pulumi-arm-to-pulumi

作者: pulumi

將ARM範本、Bicep或現有Azure資源轉換為Pulumi基礎設施程式碼。處理完整的ARM範本轉換為Pulumi(TypeScript、Python、Go、C#、Java或YAML),支援參數、變數、迴圈、條件式及巢狀範本。支援azure-native(完整API覆蓋)與azure(傳統簡化版)兩種提供者;自動為每個資源選擇正確的提供者。將現有已部署的Azure資源匯入Pulumi,並進行零差異驗證...

npx skills add https://github.com/pulumi/agent-skills --skill pulumi-arm-to-pulumi

IMPORTANT: PLAN ADJUSTMENT REQUIRED

If you have already generated a migration plan before loading this skill, you MUST:

  1. Review your existing plan against the workflows and requirements in this skill
  2. Identify any gaps, missing steps, or incorrect assumptions
  3. Update and revise your plan to align with this skill's guidance
  4. Communicate the adjusted plan to the user before proceeding

CRITICAL SUCCESS REQUIREMENTS

The migration output MUST meet all of the following:

  1. Complete Resource Coverage

    • Every ARM template resource MUST:
      • Be represented in the Pulumi program OR
      • Be explicitly justified in the final report.
  2. Successful Deployment

    • The produced Pulumi program must be structurally valid and capable of a successful pulumi preview (assuming proper config).
  3. Zero-Diff Import Validation (if importing existing resources)

    • After import, pulumi preview must show:
      • NO updates
      • NO replaces
      • NO creates
      • NO deletes
    • Any diffs must be resolved using the Preview Resolution Workflow. See arm-import.md.
  4. Final Migration Report

    • Always output a formal migration report suitable for a Pull Request.
    • Include:
      • ARM → Pulumi resource mapping
      • Provider decisions (azure-native vs azure)
      • Behavioral differences
      • Missing or manually required steps
      • Validation instructions

WHEN INFORMATION IS MISSING

If a user-provided ARM template is incomplete, ambiguous, or missing artifacts, ask targeted questions before generating Pulumi code.

If there is ambiguity on how to handle a specific resource property on import, ask targeted questions before altering Pulumi code.

MIGRATION WORKFLOW

Follow this workflow exactly and in this order:

1. INFORMATION GATHERING

1.1 Verify Azure Credentials

Running Azure CLI commands (e.g., az resource list, az resource show). Requires initial login using ESC and az login

  • If the user has already provided an ESC environment, use it.
  • If no ESC environment is specified, ask the user which ESC environment to use before proceeding with Azure CLI commands.

Setting up Azure CLI using ESC:

  • ESC environments can provide Azure credentials through environment variables or Azure CLI configuration
  • Login to Azure using ESC to provide credentials, e.g: pulumi env run {org}/{project}/{environment} -- bash -c 'az login --service-principal -u "$ARM_CLIENT_ID" --tenant "$ARM_TENANT_ID" --federated-token "$ARM_OIDC_TOKEN"'. ESC is not required after establishing the session
  • Verify credentials are working: az account show
  • Confirm subscription: az account list --query "[].{Name:name, SubscriptionId:id, IsDefault:isDefault}" -o table

For detailed ESC information: Load the pulumi-esc skill by calling the tool "Skill" with name = "pulumi-esc"

1.2 Analyze ARM Template Structure

ARM templates do not have the concept of "stacks" like CloudFormation. Read the ARM template JSON file directly:

# View template structure
cat template.json | jq '.resources[] | {type: .type, name: .name}'

# View parameters
cat template.json | jq '.parameters'

# View variables
cat template.json | jq '.variables'

Extract:

  • Resource types and names
  • Parameters and their default values
  • Variables and expressions
  • Dependencies (dependsOn arrays)
  • Nested templates or linked templates
  • Copy loops (iteration constructs)
  • Conditional deployments (condition property)

Documentation: ARM Template Structure

1.3 Build Resource Inventory (if importing existing resources)

If the ARM template has already been deployed and you're importing existing resources:

# List all resources in a resource group
az resource list \
  --resource-group <resource-group-name> \
  --output json

# Get specific resource details
az resource show \
  --ids <resource-id> \
  --output json

# Query specific properties using JMESPath
az resource show \
  --ids <resource-id> \
  --query "{name:name, location:location, properties:properties}" \
  --output json

Documentation: Azure CLI Documentation

2. CODE CONVERSION (ARM → PULUMI)

IMPORTANT: ARM to Pulumi conversion requires manual translation. There is NO automated conversion tool for ARM templates. You are responsible for the complete conversion.

Key Conversion Principles

  1. Provider Strategy:

    • Default: Use @pulumi/azure-native for full Azure Resource Manager API coverage
    • Fallback: Use @pulumi/azure (classic provider) when azure-native doesn't support specific features or when you need simplified abstractions

    Documentation:

  2. Language Support:

    • TypeScript/JavaScript: Most common, excellent IDE support
    • Python: Great for data teams and ML workflows
    • C#: Natural fit for .NET teams
    • Go: High performance, strong typing
    • Java: Enterprise Java teams
    • YAML: Simple declarative approach
    • Choose based on user preference or existing codebase
  3. Complete Coverage:

    • Convert ALL resources in the ARM template
    • Preserve all conditionals, loops, and dependencies
    • Maintain parameter and variable logic

Follow conversion patterns in arm-conversion-patterns.md.

arm-conversion-patterns.md provides:

  • Parameters, variables, and outputs mapping
  • Copy loops, conditionals, and dependsOn translation
  • Nested templates → ComponentResource
  • Azure Classic provider examples (VNet, App Service)
  • TypeScript output handling and common pitfalls

3. RESOURCE IMPORT (EXISTING RESOURCES) - OPTIONAL

After conversion, you can optionally import existing resources to be managed by Pulumi. If the user does not request this, suggest it as a follow-up step to conversion.

CRITICAL: When the user requests importing existing Azure resources into Pulumi, see arm-import.md for detailed import procedures and zero-diff validation workflows.

arm-import.md provides:

  • Inline import ID patterns and examples
  • Azure Resource ID format conventions
  • Child resource handling (e.g., WebAppApplicationSettings)
  • Preview Resolution Workflow for achieving zero-diff after import
  • Step-by-step debugging for property conflicts

Key Import Principles

  1. Inline Import Approach:

    • Use import resource option with Azure Resource IDs
    • No separate import tool (unlike pulumi-cdk-importer)
  2. Azure Resource IDs:

    • Follow predictable pattern: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}
    • Can be generated by convention or queried via Azure CLI
  3. Zero-Diff Validation:

    • Run pulumi preview after import
    • Resolve all diffs using Preview Resolution Workflow
    • Goal: NO updates, replaces, creates, or deletes

4. PULUMI CONFIGURATION

Set up stack configuration matching ARM template parameters:

# Set Azure region
pulumi config set azure-native:location eastus --stack dev

# Set application parameters
pulumi config set storageAccountName mystorageaccount --stack dev

# Set secret parameters
pulumi config set --secret adminPassword MyS3cr3tP@ssw0rd --stack dev

5. VALIDATION

After achieving zero diff in preview (if importing), validate the migration:

  1. Review all exports:

    pulumi stack output
    
  2. Verify resource relationships:

    pulumi stack graph
    
  3. Test application functionality (if applicable)

  4. Document any manual steps required post-migration

WORKING WITH THE USER

If the user asks for help planning or performing an ARM to Pulumi migration, use the information above to guide the user through the conversion and import process.

FOR DETAILED DOCUMENTATION

When the user wants additional information, use the web-fetch tool to get content from the official Pulumi documentation:

Microsoft Azure Documentation:

OUTPUT FORMAT (REQUIRED)

When performing a migration, always produce:

  1. Overview (high-level description)
  2. Migration Plan Summary
    • ARM template resources identified
    • Conversion strategy (language, providers)
    • Import approach (if applicable)
  3. Pulumi Code Outputs (organized by file)
    • Main program file
    • Component resources (if any)
    • Configuration instructions
  4. Resource Mapping Table (ARM → Pulumi)
    • ARM resource type → Pulumi resource type
    • ARM resource name → Pulumi logical name
    • Import ID (if importing)
  5. Preview Resolution Notes (if importing)
    • Diffs encountered
    • Resolution strategy applied
    • Properties ignored vs. added
  6. Final Migration Report (PR-ready)
    • Summary of changes
    • Testing instructions
    • Known limitations
    • Next steps
  7. Configuration Setup
    • Required config values
    • Example pulumi config set commands

Keep code syntactically valid and clearly separated by files.

來自 pulumi 的更多技能

cloudformation-to-pulumi
pulumi
將 AWS CloudFormation 堆疊或範本轉換、遷移或匯入至 Pulumi 程式。每當使用者想要從 CloudFormation 移轉至…時,載入此技能。
official
package-usage
pulumi
追蹤 Pulumi 組織中各堆疊使用特定套件及其版本的情況。用於跨堆疊審計,識別過時或未維護的…
official
provider-upgrade
pulumi
提供者升級是一種轉換,而非變更請求。
official
pulumi-automation-api
pulumi
跨多個堆疊與應用程式的 Pulumi 基礎設施操作之程式化編排。支援本地來源(現有 Pulumi 專案)與內嵌來源(嵌入式程式)架構,實現從簡單到複雜多堆疊場景的靈活部署模式。處理具相依性排序的多堆疊編排、平行獨立部署,以及跨堆疊輸出傳遞,以達成協調的基礎設施佈建。提供程式化...
official
pulumi-best-practices
pulumi
撰寫可靠、可維護的 Pulumi 基礎設施程式碼的全面最佳實踐。避免在 apply() 回呼中建立資源;直接將 Output 物件作為輸入傳遞,以保留依賴追蹤與預覽可見性。使用 ComponentResource 類別將相關資源分組為可重複使用的邏輯單元,並透過 parent: this 建立正確的父子層級。從一開始就使用 --secret 標誌或 config.requireSecret() 加密機密資訊,以防止憑證在狀態檔案中洩漏...
official
pulumi-cdk-to-pulumi
pulumi
當使用者想要遷移、轉換、移植、翻譯或移動 AWS CDK 應用程式(包括 CDK 堆疊、建構元件或…)時,載入此技能。
official
pulumi-component
pulumi
可重複使用的基礎架構元件,支援多語言、合理的預設值與組合模式。需具備四個核心要素:繼承 ComponentResource、接受標準參數、為所有子資源設定 parent: this,並在建構函式結尾呼叫 registerOutputs()。Args 介面必須使用 Input<T> 包裝器,避免聯合型別與函式,並保持結構扁平以支援多語言 SDK 生成。僅將必要的輸出暴露為公開屬性;隱藏...
official
pulumi-esc
pulumi
集中式機密、配置及動態憑證管理,適用於Pulumi基礎設施與應用程式。支援透過匯入與分層進行環境組合,並保留 environmentVariables 、 pulumiConfig 及 files 的保留鍵。透過OIDC為AWS、Azure及GCP產生短期憑證;可整合AWS Secrets Manager、Azure Key Vault、HashiCorp Vault及1Password。核心CLI指令包含 pulumi env init 、 pulumi env edit 、 pulumi env open (顯示...
official