cloudformation-to-pulumi

作者: pulumi

將 AWS CloudFormation 堆疊或範本轉換、遷移或匯入至 Pulumi 程式。每當使用者想要從 CloudFormation 移轉至…時,載入此技能。

npx skills add https://github.com/pulumi/agent-skills --skill cloudformation-to-pulumi

IMPORTANT: PLAN ADJUSTMENT REQUIRED

If you have already generated a migration plan before loading this skill, you MUST:

  1. Review your existing plan against the workflows and requirements in this skill
  2. Identify any gaps, missing steps, or incorrect assumptions
  3. Update and revise your plan to align with this skill's guidance
  4. Communicate the adjusted plan to the user before proceeding

CRITICAL SUCCESS REQUIREMENTS

The migration output MUST meet all of the following:

  1. Complete Resource Coverage

    • Every CloudFormation resource MUST be represented in the Pulumi program OR explicitly justified in the final report.
  2. CloudFormation Logical ID as Resource Name

    • CRITICAL: Every Pulumi resource MUST use the CloudFormation Logical ID as its resource name.
    • This enables the cdk-importer tool to automatically find import IDs.
    • DO NOT rename resources. Automated import will FAIL if you change the logical IDs.
  3. Successful Deployment

    • The produced Pulumi program must be structurally valid and capable of a successful pulumi preview (assuming proper config).
  4. Zero-Diff Import Validation (if importing existing resources)

    • After import, pulumi preview must show NO updates, replaces, creates, or deletes.
  5. Final Migration Report

    • Always output a formal migration report suitable for a Pull Request.

WHEN INFORMATION IS MISSING

If the user has not provided a CloudFormation template, you MUST fetch it from AWS using the stack name.

MIGRATION WORKFLOW

Follow this workflow exactly and in this order:

1. INFORMATION GATHERING

1.1 Verify AWS Credentials (ESC)

Running AWS commands requires credentials loaded via Pulumi ESC.

  • If the user has already provided an ESC environment, use it.
  • If no ESC environment is specified, ask the user which ESC environment to use before proceeding.

For detailed ESC information: Use skill pulumi-esc.

You MUST confirm the AWS region with the user.

1.2 Get the CloudFormation Template

If user provided a template file: Read the template directly.

If user only provided a stack name: Fetch the template from AWS:

aws cloudformation get-template \
  --region <region> \
  --stack-name <stack-name> \
  --query 'TemplateBody' \
  --output json > template.json

1.3 Build Resource Inventory

List all resources in the stack:

aws cloudformation list-stack-resources \
  --region <region> \
  --stack-name <stack-name> \
  --output json

This provides:

  • LogicalResourceId - Use this as the Pulumi resource name
  • PhysicalResourceId - The actual AWS resource ID
  • ResourceType - The CloudFormation resource type

1.4 Analyze Template Structure

Extract from the template:

  • Parameters and their defaults
  • Mappings
  • Conditions
  • Outputs
  • Resource dependencies (Ref, GetAtt, DependsOn)

2. CODE CONVERSION (CloudFormation → Pulumi)

IMPORTANT: There is NO automated conversion tool for CloudFormation. You MUST convert each resource manually.

2.1 Resource Name Convention (CRITICAL)

Every Pulumi resource MUST use the CloudFormation Logical ID as its name.

// CloudFormation:
// "MyAppBucketABC123": { "Type": "AWS::S3::Bucket", ... }

// Pulumi - CORRECT:
const myAppBucket = new aws.s3.Bucket("MyAppBucketABC123", { ... });

// Pulumi - WRONG (DO NOT do this - import will fail):
const myAppBucket = new aws.s3.Bucket("my-app-bucket", { ... });

This naming convention is REQUIRED because the cdk-importer tool matches resources by name.

2.2 Provider Strategy

⚠️ CRITICAL: ALWAYS USE aws-native BY DEFAULT ⚠️

  • Use aws-native for all resources unless there's a specific reason to use aws.
  • CloudFormation types map directly to aws-native (e.g., AWS::S3::Bucketaws-native.s3.Bucket).
  • Only use aws (classic) when aws-native doesn't support a required feature.

This is MANDATORY for successful imports with cdk-importer. The cdk-importer works by matching CloudFormation resources to Pulumi resources, and CloudFormation maps 1:1 to aws-native. Using the classic aws provider will cause import failures.

2.3 CloudFormation Intrinsic Functions

Map CloudFormation intrinsic functions to Pulumi equivalents:

CloudFormationPulumi Equivalent
!Ref (resource)Resource output (e.g., bucket.id)
!Ref (parameter)Pulumi config
!GetAtt Resource.AttrResource property output
!Sub "..."pulumi.interpolate
!Join [delim, [...]]pulumi.interpolate or .apply()
!If [cond, true, false]Ternary operator
!Equals [a, b]=== comparison
!Select [idx, list]Array indexing with .apply()
!Split [delim, str].apply(v => v.split(...))
Fn::ImportValueStack references or config
Example: !Sub
// CloudFormation: !Sub "arn:aws:s3:::${MyBucket}/*"
// Pulumi:
const bucketArn = pulumi.interpolate`arn:aws:s3:::${myBucket.bucket}/*`;
Example: !GetAtt
// CloudFormation: !GetAtt MyFunction.Arn
// Pulumi:
const functionArn = myFunction.arn;

2.4 CloudFormation Conditions

Convert CloudFormation conditions to TypeScript logic:

// CloudFormation:
// "Conditions": {
//   "CreateProdResources": { "Fn::Equals": [{ "Ref": "Environment" }, "prod"] }
// }

// Pulumi:
const config = new pulumi.Config();
const environment = config.require("environment");
const createProdResources = environment === "prod";

if (createProdResources) {
  // Create production-only resources
}

2.5 CloudFormation Parameters

Convert parameters to Pulumi config:

// CloudFormation:
// "Parameters": {
//   "InstanceType": { "Type": "String", "Default": "t3.micro" }
// }

// Pulumi:
const config = new pulumi.Config();
const instanceType = config.get("instanceType") || "t3.micro";

2.6 CloudFormation Mappings

Convert mappings to TypeScript objects:

// CloudFormation:
// "Mappings": {
//   "RegionMap": {
//     "us-east-1": { "AMI": "ami-12345" },
//     "us-west-2": { "AMI": "ami-67890" }
//   }
// }

// Pulumi:
const regionMap: Record<string, { ami: string }> = {
  "us-east-1": { ami: "ami-12345" },
  "us-west-2": { ami: "ami-67890" },
};
const ami = regionMap[aws.config.region!].ami;

2.7 Custom Resources

CloudFormation Custom Resources (AWS::CloudFormation::CustomResource or Custom::*) require special handling:

  1. Identify the purpose: Read the Lambda function code to understand what it does
  2. Find native replacement: Check if Pulumi has a native resource that provides the same functionality
  3. If no replacement: Document in the migration report that manual implementation is needed

2.8 TypeScript Output Handling

aws-native outputs often include undefined. Avoid ! non-null assertions. Always safely unwrap with .apply():

// WRONG
functionName: lambdaFunction.functionName!,

// CORRECT
functionName: lambdaFunction.functionName.apply(name => name || ""),

3. RESOURCE IMPORT

After conversion, import existing resources to be managed by Pulumi.

3.0 Pre-Import Validation (REQUIRED)

Before proceeding with import, verify your code:

  1. Check Provider Usage: Scan your code to ensure all resources use aws-native
  2. Document Exceptions: Any use of aws (classic) provider must be justified
  3. Verify Resource Names: Confirm all resources use CloudFormation Logical IDs as names

3.1 Automated Import with cdk-importer

Because you used CloudFormation Logical IDs as resource names, you can use the cdk-importer tool to automatically import resources.

Follow cfn-importer.md for detailed import procedures.

3.2 Manual Import for Failed Resources

For resources that fail automatic import:

  1. Follow cloudformation-id-lookup.md to find the import ID format
  2. Use pulumi import:
pulumi import <pulumi-resource-type> <logical-id> <import-id>

3.3 Running Preview After Import

After import, run pulumi preview. There must be:

  • NO updates
  • NO replaces
  • NO creates
  • NO deletes

If there are changes, investigate and update the program until preview is clean.

OUTPUT FORMAT (REQUIRED)

When performing a migration, always produce:

  1. Overview (high-level description)
  2. Migration Plan Summary
  3. Pulumi Code Outputs (TypeScript; organized by file)
  4. Resource Mapping Table:
CloudFormation Logical IDCFN TypePulumi TypeProvider
MyAppBucketABC123AWS::S3::Bucketaws-native.s3.Bucketaws-native
MyLambdaFunction456AWS::Lambda::Functionaws-native.lambda.Functionaws-native
  1. Custom Resources Summary (if any)
  2. Final Migration Report (PR-ready)
  3. Next Steps (import instructions)

FOR DETAILED DOCUMENTATION

Fetch content from official Pulumi documentation:

來自 pulumi 的更多技能

package-usage
pulumi
追蹤 Pulumi 組織中各堆疊使用特定套件及其版本的情況。用於跨堆疊審計,識別過時或未維護的…
official
provider-upgrade
pulumi
提供者升級是一種轉換,而非變更請求。
official
pulumi-arm-to-pulumi
pulumi
將ARM範本、Bicep或現有Azure資源轉換為Pulumi基礎設施程式碼。處理完整的ARM範本轉換為Pulumi(TypeScript、Python、Go、C#、Java或YAML),支援參數、變數、迴圈、條件式及巢狀範本。支援azure-native(完整API覆蓋)與azure(傳統簡化版)兩種提供者;自動為每個資源選擇正確的提供者。將現有已部署的Azure資源匯入Pulumi,並進行零差異驗證...
official
pulumi-automation-api
pulumi
跨多個堆疊與應用程式的 Pulumi 基礎設施操作之程式化編排。支援本地來源(現有 Pulumi 專案)與內嵌來源(嵌入式程式)架構,實現從簡單到複雜多堆疊場景的靈活部署模式。處理具相依性排序的多堆疊編排、平行獨立部署,以及跨堆疊輸出傳遞,以達成協調的基礎設施佈建。提供程式化...
official
pulumi-best-practices
pulumi
撰寫可靠、可維護的 Pulumi 基礎設施程式碼的全面最佳實踐。避免在 apply() 回呼中建立資源;直接將 Output 物件作為輸入傳遞,以保留依賴追蹤與預覽可見性。使用 ComponentResource 類別將相關資源分組為可重複使用的邏輯單元,並透過 parent: this 建立正確的父子層級。從一開始就使用 --secret 標誌或 config.requireSecret() 加密機密資訊,以防止憑證在狀態檔案中洩漏...
official
pulumi-cdk-to-pulumi
pulumi
當使用者想要遷移、轉換、移植、翻譯或移動 AWS CDK 應用程式(包括 CDK 堆疊、建構元件或…)時,載入此技能。
official
pulumi-component
pulumi
可重複使用的基礎架構元件,支援多語言、合理的預設值與組合模式。需具備四個核心要素:繼承 ComponentResource、接受標準參數、為所有子資源設定 parent: this,並在建構函式結尾呼叫 registerOutputs()。Args 介面必須使用 Input<T> 包裝器,避免聯合型別與函式,並保持結構扁平以支援多語言 SDK 生成。僅將必要的輸出暴露為公開屬性;隱藏...
official
pulumi-esc
pulumi
集中式機密、配置及動態憑證管理,適用於Pulumi基礎設施與應用程式。支援透過匯入與分層進行環境組合,並保留 environmentVariables 、 pulumiConfig 及 files 的保留鍵。透過OIDC為AWS、Azure及GCP產生短期憑證;可整合AWS Secrets Manager、Azure Key Vault、HashiCorp Vault及1Password。核心CLI指令包含 pulumi env init 、 pulumi env edit 、 pulumi env open (顯示...
official