GitLab-managed Pulumi State
Release notes
Add a Pulumi state backend in GitLab.
Problem to solve
Today, users can use GitLab-managed Terraform/OpenTofu State to have GitLab be a Terraform/OpenTofu state backend. This makes it:
- Easy for groups to collaborate on infrastructure projects.
  - Permissions are linked to GitLab group membership. No need to sync membership across multiple services (e.g. Terraform Cloud, Spacelift, CSP account for object store backends).
- Easy to integrate with GitLab CI/CD for automated deployments.
  - Can use the GitLab CI/CD job token to authenticate.
  - Can see which pipeline job last updated the state (along with the entire deployment history if used with GitLab environments).
Terraform/OpenTofu, however, becomes difficult to use for services with a highly partitioned deployment strategy: the service is split into many identically wired cells (e.g. region-1.cell-1, region-1.cell-2) that are deployed to in a staggered fashion to reduce the blast radius of a bad deployment. GitLab.com's instance-level runners are an example of this (split into several blue-green deployment partitions, up to 6 currently).
In these situations, managing HCL/OTL or JSON files for tens to hundreds of stacks becomes cumbersome, even with HCL/OTL variables and loop expressions. This more complicated wiring is easier to do in a full programming language, which can also leverage the language's existing toolchain (e.g. language servers, type checkers, linters) for easier development.
Ideally the CDK for Terraform (CDKTF) would be the solution for this. HashiCorp, however, no longer seems to be actively maintaining CDKTF, as Node.js version support (issue) and pre-built provider versions (issue) have fallen behind with no remediation.
2025-Dec-10: CDKTF has been deprecated.
Pulumi is now the main contender in the programming-language-driven infrastructure as code (IaC) space besides the AWS CDK (which is tied to AWS CloudFormation). Their Any Terraform Provider feature (in public beta) seems like it will fill the void left by CDKTF.
Proposal
Add a Pulumi state backend in GitLab that has parity with GitLab-managed Terraform/OpenTofu state (e.g. encryption, locking, CI/CD + MR + UI integration).
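For reference, this is what the existing GitLab-managed OpenTofu state integration looks like from a CI job when there is one state per cell; it is an added example, not part of this issue, and shows the job-token authentication and lock endpoints a Pulumi backend would need for parity. The image name and cell names are assumptions, and the configuration is assumed to declare an empty `backend "http" {}` block.

```yaml
# Added example, not from the issue: one GitLab CI job that plans each cell
# against its own GitLab-managed OpenTofu state, authenticated with the
# short-lived CI job token (no long-lived backend credential in the pipeline)
# and serialised through the backend's lock endpoints.
# Assumptions: the OpenTofu image, the constructed cell names, and a
# backend "http" {} block with no arguments in the configuration.
plan:
  image:
    name: ghcr.io/opentofu/opentofu:latest   # assumption: any image with tofu on PATH works
    entrypoint: [""]
  parallel:
    matrix:
      - CELL: [region-1-cell-1, region-1-cell-2]   # constructed, mirrors the issue's cells
  script:
    # One state object per cell; the state name is the last path segment.
    - export TF_ADDRESS="${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/${CELL}"
    # Access is decided by the job's project/group membership via CI_JOB_TOKEN.
    # Lock and unlock hit the same endpoint with POST/DELETE, so two pipelines
    # for the same cell cannot write that cell's state concurrently.
    - >
      tofu init -reconfigure
      -backend-config="address=${TF_ADDRESS}"
      -backend-config="lock_address=${TF_ADDRESS}/lock"
      -backend-config="unlock_address=${TF_ADDRESS}/lock"
      -backend-config="username=gitlab-ci-token"
      -backend-config="password=${CI_JOB_TOKEN}"
      -backend-config="lock_method=POST"
      -backend-config="unlock_method=DELETE"
      -backend-config="retry_wait_min=5"
    - tofu plan -input=false -out="plan-${CELL}.cache"
  artifacts:
    paths:
      - plan-*.cache
```

The job token expires with the job, so no backend credential outlives the pipeline, and the state history in the GitLab UI records which job wrote each version.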
Intended users
- Sasha (Software Developer)
- Priyanka (Platform Engineer)
- Sidney (Systems Administrator)
- Allison (Application Ops)
- Ingrid (Infrastructure Operator)
Feature Usage Metrics
- Number of managed Pulumi states.
- Calls to Pulumi state APIs.
Does this feature require an audit event?
Yes.