors:

if (currentEnv.createVpc) {
  // create resources
} else {
  const vpcId = pulumi.output(currentEnv.vpcId);
}

3. Resource Import (optional)

After conversion you can optionally import the existing resources to now be managed by Pulumi. If the user does not request this you should suggest this as a follow up step to conversion.

  • Always start with automated import using the cdk-importer tool. Follow cdk-importer.md to perform the automated import.
  • For any resources that fail to import with the automated tool, import them manually.

If you need to manually import resources:

3.1 Running preview after import

After performing an import you need to run pulumi preview to ensure there are no changes. No changes means:

  • NO updates
  • NO replaces
  • NO creates
  • NO deletes

If there are changes you must investigate and update the program until there are no changes.

Working with the User

If the user asks for help planning or performing a CDK to Pulumi migration use the information above to guide the user towards the automated migration approach.

For Detailed Documentation

When the user wants to deviate from the recommended path detailed above, use the web-fetch tool to get content from the official Pulumi documentation -> https://www.pulumi.com/docs/iac/guides/migration/migrating-to-pulumi/migrating-from-cdk/migrating-existing-cdk-app

This documentation covers topics:

  • Migration Strategy
    • Convert vs. Rewrite
    • Import vs. Rehydrate
    • Best Practices
  • Handling Multiple CDK Stacks
  • Handling CDK Stages
  • Code organization
  • Converting CDK Constructs
  • Execution Strategies
    • Automated Migration (recommended)
    • Manual Migration

OUTPUT FORMAT (REQUIRED)

When performing a migration, always produce:

  1. Overview (high-level description)
  2. Migration Plan Summary
  3. Pulumi Code Outputs (TypeScript; structured by file)
  4. Resource Mapping Table (CDK → Pulumi)
  5. Custom Resources Summary (if any):
    • Handlers migrated to native Pulumi resources
    • Handlers kept as CustomResourceEmulator with rationale
    • Any handlers requiring user attention
  6. Assets & Bundling Summary (if any):
    • Migrated: Assets successfully converted (e.g., Docker images → docker-build.Image, static files → pulumi.FileArchive)
    • Requires attention: Assets with bundling steps, options presented, and decision if made
  7. Final Migration Report (PR-ready)
  8. Next Steps (optional refactors)

Keep code syntactically valid and clearly separated by files.

pulumi의 다른 스킬

cloudformation-to-pulumi
pulumi
AWS CloudFormation 스택이나 템플릿을 Pulumi 프로그램으로 변환, 마이그레이션 또는 가져옵니다. 사용자가 CloudFormation에서 이동하려고 할 때 이 스킬을 로드하세요.
official
package-usage
pulumi
Pulumi 조직 내 여러 스택에서 특정 패키지를 어떤 버전으로 사용하는지 추적합니다. 스택 간 감사, 오래되었거나 유지 관리되지 않는 패키지 식별에 사용됩니다.
official
provider-upgrade
pulumi
공급자 업그레이드는 변경 요청이 아닌 번역입니다.
official
pulumi-arm-to-pulumi
pulumi
ARM 템플릿, Bicep 또는 기존 Azure 리소스를 Pulumi 인프라 코드로 변환합니다. 매개변수, 변수, 루프, 조건문 및 중첩 템플릿을 지원하는 완전한 ARM 템플릿 변환을 Pulumi(TypeScript, Python, Go, C#, Java 또는 YAML)로 처리합니다. azure-native(전체 API 지원) 및 azure(클래식, 단순화) 공급자를 모두 지원하며, 각 리소스에 적합한 공급자를 자동으로 선택합니다. 기존에 배포된 Azure 리소스를 제로-차이 검증과 함께 Pulumi로 가져옵니다...
official
pulumi-automation-api
pulumi
Pulumi 인프라 운영을 여러 스택과 애플리케이션에 걸쳐 프로그래밍 방식으로 조정합니다. 로컬 소스(기존 Pulumi 프로젝트)와 인라인 소스(내장 프로그램) 아키텍처를 모두 지원하여 단순한 시나리오부터 복잡한 다중 스택 시나리오까지 유연한 배포 패턴을 가능하게 합니다. 종속성 순서 지정, 병렬 독립 배포, 조정된 인프라 프로비저닝을 위한 스택 간 출력 전달을 통해 다중 스택 조정을 처리합니다. 프로그래밍 방식의...
official
pulumi-best-practices
pulumi
신뢰할 수 있고 유지보수 가능한 Pulumi 인프라 코드를 작성하기 위한 종합적인 모범 사례. apply() 콜백 내에서 리소스를 생성하지 말고, Output 객체를 입력으로 직접 전달하여 종속성 추적 및 미리보기 가시성을 유지하세요. ComponentResource 클래스를 사용하여 관련 리소스를 재사용 가능한 논리적 단위로 그룹화하고, parent: this를 통해 적절한 부모-자식 계층 구조를 설정하세요. --secret 플래그 또는 config.requireSecret()를 사용하여 처음부터 비밀을 암호화하고, 상태 파일에서 자격 증명 유출을 방지하세요...
official
pulumi-component
pulumi
재사용 가능한 인프라 구성 요소로, 다중 언어 지원, 합리적인 기본값, 구성 패턴을 제공합니다. 네 가지 핵심 요소가 필요합니다: ComponentResource 확장, 표준 매개변수 수락, 모든 자식에 parent: this 설정, 생성자 끝에서 registerOutputs() 호출. Args 인터페이스는 Input<T> 래퍼를 사용해야 하며, 유니온 타입과 함수를 피하고, 다중 언어 SDK 생성을 지원하기 위해 구조를 평탄하게 유지해야 합니다. 필수 출력만 공용 속성으로 노출하고, 나머지는 숨깁니다.
official
pulumi-esc
pulumi
중앙 집중식 비밀, 구성 및 동적 자격 증명 관리를 제공하여 Pulumi 인프라와 애플리케이션을 지원합니다. 가져오기 및 계층화를 통한 환경 구성을 지원하며, environmentVariables, pulumiConfig 및 files에 대한 예약 키가 있습니다. AWS, Azure, GCP용 OIDC를 통해 단기 자격 증명을 생성하며, AWS Secrets Manager, Azure Key Vault, HashiCorp Vault 및 1Password와 통합됩니다. 핵심 CLI 명령어로는 pulumi env init, pulumi env edit, pulumi env open(공개...)이 있습니다.
official