diff --git a/archetypes/resources/index.md b/archetypes/resources/index.md new file mode 100644 index 000000000000..ffa941adbb5e --- /dev/null +++ b/archetypes/resources/index.md @@ -0,0 +1,52 @@ +--- +title: "{{ replace .Name "-" " " | title }}" +date: {{ .Date }} +draft: false + +# SEO and social +meta_desc: "" +meta_image: meta.png +title_tag: "" + +# Resource library taxonomy +solution_areas: + # - infrastructure-unification + # - security-compliance + # - ai-ready-infrastructure + +content_type: "" + # ecosystem-overview | comparison-guide | solution-guide + +capabilities: + # - ai-and-automation + # - policy-as-code + # - secrets-management + # - multi-cloud + # - kubernetes + # - internal-developer-platforms + # - drift-detection + # - compliance + +funnel_stage: "" + # problem-aware | solution-aware | evaluation + +target_personas: + # - platform-engineer + # - security-compliance-lead + # - devops-engineer + # - engineering-leader + +# Editorial +authors: + - "" +tags: + - "" +featured: false +featured_weight: 0 + +# AEO metadata +last_reviewed: {{ .Date }} +faq: + - question: "" + answer: "" +--- diff --git a/content/resources/_index.md b/content/resources/_index.md new file mode 100644 index 000000000000..53d1ccc5c656 --- /dev/null +++ b/content/resources/_index.md @@ -0,0 +1,7 @@ +--- +title: Resource Library +meta_desc: "Guides, comparisons, and solutions for infrastructure as code, cloud security, compliance, and platform engineering." +type: resources +--- + +Explore in-depth guides comparing infrastructure as code platforms, evaluating cloud security tools, and scaling platform engineering with Pulumi. Whether you're choosing your first IaC tool or migrating from Terraform, these resources help you make informed decisions. diff --git a/content/resources/infrastructure-unification/_index.md b/content/resources/infrastructure-unification/_index.md new file mode 100644 index 000000000000..adcb203cd410 --- /dev/null +++ b/content/resources/infrastructure-unification/_index.md @@ -0,0 +1,59 @@ +--- +title: "Infrastructure Unification" +meta_desc: "Guides, comparisons, and evaluations for unifying cloud infrastructure management across teams, tools, and clouds with Pulumi." +meta_image: /images/docs/meta-images/docs-meta.png +type: resources +tagline: "One platform for all your clouds, tools, and teams" +last_reviewed: 2026-03-11 +related_capabilities: + - ai-and-automation + - multi-cloud + - kubernetes +related_areas: + - security-compliance + - ai-ready-infrastructure +cta: + text: "Get started with Pulumi" + url: "/docs/get-started/" +faq: + - question: "What is infrastructure unification?" + answer: "Infrastructure unification is the practice of managing all cloud resources, regardless of provider or deployment target, through a single platform and workflow. Rather than maintaining separate tools for AWS, Azure, GCP, and Kubernetes, teams use one consistent approach for defining, deploying, and managing infrastructure everywhere." + - question: "Why do teams struggle with multi-cloud infrastructure management?" + answer: "Most organizations accumulate multiple infrastructure tools over time: Terraform for some resources, CloudFormation for AWS-specific workloads, Helm for Kubernetes, and custom scripts for everything else. Each tool has its own language, state management, and workflows. This fragmentation creates knowledge silos, slows deployment velocity, and makes it difficult to enforce consistent policies across environments." + - question: "How does Pulumi help unify infrastructure management?" + answer: "Pulumi lets teams define infrastructure for any cloud provider using general-purpose programming languages like Python, TypeScript, Go, C#, Java, or even HCL and YAML. With support for over 180 providers and native integrations for AWS, Azure, GCP, and Kubernetes, teams can manage everything from a single platform with consistent state management, policy enforcement, and deployment workflows." + - question: "Can I use Pulumi alongside existing Terraform configurations?" + answer: "Yes. Pulumi Cloud can manage Terraform and OpenTofu state directly, and Pulumi Insights provides visibility across resources managed by any IaC tool. Teams can adopt Pulumi incrementally, keeping existing configurations while migrating workloads at their own pace." +--- + +Infrastructure unification is the practice of managing all your cloud resources through a single platform and workflow, regardless of which cloud providers or deployment targets you use. For platform engineering teams supporting dozens or hundreds of developers, unifying infrastructure management eliminates the tool sprawl and knowledge silos that slow delivery. + +## The challenge: infrastructure fragmentation + +If you manage infrastructure across multiple clouds, you've likely experienced this firsthand. AWS workloads run through CloudFormation or Terraform. Kubernetes clusters have their own Helm charts and manifests. Azure resources use ARM templates or a separate Terraform workspace. Each tool brings its own language, state backend, and operational model. + +This fragmentation hits platform teams hardest. A small infrastructure group (typically 2 to 10 engineers) supports 50 to 500+ developers, and every tool boundary creates a context switch. When only one or two people understand each toolchain, knowledge becomes concentrated, reviews become bottlenecks, and deployment velocity collapses. What should take hours takes days. + +The problem compounds at scale. As resource counts grow into the thousands, state management becomes unwieldy, drift goes undetected, and enforcing consistent security policies across disparate tools becomes nearly impossible. + +## How Pulumi addresses infrastructure unification + +Pulumi approaches this problem by letting teams choose their preferred programming language for all infrastructure, across all clouds, in a single platform. + +**Language flexibility across any cloud.** Pulumi supports Python, TypeScript, Go, C#, Java, HCL, and YAML. With over 180 cloud providers, including native support for AWS, Azure, GCP, and Kubernetes, teams can manage every resource from one place. The same language, testing framework, and CI/CD pipeline work whether you're provisioning an S3 bucket, an AKS cluster, or a Cloudflare Worker. + +**Software engineering for infrastructure.** Because Pulumi uses general-purpose languages, teams get the full power of software engineering: loops, conditionals, functions, classes, package managers, unit tests, and IDE support. Reusable components can be shared as libraries across teams, turning proven patterns into organizational standards. + +**AI-native and agent-ready.** AI coding agents already understand Python and TypeScript. Pulumi's language-native approach means infrastructure can participate in the same AI-assisted development workflows as application code, with agents that can preview changes, check policies, and open pull requests in tight feedback loops. [Pulumi Neo](/product/neo/) brings this capability directly into your infrastructure workflow. + +**Unified visibility and governance.** [Pulumi Insights](/product/pulumi-insights/) provides search and visibility across all cloud resources, regardless of which IaC tool manages them. Combined with [Pulumi Policies](/product/pulumi-policies/) for policy as code, teams get consistent governance across every environment. + +For a detailed comparison of the tools available for unifying infrastructure management, see our [Infrastructure as Code Tools Guide](/resources/infrastructure-unification/infrastructure-as-code-tools/). To understand how AI is changing infrastructure automation, explore our [AI Infrastructure Tools Guide](/resources/infrastructure-unification/ai-infrastructure-tools/). + +## Key capabilities + +**Multi-cloud management.** Define and deploy resources across AWS, Azure, GCP, Kubernetes, and 180+ providers from a single program. No need for provider-specific tooling or separate workflows. + +**Kubernetes integration.** Pulumi provides native Kubernetes support with full access to the Kubernetes API, including CRDs. Manage clusters, workloads, and cloud resources together in the same program. + +**AI-powered automation.** Pulumi Neo can analyze existing infrastructure, suggest improvements, enforce policies, and accelerate migrations from tools like Terraform, CloudFormation, and CDK. Teams using Pulumi have reduced infrastructure change cycles from weeks to hours. diff --git a/content/resources/infrastructure-unification/ai-infrastructure-tools/index.md b/content/resources/infrastructure-unification/ai-infrastructure-tools/index.md new file mode 100644 index 000000000000..f80ffb8116ba --- /dev/null +++ b/content/resources/infrastructure-unification/ai-infrastructure-tools/index.md @@ -0,0 +1,583 @@ +--- +title: "Best AI Infrastructure Tools in 2026" +date: 2026-01-27 +draft: false +meta_desc: "Compare the best AI infrastructure tools in 2026. Guide to GPU clouds, MLOps platforms, and AI-powered infrastructure management tools." +meta_image: meta.png +authors: + - asaf-ashirov +tags: + - ai + - infrastructure-as-code + - platform-engineering + - devops +solution_areas: + - infrastructure-unification +content_type: ecosystem-overview +capabilities: + - ai-and-automation +funnel_stage: problem-aware +target_personas: + - platform-engineer + - devops-engineer + - engineering-leader +featured: true +featured_weight: 3 +last_reviewed: 2026-03-05 +--- + +Here's a problem you've probably noticed: AI coding assistants help developers ship application code faster than ever, but platform engineering teams can't keep up. [McKinsey research](https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/the-economic-potential-of-generative-ai-the-next-productivity-frontier) shows generative AI boosts developer productivity by 20–45%. That's great for app teams, but it creates what some call the "velocity trap" - features piling up faster than infrastructure teams can support them. + + + +The market numbers tell the same story from two angles. Analyst projections put infrastructure for AI workloads (GPU clouds, MLOps platforms, specialized compute) at over $300 billion by the early 2030s. Meanwhile, AI applied to DevOps and infrastructure management is one of the fastest-growing segments, with projections suggesting growth from under $1 billion in 2022 to over $20 billion by 2032. Companies are investing in both: running AI workloads and using AI to manage infrastructure. + +This guide covers both categories. Part 1 looks at tools for building and running AI workloads: GPU clouds, MLOps platforms, and hyperscaler AI services. Part 2 examines the more interesting shift: AI-powered tools that manage infrastructure itself, moving from manual provisioning to intelligent automation. + +If you're scaling ML workloads or trying to bring AI into your platform engineering workflows, you'll find what you need here. + +## AI infrastructure tools overview + +This guide covers the following tools and platforms: + +### Tools for building AI infrastructure + +1. [CoreWeave](#coreweave) - GPU cloud built for AI workloads +1. [Lambda Labs](#lambda-labs) - Simple GPU cloud for research and startups +1. [Modal](#modal) - Serverless GPU compute +1. [Weights & Biases](#weights--biases) - ML experiment tracking and model management +1. [MLflow](#mlflow) - Open-source ML lifecycle platform +1. [Hyperscaler AI platforms](#hyperscaler-ai-platforms) - AWS SageMaker, Google Vertex AI, Azure ML + +### AI-powered infrastructure management tools + +1. [Pulumi Neo](#pulumi-neo) - Agentic AI with policy automation +1. [System Initiative](#system-initiative) - AI-native digital twin approach +1. [Firefly AIaC](#firefly-aiac) - Asset codification and IaC generation +1. [env0 Cloud Compass](#env0-cloud-compass) - Multi-IaC insights and analysis +1. [Spacelift AI](#spacelift-ai) - Run explanation and troubleshooting +1. [Crossplane with Upbound](#crossplane-with-upbound) - Kubernetes-native infrastructure +1. [GitHub Copilot](#github-copilot) - General-purpose code assistance +1. [AWS Application Composer](#aws-application-composer) - Visual serverless builder + +## Quick picks + +If you're short on time: + +**Need enterprise compliance**: Pulumi Neo. It actually executes infrastructure changes (not just suggestions), has pre-built compliance frameworks (CIS, HITRUST, NIST, PCI DSS), and works with your existing Terraform, CloudFormation, or manually created infrastructure. + +**Need serious GPU compute**: CoreWeave. Built for AI workloads from the start, NVIDIA partnership, pricing that beats AWS/GCP/Azure. + +**Want great developer experience for ML**: Modal. Write Python, get GPUs. Pay per second. Surprisingly good. + +**Want open-source MLOps**: MLflow. No vendor lock-in, broad ecosystem support, can self-host or use managed services. + +## What is AI infrastructure? + +The term "AI infrastructure" gets thrown around a lot, but it actually covers two different things: + +**Infrastructure for AI** means the specialized compute, storage, and orchestration you need to train, deploy, and run AI/ML workloads. GPU cloud providers, MLOps platforms, and AI services from AWS/Azure/GCP fall into this bucket. + +Why can't you just use regular cloud infrastructure? Training large language models needs thousands of GPUs working together, with specialized networking to keep communication overhead low. Inference is different again: you need lower latency, efficient batching, and often different GPU types optimized for throughput. General-purpose cloud platforms weren't built for this, which is why specialized tools exist. + +**AI-powered infrastructure management** flips the script. Instead of infrastructure to run AI, these are AI tools that manage infrastructure. They automate provisioning, configuration, and governance - everything from generating infrastructure as code to executing complex provisioning tasks without human intervention. + +Why does this matter? Multi-cloud architectures, containers, and microservices have made infrastructure exponentially more complex. Manual management doesn't scale, and even traditional automation struggles to keep pace. AI-powered tools can understand context and adapt in ways that scripted automation can't. + +Most organizations need both: infrastructure to run their AI applications, and AI tools to manage that infrastructure without drowning in complexity. + +## Part 1: Tools for building AI infrastructure + +These are the platforms you need to actually run AI and ML workloads - GPU clouds for compute, MLOps platforms for managing the ML lifecycle. + +### CoreWeave + +CoreWeave is the GPU cloud you've probably heard about if you follow AI infrastructure news. Unlike AWS or GCP, they built their infrastructure specifically for AI/ML workloads from day one. + +**License**: Proprietary +**Best for**: Large-scale AI training, inference workloads, and teams needing dedicated GPU capacity + +The numbers speak for themselves: a 2025 IPO, a $12 billion partnership with OpenAI, and the recent acquisition of Weights & Biases. CoreWeave runs the infrastructure behind some of the most demanding AI workloads in production. They offer the latest NVIDIA hardware (H100 and H200 GPUs) with pricing that typically beats the hyperscalers. + +**Key strengths**: +- GPU infrastructure designed for AI from the ground up +- Direct NVIDIA partnership with early access to new hardware +- Kubernetes-native architecture +- Handles large-scale distributed training well + +**Considerations**: Newer than AWS/GCP/Azure, so smaller global footprint. Best suited for GPU-heavy workloads, not general cloud computing. + +### Lambda Labs + +Lambda Labs focuses on making GPU access straightforward. You don't need infrastructure expertise to get started - their environments come pre-configured with PyTorch and TensorFlow ready to go. + +**License**: Proprietary +**Best for**: Research teams, startups, and developers who want GPUs without the configuration headache + +On-demand and reserved instances, environments that just work, competitive pricing. Lambda built their reputation on being the approachable option. + +**Key strengths**: +- Straightforward to use (not just claiming simplicity in marketing copy) +- Pre-configured deep learning environments +- Good pricing for on-demand access +- Strong community and learning resources + +**Considerations**: Smaller than CoreWeave or the hyperscalers. You might hit availability issues during peak demand. + +### Modal + +Modal's pitch is straightforward: you write Python functions, they handle the GPUs. No infrastructure configuration, no capacity planning, no idle instances burning money. + +**License**: Proprietary +**Best for**: Developers and data scientists who want to run ML workloads without touching infrastructure + +The serverless model means you decorate a Python function and Modal figures out GPU allocation, scaling, and scheduling. Pay-per-second pricing makes it surprisingly cost-effective for variable workloads where reserved instances would sit idle. + +**Key strengths**: +- Developer experience that actually delivers (not just marketing) +- Serverless GPU compute with automatic scaling +- Pay-per-second means you don't pay for idle time +- Cold starts are fast compared to spinning up containers + +**Considerations**: You give up control over the underlying infrastructure. Not ideal if you need specific hardware configurations or have long-running training jobs that would benefit from reserved capacity. + +### Weights & Biases + +Weights & Biases (W&B) has become the industry standard for ML experiment tracking and model management, with over 200,000 practitioners using the platform. + +**License**: Proprietary with free tier +**Best for**: ML teams who need comprehensive experiment tracking, model versioning, and collaboration capabilities + +W&B provides tools for tracking experiments, visualizing results, and managing the ML lifecycle from development through production. The platform integrates with virtually every major ML framework and cloud provider. + +**Key strengths**: +- Industry-leading experiment tracking and visualization +- Comprehensive model registry and versioning +- Strong collaboration features for ML teams +- Extensive integrations with ML frameworks and tools + +**Considerations**: Can become costly at scale; some teams prefer self-hosted alternatives for data privacy reasons. + +### MLflow + +MLflow is the leading open-source platform for managing the ML lifecycle, offering experiment tracking, model packaging, and deployment capabilities without vendor lock-in. + +**License**: Apache 2.0 (open source) +**Best for**: Teams who want open-source ML lifecycle management with flexibility to self-host or use managed services + +Originally developed by Databricks, MLflow has grown into a comprehensive platform with broad community support. It can run locally, on-premises, or through various managed service providers. + +**Key strengths**: +- Open source with no vendor lock-in +- Comprehensive ML lifecycle management +- Flexible deployment options (local, cloud, managed) +- Strong integration with popular ML frameworks + +**Considerations**: Self-hosted deployments require operational overhead; commercial alternatives may offer better collaboration features. + +### Hyperscaler AI platforms + +The major cloud providers offer comprehensive AI/ML platforms with deep ecosystem integration. While these platforms typically cost more than specialized alternatives, they offer advantages in ecosystem integration, enterprise support, and compliance certifications. + +**AWS SageMaker** provides end-to-end ML capabilities from data preparation through deployment, with tight integration into the AWS ecosystem. SageMaker includes built-in algorithms, notebook instances, training infrastructure, and deployment options including real-time inference endpoints and batch processing. The platform's strength lies in its integration with other AWS services: data stored in S3, processed through AWS Glue, trained on SageMaker, and deployed to Lambda or ECS. Best for organizations already invested in AWS who want a unified ML platform. + +**Google Vertex AI** offers Google's ML infrastructure and tools, including access to TPUs (Tensor Processing Units) that can provide significant performance advantages for certain workloads. Vertex AI integrates with BigQuery for data warehousing, provides AutoML capabilities for teams without deep ML expertise, and offers access to Google's foundation models. The platform benefits from Google's AI research leadership, often making new capabilities available earlier than competitors. Best for teams using Google Cloud or requiring access to Google's AI research capabilities and specialized hardware. + +**Azure Machine Learning** delivers enterprise-grade ML capabilities with strong integration into Microsoft's development tools and enterprise services. Azure ML works seamlessly with Azure DevOps for MLOps pipelines, integrates with Power BI for model insights, and benefits from Microsoft's extensive compliance certifications. The platform also offers strong hybrid and multi-cloud capabilities through Azure Arc. Best for organizations in the Microsoft ecosystem or with specific compliance requirements that benefit from Microsoft's enterprise relationships. + +**Considerations for hyperscaler platforms**: Higher costs compared to specialized providers (often 2-3x for equivalent GPU compute); potential for vendor lock-in as organizations build dependencies on proprietary services; comprehensive ecosystems that work best when fully adopted rather than used piecemeal. However, for organizations already committed to a cloud provider, the reduced operational complexity and unified billing may justify the premium. + +## Part 2: AI-powered infrastructure management tools + +This is where things get interesting. Instead of using infrastructure to run AI, these tools use AI to manage your infrastructure. The shift from "AI generates code suggestions" to "AI executes infrastructure changes" is bigger than it sounds. + +### The shift from code generation to agentic execution + +Before diving into specific tools, it's worth understanding what separates them. The difference between a code assistant and an agentic platform isn't just marketing - it changes how your team works. + +**Code generation tools** like GitHub Copilot suggest infrastructure code based on context. You review the suggestions, maybe modify them, then run the code yourself. The AI helps, but you're still doing the work. + +**Agentic AI platforms** actually execute changes. They understand your infrastructure context, generate appropriate code, and run it - with guardrails you define. The AI handles multi-step workflows, manages dependencies, and enforces policies automatically. You describe what you want; the AI makes it happen. + +Why does this matter? + +| Capability | Code Generation | Agentic Execution | +|------------|-----------------|-------------------| +| Generates infrastructure code | Yes | Yes | +| Understands infrastructure context | Limited | Deep | +| Executes changes | No | Yes | +| Handles multi-step workflows | No | Yes | +| Enforces policies automatically | No | Yes | +| Remediates drift and violations | No | Yes | + +Organizations evaluating AI infrastructure tools should consider where they fall on this spectrum and what level of automation suits their governance requirements and risk tolerance. + +### Pulumi Neo + +[Pulumi Neo](/product/neo/) is Pulumi's agentic AI for infrastructure. Unlike code assistants that suggest snippets for you to review and run, Neo executes complete infrastructure workflows - from understanding what you need to deploying the resources. + +**License**: Proprietary (Pulumi Cloud) +**Best for**: Platform engineering teams who want AI automation with real governance and compliance controls + +What makes Neo different is that it actually understands your infrastructure context: your existing resources, organizational policies, and cloud provider constraints. When you describe what you need, Neo figures out the right resources, generates compliant code, and deploys it - all while respecting your guardrails. + +**Full agentic execution** + +Neo handles end-to-end infrastructure workflows. You describe what you need in natural language, and Neo determines the appropriate resources, generates compliant infrastructure code, and executes the deployment: + +- "Deploy a production-ready Kubernetes cluster on AWS with auto-scaling" +- "Set up a new microservice with proper networking, secrets management, and monitoring" +- "Migrate this application from development to production with appropriate security controls" + +**Policy automation and compliance** + +One of Neo's most distinctive capabilities is its integration with [Pulumi Insights and Governance](/product/insights-governance/), enabling automated policy enforcement and compliance remediation: + +- **Detection to remediation loop**: Neo identifies policy violations across your infrastructure and automatically generates fixes, closing the gap between detection and resolution +- **Pre-built compliance frameworks**: Ready-to-deploy policy packs for CIS benchmarks, HITRUST CSF, NIST SP 800-53, and PCI DSS +- **Shadow IT remediation**: Discovers infrastructure created outside your IaC workflows, imports it into management, and brings it into compliance +- **Batch remediation**: Fix multiple violations across stacks and accounts with natural language commands like "Find and remediate all unencrypted S3 buckets across our AWS accounts" + +**Works with any infrastructure** + +Unlike tools that only manage resources they created, Neo's governance capabilities work with infrastructure regardless of how it was provisioned: + +- Pulumi-managed resources +- Terraform configurations +- CloudFormation stacks +- Manually created cloud resources + +This means organizations can adopt Neo incrementally without migrating their entire infrastructure footprint. A common adoption pattern is to start by using Neo's audit capabilities to discover and assess existing infrastructure, then gradually bring resources under management as teams build confidence with the platform. + +**Progressive autonomy** + +Neo offers configurable trust levels that let organizations expand automation as confidence builds: + +- Start with human-in-the-loop approval for all changes +- Progressively allow autonomous execution for well-defined, low-risk operations +- Maintain strict approval requirements for production changes or sensitive resources + +This progressive model addresses a key enterprise concern: how to adopt AI automation without losing control. Rather than an all-or-nothing approach, organizations can expand Neo's autonomy incrementally, based on demonstrated reliability and organizational comfort with AI-driven changes. + +**The reinforcement cycle** + +One of Neo's unique characteristics is how it improves alongside your infrastructure investment. As organizations adopt more Pulumi capabilities, such as Pulumi IaC for provisioning, Pulumi ESC for secrets and configuration, and Pulumi Policies for governance, Neo gains deeper context about your infrastructure patterns, security requirements, and organizational preferences. + +This creates a reinforcement cycle: investment in the Pulumi platform directly enhances Neo's effectiveness, while Neo reduces the effort required to maintain and expand that investment. Organizations that have built comprehensive policy libraries, for example, find that Neo automatically generates compliant infrastructure without explicit guidance, because it understands and respects those policies by design. + +**IDE and workflow integration** + +Neo integrates into existing developer workflows through multiple channels: + +- **IDE integration**: The Pulumi MCP Server brings Neo capabilities directly into VS Code, Cursor, Windsurf, and other MCP-compatible editors, allowing developers to interact with infrastructure through their familiar development environment +- **Pulumi Cloud**: The native Pulumi Cloud interface provides a comprehensive view of Neo activities, including task history, approval workflows, and remediation progress +- **CI/CD integration**: Neo can be triggered as part of deployment pipelines, enabling automated policy remediation before code reaches production + +**Case studies**: + +- **Werner Enterprises**: Reduced infrastructure provisioning from 3 days to 4 hours, enabling 75% faster feature delivery while maintaining SOC 2 compliance +- **Spear AI**: Reduced Authority to Operate (ATO) timeline from an expected 1.5 years to 3 months by using policy-as-code to demonstrate compliance controls to auditors + +**Key strengths**: +- True agentic execution, not just code generation +- Deep integration with compliance frameworks and policy enforcement +- Works with existing infrastructure regardless of how it was created +- Progressive autonomy model for enterprise adoption +- IDE integration via MCP Server (VS Code, Cursor, Windsurf) plus native Pulumi Cloud access + +**Considerations**: Works best within the Pulumi ecosystem; organizations see increasing value as they invest in Pulumi IaC, ESC, and Policies. + +### System Initiative + +System Initiative takes a novel approach by modeling infrastructure as a real-time digital twin, with AI capabilities built into the modeling layer. + +**License**: Open source (Apache 2.0) +**Best for**: Teams interested in a fundamentally different approach to infrastructure modeling and management + +Rather than generating static configuration files, System Initiative maintains a live model of your infrastructure that updates in real-time. AI assists in understanding and modifying this model. + +**Key strengths**: +- Innovative digital twin approach to infrastructure modeling +- Real-time infrastructure visualization and manipulation +- Open source with community-driven development +- AI-native design rather than AI added to existing tools + +**Considerations**: Newer product with fewer production deployments and case studies; represents a paradigm shift that may require significant workflow changes. + +### Firefly AIaC + +Firefly positions itself as an AI-powered asset management platform that can generate infrastructure as code from existing cloud resources. + +**License**: Proprietary +**Best for**: Teams who need to codify existing cloud infrastructure or generate IaC from natural language descriptions + +Firefly's core strength is "asset codification": discovering existing cloud resources and generating corresponding infrastructure as code. The AI capabilities extend this to natural language IaC generation. + +**Key strengths**: +- Strong asset discovery and codification capabilities +- Natural language to IaC generation +- Multi-cloud support across major providers +- Drift detection and remediation workflows + +**Considerations**: AI features are supplementary to the core asset management platform; less focus on agentic execution compared to policy enforcement. + +### env0 Cloud Compass + +env0's Cloud Compass adds AI capabilities to their infrastructure automation platform, focusing on providing insights and analysis rather than autonomous execution. + +**License**: Proprietary +**Best for**: Teams using multiple IaC tools who want AI-powered insights and analysis + +Cloud Compass provides AI-generated PR summaries, drift cause analysis, and infrastructure insights. The platform supports Terraform, OpenTofu, Pulumi, and other IaC tools. + +**Key strengths**: +- Multi-IaC support (Terraform, OpenTofu, Pulumi, CloudFormation) +- AI-generated pull request summaries and analysis +- Drift detection with AI-powered cause analysis +- Cost estimation and optimization insights + +**Considerations**: AI capabilities focused on analysis and explanation rather than autonomous execution; best as an enhancement to existing workflows. + +### Spacelift AI + +Spacelift integrates AI capabilities focused on explaining and troubleshooting infrastructure runs rather than generating or executing infrastructure code. + +**License**: Proprietary +**Best for**: Teams who want AI assistance understanding complex infrastructure changes and troubleshooting failures + +Spacelift's AI features analyze run outputs, explain what happened during deployments, and provide troubleshooting guidance when things go wrong. + +**Key strengths**: +- AI-powered run explanation and analysis +- Troubleshooting insights for failed deployments +- Integration with multiple IaC tools +- Strong CI/CD integration for GitOps workflows + +**Considerations**: AI capabilities focused on observation and explanation rather than generation or execution; complementary to other tools rather than replacement. + +### Crossplane with Upbound + +Crossplane brings Kubernetes-style declarative management to cloud resources, with Upbound announcing AI-native capabilities for their commercial offering. + +**License**: Apache 2.0 (Crossplane open source); Proprietary (Upbound) +**Best for**: Teams with strong Kubernetes expertise who want to manage cloud resources using Kubernetes patterns + +Crossplane extends Kubernetes with custom resource definitions (CRDs) for cloud resources, enabling teams to use familiar kubectl and GitOps workflows for infrastructure management. + +**Key strengths**: +- Kubernetes-native approach to infrastructure management +- Strong GitOps integration and declarative workflows +- Active open source community +- Upbound 2.0 adds AI-native control plane capabilities + +**Considerations**: Requires Kubernetes expertise; steeper learning curve for teams without Kubernetes background; AI capabilities still emerging in commercial offering. + +### GitHub Copilot + +GitHub Copilot provides AI-powered code suggestions across all languages, including infrastructure as code formats like Terraform HCL, Pulumi programs, and CloudFormation templates. + +**License**: Proprietary (subscription) +**Best for**: Developers who want general-purpose AI code assistance including infrastructure code + +As a general-purpose coding assistant, Copilot helps write infrastructure code faster but lacks deep infrastructure context. It doesn't understand your cloud environment, existing resources, or organizational policies. + +**Key strengths**: +- Excellent code completion and suggestion capabilities +- Broad language and framework support +- Strong IDE integration (VS Code, JetBrains, etc.) +- Widely adopted with extensive training data + +**Considerations**: Generic AI without infrastructure-specific context; no execution capabilities; limited understanding of cloud provider APIs and constraints; suggestions require careful review for infrastructure correctness. + +### AWS Application Composer + +AWS Application Composer provides a visual interface for building serverless applications, with AI-assisted suggestions for AWS services and configurations. + +**License**: Proprietary (AWS) +**Best for**: Teams building AWS serverless applications who prefer visual development + +Application Composer generates CloudFormation templates through a drag-and-drop interface with AI-powered suggestions for service configurations. + +**Key strengths**: +- Visual development experience for serverless applications +- Direct integration with AWS services +- AI suggestions for service configuration +- Generates CloudFormation templates + +**Considerations**: AWS-only with no multi-cloud support; limited to CloudFormation output; best suited for serverless architectures rather than general infrastructure. + +## Comparison tables + +### Infrastructure for AI tools + +| Tool | Category | Key Strength | Limitation | Pricing | Best For | +|------|----------|--------------|------------|---------|----------| +| CoreWeave | GPU Cloud | Purpose-built GPU infrastructure, NVIDIA partnership | Focused on GPU workloads | Per-GPU-hour | Large-scale AI training | +| Lambda Labs | GPU Cloud | Developer simplicity, pre-configured environments | Smaller scale | Per-GPU-hour | Research teams, startups | +| Modal | Serverless GPU | Developer experience, pay-per-second | Less infrastructure control | Pay-per-use | Variable ML workloads | +| Weights & Biases | MLOps | Industry-standard experiment tracking | Can be costly at scale | Free tier + paid | ML team collaboration | +| MLflow | MLOps | Open source, no vendor lock-in | Operational overhead if self-hosted | Free (self-hosted) | Flexible ML lifecycle | +| AWS SageMaker | Hyperscaler | AWS ecosystem integration | Higher cost, lock-in potential | Per-use | AWS-native organizations | +| Google Vertex AI | Hyperscaler | Google AI capabilities, TPU access | Lock-in potential | Per-use | Google Cloud users | +| Azure ML | Hyperscaler | Microsoft integration, enterprise features | Lock-in potential | Per-use | Microsoft ecosystem | + +### AI-powered infrastructure management tools + +| Tool | Approach | Key Strength | Limitation | Pricing | Best For | +|------|----------|--------------|------------|---------|----------| +| Pulumi Neo | Agentic AI | Full execution + policy automation | Best within Pulumi ecosystem | Pulumi Cloud tiers | Enterprise platform teams | +| System Initiative | Digital Twin | Real-time infrastructure modeling | Newer product, fewer case studies | Open source + commercial | Teams seeking new paradigms | +| Firefly AIaC | Asset Management | Asset codification, IaC generation | AI supplementary to core platform | Proprietary | Codifying existing infrastructure | +| env0 Cloud Compass | Multi-IaC Platform | Multi-tool support, PR analysis | Analysis-focused, not execution | Proprietary | Multi-IaC environments | +| Spacelift AI | CI/CD Platform | Run explanation, troubleshooting | Observation-focused | Proprietary | GitOps workflows | +| Crossplane/Upbound | Kubernetes-native | K8s patterns for infrastructure | Requires K8s expertise | Open source + commercial | Kubernetes-native teams | +| GitHub Copilot | Code Assistant | Broad language support, IDE integration | No infrastructure context | Subscription | General code assistance | +| AWS Composer | Visual Builder | Visual serverless development | AWS-only, CloudFormation-only | Included with AWS | AWS serverless apps | + +## How to choose the right tool + +No tool is universally "best." Your choice depends on what you're actually trying to do: + +### Cloud strategy + +**Multi-cloud or cloud-agnostic requirements**: Tools like Pulumi Neo, Firefly, and env0 support multiple cloud providers. Avoid AWS-only tools like Application Composer if multi-cloud is a requirement. + +**Single cloud commitment**: If you're committed to one provider, hyperscaler-native tools may offer deeper integration. AWS SageMaker for AI workloads or AWS-native governance tools can simplify operations. + +### Team expertise + +**Strong programming background**: Teams comfortable with TypeScript, Python, or Go may prefer tools that leverage these skills, like Pulumi Neo or writing custom policies in familiar languages. + +**Kubernetes expertise**: Teams with deep Kubernetes knowledge may find Crossplane's approach natural. Without that background, the learning curve can be steep. + +**Prefer visual or low-code approaches**: AWS Application Composer or env0's visual workflows may better suit teams who prefer graphical interfaces. + +### Security and compliance requirements + +**Regulated industries**: Pulumi Neo's pre-built compliance frameworks (HITRUST, PCI DSS, NIST) provide significant value for healthcare, financial services, and government organizations. + +**Policy enforcement priority**: If preventing non-compliant deployments is critical, look for tools with preventative policy enforcement, not just detection. + +**Audit requirements**: Consider tools that provide comprehensive audit trails and can demonstrate compliance controls to auditors. + +### Existing infrastructure + +**Greenfield projects**: Any tool can work well for new infrastructure. Consider long-term strategic fit. + +**Brownfield environments**: Pulumi Neo's ability to work with Terraform, CloudFormation, and manually created resources makes it suitable for organizations with existing infrastructure investments. + +**Mixed IaC tools**: Platforms like env0 that support multiple IaC frameworks may suit organizations with diverse tooling. + +### Budget considerations + +**Open source preference**: MLflow for MLOps, Crossplane for Kubernetes-native infrastructure management, and self-hosted options provide cost-effective starting points. + +**Enterprise requirements**: Commercial offerings like Pulumi Cloud, env0, or Spacelift provide support, SLAs, and advanced features that may justify costs for production workloads. + +### Implementation approach + +**Start with visibility**: Before adopting any AI infrastructure tool, ensure you have visibility into your current infrastructure state. Tools that offer discovery and assessment capabilities help you understand what you're working with before making changes. + +**Pilot with low-risk workloads**: When evaluating agentic AI tools, start with development or staging environments where the cost of mistakes is low. This lets your team build familiarity and confidence before expanding to production. + +**Define success metrics**: Establish clear metrics for evaluating AI infrastructure tools. Common metrics include time-to-provision for new resources, policy violation rates, mean time to remediation for compliance issues, and developer satisfaction with infrastructure workflows. + +**Plan for integration**: Consider how new tools will integrate with your existing CI/CD pipelines, monitoring systems, and communication tools. The best AI infrastructure tool is one your team will actually use, which often means meeting developers where they already work. + +## Key trends and future outlook + +Here's where the market is heading: + +### From copilots to agents + +The shift from "AI suggests code" to "AI executes changes" is already happening. It's not just a feature upgrade — it changes how governance works. When AI can act, you need clear boundaries for what it's allowed to do. + +Practically, this means different workflows. Code generation tools need a human to review and run every suggestion. Agentic tools handle routine tasks on their own, so engineers can focus on harder problems. The teams getting real value have figured out which tasks to delegate to AI and which still need human judgment. + +### Progressive autonomy + +Enterprise adoption of agentic AI follows a trust-building pattern. Organizations start with human-in-the-loop approval for all AI-generated changes, then progressively expand autonomy as confidence builds. Tools that support this graduated approach will see stronger enterprise adoption. + +This pattern mirrors how organizations have historically adopted automation: starting with visibility, moving to recommendations, then to automated execution with approval, and finally to fully autonomous operation for well-understood scenarios. The key difference with AI is the breadth of tasks that can move through this progression, as AI can handle novel situations that would require explicit programming in traditional automation. + +### Policy as the control plane + +As AI takes on more infrastructure tasks, policy frameworks become the primary mechanism for maintaining governance. The most effective AI infrastructure tools integrate deeply with policy engines, treating governance as an enabler rather than a constraint. + +This represents a philosophical shift in how organizations think about governance. Rather than slowing down deployments with manual review processes, policies become guardrails that enable faster automation. When AI understands and respects policies automatically, organizations can safely expand the scope of automated operations without compromising security or compliance. + +### MCP standardization + +The Model Context Protocol (MCP) is emerging as a standard for AI tool integration, enabling AI assistants to interact with infrastructure tools through consistent interfaces. This standardization may accelerate the integration of AI capabilities across the infrastructure toolchain. + +For infrastructure teams, MCP means that AI assistants in development environments can directly interact with infrastructure management tools, cloud provider APIs, and governance systems. This creates opportunities for more seamless workflows where developers can manage infrastructure without leaving their IDE, with AI handling the translation between natural language intent and infrastructure operations. + +### Consolidation and platform convergence + +The AI infrastructure market is experiencing rapid consolidation, as evidenced by acquisitions like CoreWeave's purchase of Weights & Biases and NVIDIA's acquisition of Run:ai. This suggests the market is moving toward integrated platforms that span the AI infrastructure stack, from compute through MLOps to governance. + +For organizations evaluating tools today, this trend suggests prioritizing platforms with clear strategic direction and strong ecosystem integration over point solutions that may become acquisition targets or face competitive pressure from larger platforms. + +## Frequently asked questions + +### What is the best AI agent for cloud infrastructure management? + +For organizations seeking true agentic AI capabilities with enterprise governance, Pulumi Neo currently offers the most complete solution. It provides full execution capabilities (not just code generation), deep policy integration, and works with existing infrastructure regardless of how it was provisioned. For teams who prefer Kubernetes-native patterns, Crossplane with Upbound's emerging AI capabilities is worth evaluating. + +### How can I use generative AI to manage cloud infrastructure? + +Start by identifying repetitive infrastructure tasks that consume significant time. Common high-value use cases include: + +**Code generation**: AI tools can help with generating infrastructure code from natural language descriptions. This accelerates development but requires careful review, as generic AI assistants may not understand your organizational standards or cloud provider constraints. + +**Documentation and explanation**: AI excels at explaining complex configurations, documenting existing infrastructure, and helping team members understand unfamiliar systems. This can significantly reduce onboarding time for new team members. + +**Troubleshooting**: When deployments fail, AI can analyze error messages, logs, and configuration to suggest likely causes and solutions. This is particularly valuable for complex issues spanning multiple services. + +**Security and compliance**: AI can scan infrastructure configurations for security issues, policy violations, and compliance gaps. The most advanced tools not only detect issues but generate remediation code. + +**Full automation**: For more advanced automation, agentic platforms like Pulumi Neo can execute complete provisioning workflows while maintaining governance controls. This represents the most transformative use of AI in infrastructure management, but requires thoughtful adoption to maintain appropriate oversight. + +### What is agentic AI for infrastructure? + +Agentic AI for infrastructure refers to AI systems that can autonomously execute infrastructure management tasks, not just generate code suggestions. Unlike code assistants that require human execution of generated code, agentic AI platforms understand infrastructure context, respect organizational policies, and can perform multi-step workflows like provisioning resources, configuring networking, and applying security controls. The key distinction is action: agentic AI acts on your behalf within defined boundaries. + +### How do AI agents improve DevOps workflows? + +AI agents accelerate DevOps workflows by automating repetitive tasks, reducing context-switching, and catching issues earlier. Teams using AI infrastructure tools report significant improvements in provisioning speed, reduced policy violations through automated enforcement, and faster remediation of compliance issues. The time savings compound as AI handles routine work, freeing engineers for higher-value activities. + +### What is the difference between AI code generation and agentic execution? + +AI code generation tools suggest infrastructure code that humans review and execute manually. Agentic execution goes further: the AI understands your infrastructure context, generates appropriate code, and executes changes while respecting policies and governance requirements. Code generation is like having a knowledgeable colleague suggest approaches; agentic execution is like having that colleague also implement the changes with appropriate oversight. + +### Can AI generate Terraform or Pulumi scripts? + +Yes. Most AI coding assistants (GitHub Copilot, Claude, ChatGPT) can generate Terraform HCL, Pulumi programs in various languages, CloudFormation templates, and other IaC formats. However, the quality varies significantly. Generic AI assistants lack infrastructure context and may generate syntactically correct but operationally problematic code. Infrastructure-specific tools like Pulumi Neo generate code with awareness of your existing resources, organizational policies, and cloud provider constraints. + +### Can AI help with infrastructure compliance and policy automation? + +Yes, and this is one of the most valuable applications of AI in infrastructure management. Tools like Pulumi Neo can automatically detect policy violations across your infrastructure (including resources created outside your IaC workflows), generate compliant remediation code, and execute fixes with appropriate approvals. Pre-built compliance frameworks for standards like CIS, HITRUST, NIST, and PCI DSS accelerate compliance programs that would otherwise require significant manual effort. + +### Are AI infrastructure tools secure for enterprise use? + +Enterprise-grade AI infrastructure tools incorporate several security measures: role-based access controls, audit logging of all AI actions, policy enforcement that prevents non-compliant changes, and human-in-the-loop approval workflows for sensitive operations. The key is choosing tools designed for enterprise use rather than adapting consumer AI assistants. Look for SOC 2 compliance, data residency options, and configurable autonomy levels that let you maintain appropriate oversight. + +### How do I choose between different AI infrastructure tools? + +Consider your specific context: existing cloud providers and IaC tools, team expertise, compliance requirements, and budget. For enterprise platform teams with governance requirements, Pulumi Neo offers the most complete agentic capabilities. For teams focused on MLOps, consider dedicated platforms like Weights & Biases or MLflow. For general code assistance, GitHub Copilot provides broad coverage. Many organizations use multiple tools: a code assistant for day-to-day development plus an agentic platform for production infrastructure management. + +### What are the best tools for machine learning infrastructure? + +For GPU compute, CoreWeave leads for large-scale training while Modal excels for developer experience and variable workloads. For experiment tracking and model management, Weights & Biases is the industry standard, with MLflow as the leading open source alternative. For managing the cloud infrastructure that hosts ML workloads, the same infrastructure management tools apply: Pulumi Neo can provision and govern ML infrastructure with the same capabilities it brings to other cloud resources. + +## Conclusion + +Two categories, two different problems. Tools for running AI workloads (CoreWeave, Lambda Labs, Modal, hyperscaler platforms) solve the compute challenge. Tools that use AI to manage infrastructure (Neo, Firefly, env0, etc.) solve the complexity challenge. + +For GPU workloads, your choice depends on scale. CoreWeave and Lambda Labs for dedicated GPU infrastructure, Modal if you want serverless simplicity, hyperscaler platforms if you're already committed to one cloud. + +For infrastructure management, the real question is how much you want AI to do. Code assistants like Copilot help you write infrastructure code faster, but you're still running it. Platforms like Pulumi Neo actually execute changes, handle compliance, and manage multi-step workflows - with guardrails you control. + +The teams getting the most value treat AI as a force multiplier, not a replacement. AI handles routine provisioning and policy enforcement. Engineers focus on architecture and solving problems that require judgment. + +Want to see what agentic infrastructure management looks like? [Check out Pulumi Neo](/product/neo/). diff --git a/content/blog/infrastructure-as-code-tools/meta.png b/content/resources/infrastructure-unification/ai-infrastructure-tools/meta.png similarity index 100% rename from content/blog/infrastructure-as-code-tools/meta.png rename to content/resources/infrastructure-unification/ai-infrastructure-tools/meta.png diff --git a/content/blog/infrastructure-as-code-tools/index.md b/content/resources/infrastructure-unification/infrastructure-as-code-tools/index.md similarity index 98% rename from content/blog/infrastructure-as-code-tools/index.md rename to content/resources/infrastructure-unification/infrastructure-as-code-tools/index.md index 02a2d8be9def..97392151a80b 100644 --- a/content/blog/infrastructure-as-code-tools/index.md +++ b/content/resources/infrastructure-unification/infrastructure-as-code-tools/index.md @@ -15,6 +15,27 @@ tags: - gcp - kubernetes - devops +aliases: + - /blog/infrastructure-as-code-tools/ +solution_areas: + - infrastructure-unification +content_type: ecosystem-overview +capabilities: + - multi-cloud + - kubernetes +funnel_stage: problem-aware +target_personas: + - platform-engineer + - devops-engineer + - engineering-leader +featured: true +featured_weight: 1 +last_reviewed: 2026-03-05 +faq: + - question: "What are the best infrastructure as code tools?" + answer: "The most effective IaC tools include Pulumi, Terraform, AWS CDK, OpenTofu, Azure Bicep, Google Cloud Deployment Manager, Crossplane, and AWS CloudFormation. Pulumi stands out for supporting general-purpose programming languages like TypeScript, Python, Go, C#, Java, and YAML." + - question: "What is the difference between Pulumi and Terraform?" + answer: "Pulumi uses general-purpose programming languages (TypeScript, Python, Go, C#, Java) while Terraform uses HCL, a domain-specific language. This gives Pulumi advantages in testing, abstraction, IDE support, and code reuse. Both tools support multi-cloud provisioning across AWS, Azure, GCP, and Kubernetes." --- Infrastructure as Code (IaC) has evolved beyond simple automation into a fundamental shift toward applying software engineering practices to infrastructure management. In 2025, leading organizations aren't just provisioning infrastructure—they're treating it as software, complete with testing, version control, code reviews, and continuous integration. diff --git a/content/resources/infrastructure-unification/infrastructure-as-code-tools/meta.png b/content/resources/infrastructure-unification/infrastructure-as-code-tools/meta.png new file mode 100644 index 000000000000..f943fadbed89 Binary files /dev/null and b/content/resources/infrastructure-unification/infrastructure-as-code-tools/meta.png differ diff --git a/content/resources/security-compliance/_index.md b/content/resources/security-compliance/_index.md new file mode 100644 index 000000000000..966789e3325b --- /dev/null +++ b/content/resources/security-compliance/_index.md @@ -0,0 +1,62 @@ +--- +title: "Security & Compliance" +meta_desc: "Guides, comparisons, and evaluations for infrastructure security, policy as code, secrets management, and compliance automation with Pulumi." +meta_image: /images/docs/meta-images/docs-meta.png +type: resources +tagline: "Enforce security policies and meet compliance requirements without slowing engineering" +last_reviewed: 2026-03-11 +related_capabilities: + - policy-as-code + - secrets-management + - drift-detection + - compliance +related_areas: + - infrastructure-unification + - ai-ready-infrastructure +cta: + text: "Explore Pulumi ESC" + url: "/product/esc/" +faq: + - question: "How does policy as code work for infrastructure?" + answer: "Policy as code lets teams define security, compliance, and cost rules as code that runs automatically during infrastructure deployments. Instead of relying on manual reviews or post-deployment audits, policies are evaluated before resources are created or modified. Pulumi CrossGuard supports writing policies in Python, TypeScript, Go, or OPA Rego, enforcing them across all deployments." + - question: "What is infrastructure drift and how do you detect it?" + answer: "Infrastructure drift occurs when the actual state of deployed resources diverges from what is defined in code, often due to manual changes, emergency fixes, or out-of-band modifications. Drift detection tools compare the desired state in your IaC definitions against the live state in your cloud provider, flagging discrepancies that could introduce security vulnerabilities or compliance violations." + - question: "How does Pulumi help with secrets management?" + answer: "Pulumi ESC (Environments, Secrets, and Configuration) provides centralized secrets management with dynamic credential generation, composable environments, and automatic rotation. It integrates with existing secrets stores like AWS Secrets Manager, HashiCorp Vault, and Azure Key Vault, giving teams a single interface for managing secrets across all environments and applications." + - question: "Can Pulumi help with SOC 2 and other compliance frameworks?" + answer: "Yes. Pulumi's combination of policy as code (CrossGuard), audit logging, secrets management (ESC), and drift detection provides the infrastructure automation foundation for meeting SOC 2, HIPAA, ISO 27001, and FedRAMP requirements. Policies can encode specific compliance rules and enforce them automatically on every deployment." +--- + +Infrastructure security and compliance is about enforcing security policies, detecting configuration drift, meeting audit requirements, and ensuring infrastructure changes don't introduce vulnerabilities, all without slowing down engineering velocity. For organizations operating under SOC 2, HIPAA, or other compliance frameworks, automating these controls is not optional. + +## The challenge: security at the speed of deployment + +Security and compliance teams face a fundamental tension. Engineering teams need to move fast: deploying multiple times per day, spinning up new environments, and iterating on infrastructure alongside application code. But every change is a potential security risk, and every resource must meet organizational and regulatory standards. + +Manual security reviews can't keep pace with modern deployment velocity. When policy checks happen after deployment, violations are expensive to remediate. When checks happen before deployment through manual approval gates, they become the bottleneck that teams work around rather than through. + +The challenge compounds with scale. As organizations grow to thousands of cloud resources across multiple accounts and providers, maintaining visibility into what's deployed, who changed it, and whether it complies with policy becomes increasingly difficult. Configuration drift from manual hotfixes and emergency changes creates gaps between what's defined in code and what's actually running. + +This is Pulumi's biggest content gap despite Security & Compliance being a major driver of platform adoption. Organizations evaluating infrastructure platforms consistently cite policy enforcement, secrets management, and compliance automation as critical requirements. + +## How Pulumi addresses security and compliance + +Pulumi provides an integrated approach to infrastructure security, combining policy as code, secrets management, drift detection, and audit capabilities into the same platform used for infrastructure deployment. + +**Policy as code with CrossGuard.** [Pulumi CrossGuard](/docs/iac/packages/crossguard/) lets teams write security and compliance rules in Python, TypeScript, Go, or OPA Rego. Policies run automatically during `pulumi preview` and `pulumi up`, catching violations before resources are created. Rules can enforce anything from "S3 buckets must have encryption enabled" to "no public endpoints without WAF" to cost guardrails on instance sizes. + +**Centralized secrets with Pulumi ESC.** [Pulumi ESC](/product/esc/) (Environments, Secrets, and Configuration) provides dynamic credential generation, composable environments, and automatic rotation. Rather than scattering secrets across multiple vault systems, ESC gives teams a single interface that integrates with AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, 1Password, and more. Dynamic credentials are generated on demand and automatically expire, eliminating long-lived secrets. + +**AI-powered security operations.** Pulumi Neo can analyze infrastructure configurations for security issues, suggest policy improvements, and help enforce compliance standards. Because Pulumi uses general-purpose programming languages that AI agents understand natively, security automation can participate in the same AI-assisted workflows as application development. + +**Audit logging and visibility.** Every infrastructure change flows through Pulumi Cloud with full audit trails: who made the change, what changed, when, and whether it passed policy checks. [Pulumi Insights](/product/pulumi-insights/) provides search and visibility across all cloud resources, making it possible to answer questions like "which resources are publicly accessible?" or "which deployments occurred outside business hours?" + +For a comprehensive look at secrets management solutions, see our [Secrets Management Tools Guide](/resources/security-compliance/secrets-management-tools-guide/). + +## Key capabilities + +**Policy as code.** Define and enforce security rules that run automatically on every deployment. Write policies in the same languages your team already knows, and apply them consistently across all cloud providers and environments. + +**Secrets management.** Centralize secrets, generate dynamic credentials, compose environments from reusable configurations, and rotate credentials automatically. Pulumi ESC eliminates secrets sprawl while integrating with your existing vault infrastructure. + +**Compliance automation.** Encode compliance framework requirements as automated policies. SOC 2 controls, HIPAA safeguards, and FedRAMP requirements become enforceable rules that run on every deployment, reducing audit preparation from weeks to hours. Customers like Spear AI have achieved 6x faster Authorization to Operate using Pulumi's compliance capabilities. diff --git a/content/blog/secrets-management-tools-guide/index.md b/content/resources/security-compliance/secrets-management-tools-guide/index.md similarity index 97% rename from content/blog/secrets-management-tools-guide/index.md rename to content/resources/security-compliance/secrets-management-tools-guide/index.md index 589db09f4e2a..c30fd607765b 100644 --- a/content/blog/secrets-management-tools-guide/index.md +++ b/content/resources/security-compliance/secrets-management-tools-guide/index.md @@ -1,5 +1,5 @@ --- -title: "Secrets Management Tools: The Complete 2025 Guide" +title: "Secrets Management Tools: The Complete 2026 Guide" date: 2025-07-24 draft: false meta_desc: "Compare secrets management tools and find the best solution for your infrastructure with expert analysis and recommendations." @@ -13,6 +13,26 @@ tags: - devops - configuration-as-code - pulumi-esc +aliases: + - /blog/secrets-management-tools-guide/ +solution_areas: + - security-compliance +content_type: ecosystem-overview +capabilities: + - secrets-management +funnel_stage: problem-aware +target_personas: + - security-compliance-lead + - devops-engineer + - platform-engineer +featured: true +featured_weight: 2 +last_reviewed: 2026-03-05 +faq: + - question: "What are the best secrets management tools?" + answer: "The leading secrets management tools include Pulumi ESC, HashiCorp Vault, Doppler, Infisical, CyberArk Conjur, and cloud-native options like AWS Secrets Manager, Azure Key Vault, and Google Secret Manager. The best choice depends on your infrastructure complexity and whether you need secrets orchestration or just secure storage." + - question: "What is secrets orchestration?" + answer: "Secrets orchestration goes beyond storing secrets securely. It manages the flow of secrets across your entire infrastructure, dynamically composing configurations from multiple sources, enforcing access policies, and ensuring the right secrets reach the right services at the right time." --- Every modern application depends on secrets to function: database passwords, API keys, certificates, and configuration values that enable secure communication between services. But here's the challenge: as your infrastructure grows, managing these secrets becomes exponentially more complex. diff --git a/content/blog/secrets-management-tools-guide/meta.png b/content/resources/security-compliance/secrets-management-tools-guide/meta.png similarity index 100% rename from content/blog/secrets-management-tools-guide/meta.png rename to content/resources/security-compliance/secrets-management-tools-guide/meta.png diff --git a/content/resources/topics/_index.md b/content/resources/topics/_index.md new file mode 100644 index 000000000000..ef3a399d8fc9 --- /dev/null +++ b/content/resources/topics/_index.md @@ -0,0 +1,7 @@ +--- +title: Topics +meta_desc: "Browse resource library content by topic: secrets management, multi-cloud, Kubernetes, policy as code, AI and automation, and more." +type: resources +--- + +Topics group guides by capability so you can find content across solution areas. Topic pages are added as we publish more guides in each area. diff --git a/data/resources/labels.yaml b/data/resources/labels.yaml new file mode 100644 index 000000000000..9f7172ab8a4e --- /dev/null +++ b/data/resources/labels.yaml @@ -0,0 +1,30 @@ +solution_areas: + infrastructure-unification: "Infrastructure Unification" + security-compliance: "Security & Compliance" + ai-ready-infrastructure: "AI-Ready Infrastructure" + +capabilities: + ai-and-automation: "AI and Automation" + policy-as-code: "Policy as Code" + secrets-management: "Secrets Management" + multi-cloud: "Multi-Cloud" + kubernetes: "Kubernetes" + internal-developer-platforms: "Internal Developer Platforms" + drift-detection: "Drift Detection" + compliance: "Compliance" + +# User-facing topic names (capability slugs → display labels for topic pages and badges) +topics: + ai-and-automation: "AI and Automation" + policy-as-code: "Policy as Code" + secrets-management: "Secrets Management" + multi-cloud: "Multi-Cloud" + kubernetes: "Kubernetes" + internal-developer-platforms: "Internal Developer Platforms" + drift-detection: "Drift Detection" + compliance: "Compliance" + +content_types: + ecosystem-overview: "Ecosystem Overview" + comparison-guide: "Comparison Guide" + solution-guide: "Solution Guide" diff --git a/layouts/index.txtfull.txt b/layouts/index.txtfull.txt index a3d2eda28b35..749ddcf0730a 100644 --- a/layouts/index.txtfull.txt +++ b/layouts/index.txtfull.txt @@ -96,7 +96,27 @@ This file provides a curated guide to Pulumi's documentation, organized by produ {{- end }} {{- end }} -## Resources +## Resource Library +{{ $resourceSections := where (where $.Site.Pages "Section" "resources") "Kind" "section" }} +{{- range $resourceSections }} + {{- if ne .Title "Resource Library" }} + {{- $categorySlug := index (split (strings.TrimSuffix "/" .RelPermalink) "/") (sub (len (split (strings.TrimSuffix "/" .RelPermalink) "/")) 1) }} + {{- $allResources := where (where $.Site.Pages "Type" "resources") "Kind" "page" }} + {{- $articles := where $allResources ".Params.solution_areas" "intersect" (slice $categorySlug) }} + {{- if $articles }} + +### {{ .Title }} +- [{{ .Title }}]({{ .Permalink }}): {{ .Params.meta_desc | default .Title | plainify }} + {{- range $articles }} + {{- if and (not .Params.llms_exclude) (ne .Title "") }} + - [{{ .Title }}]({{ .Permalink }}): {{ .Params.meta_desc | default .Title | plainify }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} + +## Blog & Media ### Recent Blog Posts {{- $blogPages := where $.Site.Pages "Section" "blog" }} diff --git a/layouts/partials/resources/category-card.html b/layouts/partials/resources/category-card.html new file mode 100644 index 000000000000..f95bc5c6c17b --- /dev/null +++ b/layouts/partials/resources/category-card.html @@ -0,0 +1,25 @@ +{{ $page := .Page }} +{{ $labels := .Labels }} + +{{/* Count articles in this category */}} +{{ $parts := split (strings.TrimSuffix "/" $page.RelPermalink) "/" }} +{{ $categorySlug := index $parts (sub (len $parts) 1) }} +{{ $allResources := where (where $.Page.Site.Pages "Type" "resources") "Kind" "page" }} +{{ $articles := where $allResources ".Params.solution_areas" "intersect" (slice $categorySlug) }} +{{ $count := len $articles }} + + +
+

+ {{ $page.Title }} +

+ {{ if $count }} + + {{ $count }} {{ if eq $count 1 }}guide{{ else }}guides{{ end }} + + {{ end }} +
+ {{ with $page.Params.tagline }} +

{{ . }}

+ {{ end }} + diff --git a/layouts/partials/resources/category-page.html b/layouts/partials/resources/category-page.html new file mode 100644 index 000000000000..a1da10a8561d --- /dev/null +++ b/layouts/partials/resources/category-page.html @@ -0,0 +1,128 @@ +{{ $labels := $.Site.Data.resources.labels }} + +{{/* Extract the category slug from the URL path */}} +{{ $parts := split (strings.TrimSuffix "/" .RelPermalink) "/" }} +{{ $categorySlug := index $parts (sub (len $parts) 1) }} + +{{/* Query articles by frontmatter solution_areas (not just directory children) */}} +{{ $allResources := where (where $.Site.Pages "Type" "resources") "Kind" "page" }} +{{ $articles := where $allResources ".Params.solution_areas" "intersect" (slice $categorySlug) }} + +
+
+ + {{/* Breadcrumb */}} + + + {{/* Header */}} +
+

{{ .Title }}

+ {{ with .Params.tagline }} +

{{ . }}

+ {{ end }} +
+ + {{/* Pillar content */}} + {{ with .Content }} +
+ {{ . }} +
+ {{ end }} + + {{/* Article grid */}} + {{ if $articles }} +
+

Guides in this area

+
+ {{ range sort $articles ".Params.featured_weight" "desc" }} + {{ partial "resources/resource-card.html" (dict "Page" . "Labels" $labels "HideParentArea" $categorySlug) }} + {{ end }} +
+
+ {{ end }} + + {{/* FAQ */}} + {{ with .Params.faq }} +
+

Frequently asked questions

+ {{ range . }} + {{ if and .question .answer }} +
+

{{ .question }}

+

{{ .answer | markdownify }}

+
+ {{ end }} + {{ end }} +
+ {{ end }} + + {{/* Explore more */}} +
+

Explore more

+
+ {{/* Related capabilities */}} + {{ with .Params.related_capabilities }} +
+

Related topics

+
+ {{ range . }} + {{ $topicLabel := index $labels.topics . | default (index $labels.capabilities .) | default (replace . "-" " " | title) }} + {{ $topicPage := $.Site.GetPage (printf "/resources/topics/%s" .) }} + {{ if $topicPage }} + + {{ $topicLabel }} + + {{ else }} + + {{ $topicLabel }} + + {{ end }} + {{ end }} +
+
+ {{ end }} + + {{/* Related solution areas */}} + {{ with $.Params.related_areas }} +
+

Other solution areas

+
+ {{ range . }} + {{ $areaLabel := index $labels.solution_areas . | default (replace . "-" " " | title) }} + {{ $areaPage := $.Site.GetPage (printf "/resources/%s" .) }} + {{ if $areaPage }} + + {{ $areaLabel }} + + {{ else }} + {{ $areaLabel }} + {{ end }} + {{ end }} +
+
+ {{ end }} +
+
+ + {{/* CTA */}} + {{ with .Params.cta }} +
+

Ready to get started?

+

See how Pulumi can help your team.

+ + {{ .text }} + +
+ {{ end }} +
+
diff --git a/layouts/partials/resources/hub-page.html b/layouts/partials/resources/hub-page.html new file mode 100644 index 000000000000..a5da26cb990a --- /dev/null +++ b/layouts/partials/resources/hub-page.html @@ -0,0 +1,77 @@ +{{ $labels := $.Site.Data.resources.labels }} +{{ $allResources := where (where $.Site.Pages "Type" "resources") "Kind" "page" }} + +
+
+ {{ with .Content }} +
+ {{ . }} +
+ {{ end }} + + {{/* Browse by Solution Area */}} + {{ $activeSections := slice }} + {{ range .Sections }} + {{ $childPages := where .Pages "Kind" "page" }} + {{ if $childPages }} + {{ $activeSections = $activeSections | append . }} + {{ end }} + {{ end }} + + {{ if $activeSections }} +
+

Browse by solution area

+
+ {{ range $activeSections }} + {{ partial "resources/category-card.html" (dict "Page" . "Labels" $labels) }} + {{ end }} +
+
+ {{ end }} + + {{/* Browse by Topic (collect topic subsections that exist) */}} + {{ $topicPages := slice }} + {{ range .Sections }} + {{ if and .File (eq .File.ContentBaseName "topics") }} + {{ range .Sections }} + {{ $topicPages = $topicPages | append . }} + {{ end }} + {{ end }} + {{ end }} + {{ if $topicPages }} +
+

Browse by topic

+
+ {{ range $topicPages }} + {{ partial "resources/topic-card.html" (dict "Page" . "Labels" $labels) }} + {{ end }} +
+
+ {{ end }} + + {{/* Featured Articles */}} + {{ $featured := where $allResources ".Params.featured" true }} + {{ if $featured }} +
+

Featured guides

+
+ {{ range sort $featured ".Params.featured_weight" "desc" }} + {{ partial "resources/resource-card.html" (dict "Page" . "Labels" $labels) }} + {{ end }} +
+
+ {{ end }} + + {{/* All Articles */}} + {{ if $allResources }} +
+

All guides

+
+ {{ range sort $allResources ".Date" "desc" }} + {{ partial "resources/resource-card.html" (dict "Page" . "Labels" $labels) }} + {{ end }} +
+
+ {{ end }} +
+
diff --git a/layouts/partials/resources/resource-card.html b/layouts/partials/resources/resource-card.html new file mode 100644 index 000000000000..fe42ced8652b --- /dev/null +++ b/layouts/partials/resources/resource-card.html @@ -0,0 +1,71 @@ +{{ $page := . }} +{{ $labels := dict }} +{{ $hideParentArea := "" }} + +{{/* Support both direct page context and dict context with Labels/HideParentArea */}} +{{ if reflect.IsMap . }} + {{ $page = .Page }} + {{ with .Labels }} + {{ $labels = . }} + {{ end }} + {{ with .HideParentArea }} + {{ $hideParentArea = . }} + {{ end }} +{{ end }} + +{{/* Fall back to site data if no labels passed */}} +{{ if not $labels.solution_areas }} + {{ $labels = $page.Site.Data.resources.labels }} +{{ end }} + +
+ {{ with $page.Params.content_type }} + {{ $badgeColor := "bg-violet-100 text-violet-700" }} + {{ if eq . "comparison-guide" }} + {{ $badgeColor = "bg-blue-100 text-blue-700" }} + {{ else if eq . "solution-guide" }} + {{ $badgeColor = "bg-green-100 text-green-700" }} + {{ end }} + + {{ index $labels.content_types . | default (replace . "-" " " | title) }} + + {{ end }} + +

+ {{ $page.Title }} +

+

+ {{ $page.Params.meta_desc }} +

+ +
+ {{ range $page.Params.solution_areas }} + {{ if ne . $hideParentArea }} + {{ $areaLabel := index $labels.solution_areas . | default (replace . "-" " " | title) }} + {{ $areaPage := $page.Site.GetPage (printf "/resources/%s" .) }} + {{ if $areaPage }} + + {{ $areaLabel }} + + {{ else }} + + {{ $areaLabel }} + + {{ end }} + {{ end }} + {{ end }} + {{ range $page.Params.capabilities }} + {{ $capLabel := index $labels.topics . | default (index $labels.capabilities .) | default (replace . "-" " " | title) }} + {{ $topicPage := $page.Site.GetPage (printf "/resources/topics/%s" .) }} + {{ if $topicPage }} + + {{ $capLabel }} + + {{ else }} + + {{ $capLabel }} + + {{ end }} + {{ end }} +
+
diff --git a/layouts/partials/resources/topic-card.html b/layouts/partials/resources/topic-card.html new file mode 100644 index 000000000000..5378ef536929 --- /dev/null +++ b/layouts/partials/resources/topic-card.html @@ -0,0 +1,24 @@ +{{ $page := .Page }} +{{ $labels := .Labels }} + +{{/* Count articles tagged with this topic (capability) */}} +{{ $topicSlug := $page.File.ContentBaseName }} +{{ $allResources := where (where $page.Site.Pages "Type" "resources") "Kind" "page" }} +{{ $articles := where $allResources ".Params.capabilities" "intersect" (slice $topicSlug) }} +{{ $count := len $articles }} + + +
+

+ {{ $page.Title }} +

+ {{ if $count }} + + {{ $count }} {{ if eq $count 1 }}guide{{ else }}guides{{ end }} + + {{ end }} +
+ {{ with $page.Params.tagline }} +

{{ . }}

+ {{ end }} + diff --git a/layouts/partials/resources/topic-page.html b/layouts/partials/resources/topic-page.html new file mode 100644 index 000000000000..58a1e6572118 --- /dev/null +++ b/layouts/partials/resources/topic-page.html @@ -0,0 +1,122 @@ +{{ $labels := $.Site.Data.resources.labels }} + +{{/* Topic slug from the page (e.g. secrets-management) */}} +{{ $topicSlug := .File.ContentBaseName }} + +{{/* Query articles by frontmatter capabilities */}} +{{ $allResources := where (where $.Site.Pages "Type" "resources") "Kind" "page" }} +{{ $articles := where $allResources ".Params.capabilities" "intersect" (slice $topicSlug) }} + +
+
+ + {{/* Breadcrumb */}} + + + {{/* Header */}} +
+

{{ .Title }}

+ {{ with .Params.tagline }} +

{{ . }}

+ {{ end }} +
+ + {{/* Cluster content */}} + {{ with .Content }} +
+ {{ . }} +
+ {{ end }} + + {{/* Article grid */}} + {{ if $articles }} +
+

Guides in this topic

+
+ {{ range sort $articles ".Params.featured_weight" "desc" }} + {{ partial "resources/resource-card.html" (dict "Page" . "Labels" $labels) }} + {{ end }} +
+
+ {{ end }} + + {{/* Part of (solution areas these articles belong to) */}} + {{ $areaSlugs := slice }} + {{ range $articles }} + {{ range .Params.solution_areas }} + {{ $areaSlugs = $areaSlugs | append . }} + {{ end }} + {{ end }} + {{ $areaSlugs = $areaSlugs | sort | uniq }} + {{ if $areaSlugs }} +
+

Part of

+
+ {{ range $areaSlugs }} + {{ $areaLabel := index $labels.solution_areas . | default (replace . "-" " " | title) }} + {{ $areaPage := $.Site.GetPage (printf "/resources/%s" .) }} + {{ if $areaPage }} + + {{ $areaLabel }} + + {{ else }} + + {{ $areaLabel }} + + {{ end }} + {{ end }} +
+
+ {{ end }} + + {{/* FAQ */}} + {{ with .Params.faq }} +
+

Frequently asked questions

+ {{ range . }} + {{ if and .question .answer }} +
+

{{ .question }}

+

{{ .answer | markdownify }}

+
+ {{ end }} + {{ end }} +
+ {{ end }} + + {{/* CTA */}} + {{ with .Params.cta }} +
+

Ready to get started?

+

See how Pulumi can help your team.

+ + {{ .text }} + +
+ {{ else }} +
+

Ready to get started?

+

Sign up for Pulumi Cloud and start building.

+ + Create free account + +
+ {{ end }} +
+
diff --git a/layouts/partials/schema/collectors/breadcrumb-entity.html b/layouts/partials/schema/collectors/breadcrumb-entity.html index f6d8996e5e24..df78424c1054 100644 --- a/layouts/partials/schema/collectors/breadcrumb-entity.html +++ b/layouts/partials/schema/collectors/breadcrumb-entity.html @@ -129,6 +129,26 @@ {{/* End of IaC Clouds section additional nesting */}} {{ end }} +{{ else if eq .Type "resources" }} + {{ $position = add $position 1 }} + {{ $breadcrumbs = $breadcrumbs | append (dict + "@type" "ListItem" + "position" $position + "name" "Resource Library" + "item" "https://www.pulumi.com/resources/" + ) }} + + {{/* Add category level for articles nested in a solution area */}} + {{ if and .Parent (not .Parent.IsHome) }} + {{ $position = add $position 1 }} + {{ $breadcrumbs = $breadcrumbs | append (dict + "@type" "ListItem" + "position" $position + "name" .Parent.Title + "item" .Parent.Permalink + ) }} + {{ end }} + {{ else if eq .Section "product" }} {{ $position = add $position 1 }} {{ $breadcrumbs = $breadcrumbs | append (dict diff --git a/layouts/partials/schema/collectors/main-entity.html b/layouts/partials/schema/collectors/main-entity.html index 3e26ebdf5869..477bebb586ef 100644 --- a/layouts/partials/schema/collectors/main-entity.html +++ b/layouts/partials/schema/collectors/main-entity.html @@ -65,6 +65,10 @@ {{/* Product pages get SoftwareApplication schema */}} {{ $entity = partial "schema/collectors/product-entity.html" . }} + {{ else if and (eq .Type "resources") .IsPage }} + {{/* Resource library article pages get Article schema */}} + {{ $entity = partial "schema/collectors/resource-entity.html" . }} + {{ else if eq .Section "case-studies" }} {{/* Case studies get Article schema */}} {{ $entity = partial "schema/collectors/article-entity.html" . }} diff --git a/layouts/partials/schema/collectors/resource-entity.html b/layouts/partials/schema/collectors/resource-entity.html new file mode 100644 index 000000000000..50062248689a --- /dev/null +++ b/layouts/partials/schema/collectors/resource-entity.html @@ -0,0 +1,143 @@ +{{/* Returns Article entity for resource library pages in @graph */}} + +{{/* Get content for analysis */}} +{{ $content := .Content | plainify }} +{{ $wordCount := $content | countwords }} +{{ if not $wordCount }} + {{ $wordCount = 500 }} +{{ end }} + +{{/* Build Article entity */}} +{{ $schema := dict + "@type" "Article" + "@id" "#main-content" + "headline" .Title + "url" .Permalink + "wordCount" $wordCount + "inLanguage" "en-US" +}} + +{{/* Add articleSection from content_type */}} +{{ with .Params.content_type }} + {{ $schema = merge $schema (dict "articleSection" (replace . "-" " " | title)) }} +{{ end }} + +{{/* Add dates - use last_reviewed for dateModified when available */}} +{{ $publishDate := .PublishDate }} +{{ $modifiedDate := .Lastmod }} + +{{ if or (not $publishDate) (eq ($publishDate.Format "2006-01-02") "0001-01-01") }} + {{ if and .GitInfo .GitInfo.AuthorDate }} + {{ $publishDate = .GitInfo.AuthorDate }} + {{ else }} + {{ $publishDate = now }} + {{ end }} +{{ end }} + +{{/* Prefer last_reviewed for dateModified (freshness signal for AEO) */}} +{{ with .Params.last_reviewed }} + {{ $modifiedDate = time . }} +{{ else }} + {{ if or (not $modifiedDate) (eq ($modifiedDate.Format "2006-01-02") "0001-01-01") }} + {{ if and $.GitInfo $.GitInfo.AuthorDate }} + {{ $modifiedDate = $.GitInfo.AuthorDate }} + {{ else }} + {{ $modifiedDate = $publishDate }} + {{ end }} + {{ end }} +{{ end }} + +{{ $schema = merge $schema (dict + "datePublished" ($publishDate.Format "2006-01-02T15:04:05Z07:00") + "dateModified" ($modifiedDate.Format "2006-01-02T15:04:05Z07:00") +) }} + +{{/* Add description */}} +{{ with (or .Params.meta_desc .Summary) }} + {{ $schema = merge $schema (dict "description" .) }} +{{ end }} + +{{/* Add image */}} +{{ $image := "" }} +{{ if .Params.meta_image }} + {{ $baseURL := .Permalink }} + {{ if not (strings.HasSuffix $baseURL "/") }} + {{ $baseURL = printf "%s/" $baseURL }} + {{ end }} + {{ $imagePath := .Params.meta_image }} + {{ if strings.HasPrefix $imagePath "/" }} + {{ $imagePath = strings.TrimPrefix "/" $imagePath }} + {{ end }} + {{ $image = printf "%s%s" $baseURL $imagePath }} +{{ else }} + {{ $image = "https://www.pulumi.com/images/docs/meta-images/docs-meta.png" }} +{{ end }} +{{ $schema = merge $schema (dict "image" $image) }} + +{{/* Add keywords from tags + capabilities */}} +{{ $keywords := slice }} +{{ with .Params.tags }} + {{ range . }} + {{ $keywords = $keywords | append . }} + {{ end }} +{{ end }} +{{ with .Params.capabilities }} + {{ range . }} + {{ $keywords = $keywords | append (replace . "-" " ") }} + {{ end }} +{{ end }} +{{ if $keywords }} + {{ $schema = merge $schema (dict "keywords" (delimit ($keywords | uniq) ", ")) }} +{{ end }} + +{{/* Add authors */}} +{{ $authors := slice }} +{{ with .Params.authors }} + {{ range . }} + {{ $authorData := index $.Site.Data.team.team . }} + {{ if $authorData }} + {{ $authorEntity := dict + "@type" "Person" + "@id" (printf "https://www.pulumi.com/authors/%s/#person" $authorData.id) + "name" $authorData.name + "url" (printf "https://www.pulumi.com/authors/%s/" $authorData.id) + "worksFor" (dict "@id" "https://www.pulumi.com/#organization") + }} + {{ $authors = $authors | append $authorEntity }} + {{ else }} + {{ $authorEntity := dict + "@type" "Person" + "@id" (printf "https://www.pulumi.com/authors/%s/#person" (. | urlize)) + "name" (replace . "-" " " | title) + "url" (printf "https://www.pulumi.com/authors/%s/" (. | urlize)) + "worksFor" (dict "@id" "https://www.pulumi.com/#organization") + }} + {{ $authors = $authors | append $authorEntity }} + {{ end }} + {{ end }} +{{ else }} + {{ $authors = $authors | append (dict + "@type" "Person" + "name" "Pulumi Team" + "worksFor" (dict "@id" "https://www.pulumi.com/#organization") + ) }} +{{ end }} +{{ if $authors }} + {{ $schema = merge $schema (dict "author" $authors) }} +{{ end }} + +{{/* Add publisher reference */}} +{{ $schema = merge $schema (dict + "publisher" (dict "@id" "https://www.pulumi.com/#organization") +) }} + +{{/* Add article body (truncated for schema) */}} +{{ $articleBody := $content | truncate 5000 }} +{{ $schema = merge $schema (dict "articleBody" $articleBody) }} + +{{/* Add mainEntityOfPage reference */}} +{{ $schema = merge $schema (dict + "mainEntityOfPage" (dict "@id" (printf "%s#webpage" .Permalink)) +) }} + +{{ return $schema }} diff --git a/layouts/partials/schema/graph-builder.html b/layouts/partials/schema/graph-builder.html index 2cbcd3731065..d7487d77b797 100644 --- a/layouts/partials/schema/graph-builder.html +++ b/layouts/partials/schema/graph-builder.html @@ -171,6 +171,63 @@ {{ $graph = $graph | append $software }} {{ end }} +{{/* Add CollectionPage schema for resource library category pages */}} +{{ if and (eq .Type "resources") (not .IsPage) (not .IsHome) .Parent (not .Parent.IsHome) }} + {{ $categorySlug := index (split (strings.TrimSuffix "/" .RelPermalink) "/") (sub (len (split (strings.TrimSuffix "/" .RelPermalink) "/")) 1) }} + {{ $allResources := where (where $.Site.Pages "Type" "resources") "Kind" "page" }} + {{ $articles := where $allResources ".Params.solution_areas" "intersect" (slice $categorySlug) }} + + {{ $collectionItems := slice }} + {{ range $articles }} + {{ $collectionItems = $collectionItems | append (dict + "@type" "ListItem" + "url" .Permalink + "name" .Title + ) }} + {{ end }} + + {{ $collectionSchema := dict + "@type" "CollectionPage" + "@id" "#collection" + "name" .Title + "url" .Permalink + "description" (or .Params.meta_desc .Title) + "publisher" (dict "@id" "https://www.pulumi.com/#organization") + }} + {{ if $collectionItems }} + {{ $collectionSchema = merge $collectionSchema (dict "hasPart" $collectionItems) }} + {{ end }} + {{ $graph = $graph | append $collectionSchema }} +{{ end }} + +{{/* Add FAQPage schema for resource library pages with frontmatter faq (articles AND category pages) */}} +{{ if and (eq .Type "resources") .Params.faq }} + {{ $faqQuestions := slice }} + {{ range .Params.faq }} + {{ if and .question .answer }} + {{ $qa := dict + "@type" "Question" + "name" .question + "acceptedAnswer" (dict + "@type" "Answer" + "text" .answer + ) + }} + {{ $faqQuestions = $faqQuestions | append $qa }} + {{ end }} + {{ end }} + {{ if $faqQuestions }} + {{ $faqSchema := dict + "@type" "FAQPage" + "mainEntity" $faqQuestions + "url" .Permalink + "name" (printf "%s - FAQ" .Title) + "publisher" (dict "@id" "https://www.pulumi.com/#organization") + }} + {{ $graph = $graph | append $faqSchema }} + {{ end }} +{{ end }} + {{/* Add video schema if page contains YouTube videos */}} {{ if not .IsHome }} {{ $videoEntity := partial "schema/collectors/video-entity.html" . }} diff --git a/layouts/resources/list.html b/layouts/resources/list.html new file mode 100644 index 000000000000..8371c228c25f --- /dev/null +++ b/layouts/resources/list.html @@ -0,0 +1,15 @@ +{{ define "hero" }} + {{ if and .Parent .Parent.IsHome }} + {{ partial "hero" (dict "title" .Params.title) }} + {{ end }} +{{ end }} + +{{ define "main" }} + {{ if and .Parent .Parent.IsHome }} + {{ partial "resources/hub-page.html" . }} + {{ else if and .Parent .Parent.File (eq .Parent.File.ContentBaseName "topics") }} + {{ partial "resources/topic-page.html" . }} + {{ else }} + {{ partial "resources/category-page.html" . }} + {{ end }} +{{ end }} diff --git a/layouts/resources/single.html b/layouts/resources/single.html new file mode 100644 index 000000000000..db3faf8c80e3 --- /dev/null +++ b/layouts/resources/single.html @@ -0,0 +1,245 @@ +{{ define "hero" }} + {{ $labels := $.Site.Data.resources.labels }} +
+
+ + + + +
+ {{ if and (.Params.h1) (not .Params.notitle) }} +

+ {{ .Params.h1 }} +

+ {{ else if and (ne .Title "") (not .Params.notitle) }} +

+ {{ .Title }} +

+ {{ end }} +

+ {{ .Params.meta_desc }} +

+ + +
+ {{ with .Date }} + {{ if not .IsZero }} + Published {{ .Format "January 2, 2006" }} + {{ end }} + {{ end }} + {{ with $.Params.last_reviewed }} + Updated {{ (time .).Format "January 2, 2006" }} + {{ end }} +
+ + + {{ if .Params.authors }} +
+ {{ partial "blog/authors.html" (dict "context" . "authors" .Params.authors) }} +
+ {{ end }} + + +
+ {{ range .Params.solution_areas }} + {{ $areaLabel := index $labels.solution_areas . | default (replace . "-" " " | title) }} + {{ $areaPage := $.Site.GetPage (printf "/resources/%s" .) }} + {{ if $areaPage }} + + {{ $areaLabel }} + + {{ else }} + + {{ $areaLabel }} + + {{ end }} + {{ end }} + {{ range .Params.capabilities }} + {{ $topicLabel := index $labels.topics . | default (index $labels.capabilities .) | default (replace . "-" " " | title) }} + {{ $topicPage := $.Site.GetPage (printf "/resources/topics/%s" .) }} + {{ if $topicPage }} + + {{ $topicLabel }} + + {{ else }} + + {{ $topicLabel }} + + {{ end }} + {{ end }} +
+
+
+
+{{ end }} + +{{ define "main" }} +
+
+
+ +
+
+ {{ .Content }} +
+ + + {{ with .Params.faq }} +
+

Frequently asked questions

+ {{ range . }} + {{ if and .question .answer }} +
+

{{ .question }}

+

{{ .answer | markdownify }}

+
+ {{ end }} + {{ end }} +
+ {{ end }} + + +
+

Ready to get started?

+

Sign up for Pulumi Cloud and start building.

+ + Create free account + +
+
+ + + +
+
+
+ + +{{ end }}