Pulumi 最佳实践指南：46条规则提升基础设施即代码性能与可靠性

pulumi by pproenca/dot-skills

109 周安装量

95 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/pproenca/dot-skills --skill pulumi

自动化云服务开发运维

🇨🇳中文介绍

Pulumi 最佳实践

面向 AI 代理和 LLM 的 Pulumi 基础设施即代码全面性能和可靠性指南。包含 8 个类别共 46 条规则，按影响优先级排序，以指导自动化重构和代码生成。

何时应用

在以下情况下参考这些指南：

编写新的 Pulumi 基础设施代码时
设计可复用的组件抽象时
配置密钥和敏感值时
组织堆栈和跨堆栈引用时
为基础设施设置 CI/CD 流水线时

按优先级划分的规则类别

优先级	类别	影响	前缀
1	状态管理与后端	关键	`pstate-`
2	资源图优化	关键	`graph-`
3	组件设计	高

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

1. 状态管理与后端 (关键)

pstate-backend-selection - 为生产堆栈使用托管后端
pstate-checkpoint-skipping - 为大型堆栈启用检查点跳过
pstate-stack-size - 保持堆栈资源数在 500 个以下
pstate-refresh-targeting - 使用目标刷新而非全栈刷新
pstate-export-import - 使用状态导出/导入进行迁移
pstate-import-existing - 在管理前导入现有资源

2. 资源图优化 (关键)

graph-parallel-resources - 构建资源以实现最大并行度
graph-output-dependencies - 使用输出来表达真实的依赖关系
graph-explicit-depends - 仅对外部依赖使用 dependsOn
graph-avoid-apply-side-effects - 避免在 apply 函数中产生副作用
graph-conditional-resources - 在资源级别使用条件逻辑
graph-stack-references-minimal - 最小化堆栈引用深度

3. 组件设计 (高)

pcomp-component-resources - 使用 ComponentResource 实现可复用的抽象
pcomp-parent-child - 将父选项传递给子资源
pcomp-unique-naming - 使用名称前缀模式确保资源名称唯一
pcomp-register-outputs - 显式注册组件输出
pcomp-multi-language - 设计支持多语言使用的组件
pcomp-transformations - 使用转换处理横切关注点

4. 密钥与配置 (高)

secrets-use-secret-config - 对敏感值使用密钥配置
secrets-avoid-state-exposure - 防止密钥在状态中泄露
secrets-external-providers - 在生产环境中使用外部密钥管理器
secrets-generate-random - 使用随机提供程序生成密钥
secrets-provider-rotation - 团队成员离开时轮换密钥提供程序
secrets-environment-isolation - 按环境隔离密钥

5. 堆栈组织 (中高)

stack-separation-by-lifecycle - 按部署生命周期分离堆栈
stack-references-parameterized - 参数化堆栈引用
stack-output-minimal - 仅导出必需的输出
stack-naming-conventions - 使用一致的堆栈命名约定

6. 资源选项与生命周期 (中)

lifecycle-protect-stateful - 保护有状态资源
lifecycle-delete-before-replace - 对唯一约束使用 deleteBeforeReplace
lifecycle-retain-on-delete - 对共享资源使用 retainOnDelete
lifecycle-ignore-changes - 对由外部管理的属性使用 ignoreChanges
lifecycle-replace-on-changes - 对不可变依赖使用 replaceOnChanges
lifecycle-aliases - 使用别名安全地重命名资源
lifecycle-custom-timeouts - 为长时间运行的资源设置自定义超时

7. 测试与验证 (中)

test-unit-mocking - 使用模拟进行快速单元测试
test-property-policies - 使用策略即代码进行属性测试
test-integration-ephemeral - 使用临时堆栈进行集成测试
test-preview-assertions - 在部署前对预览结果进行断言
test-stack-reference-mocking - 在单元测试中模拟堆栈引用

8. 自动化与 CI/CD (低中)

auto-automation-api-workflows - 对复杂工作流使用 Automation API
auto-inline-programs - 对动态基础设施使用内联程序
auto-ci-cd-preview - 在 PR 检查中运行预览
auto-deployments-api - 对 GitOps 使用 Pulumi Deployments
auto-review-stacks - 对 PR 环境使用评审堆栈
auto-drift-detection - 为生产环境启用漂移检测

阅读单独的参考文件以获取详细说明和代码示例：

章节定义 - 类别结构和影响级别
规则模板 - 用于添加新规则的模板

获取包含所有规则详情的完整指南：AGENTS.md

2026 年 1 月 20 日

🇺🇸English

Pulumi Best Practices

Comprehensive performance and reliability guide for Pulumi infrastructure as code, designed for AI agents and LLMs. Contains 46 rules across 8 categories, prioritized by impact to guide automated refactoring and code generation.

When to Apply

Reference these guidelines when:

Writing new Pulumi infrastructure code
Designing component abstractions for reuse
Configuring secrets and sensitive values
Organizing stacks and cross-stack references
Setting up CI/CD pipelines for infrastructure

Rule Categories by Priority

Priority	Category	Impact	Prefix
1	State Management and Backend	CRITICAL	`pstate-`
2	Resource Graph Optimization	CRITICAL	`graph-`
3	Component Design	HIGH	`pcomp-`
4	Secrets and Configuration	HIGH	`secrets-`
5	Stack Organization	MEDIUM-HIGH	`stack-`
6	Resource Options and Lifecycle	MEDIUM	`lifecycle-`
7	Testing and Validation	MEDIUM	`test-`
8	Automation and CI/CD	LOW-MEDIUM	`auto-`

Quick Reference

1. State Management and Backend (CRITICAL)

pstate-backend-selection - Use managed backend for production stacks
pstate-checkpoint-skipping - Enable checkpoint skipping for large stacks
pstate-stack-size - Keep stacks under 500 resources
pstate-refresh-targeting - Use targeted refresh instead of full stack
pstate-export-import - Use state export/import for migrations
pstate-import-existing - Import existing resources before managing

2. Resource Graph Optimization (CRITICAL)

graph-parallel-resources - Structure resources for maximum parallelism
graph-output-dependencies - Use outputs to express true dependencies
graph-explicit-depends - Use dependsOn only for external dependencies
graph-avoid-apply-side-effects - Avoid side effects in apply functions
graph-conditional-resources - Use conditional logic at resource level
graph-stack-references-minimal - Minimize stack reference depth

3. Component Design (HIGH)

pcomp-component-resources - Use ComponentResource for reusable abstractions
pcomp-parent-child - Pass parent option to child resources
pcomp-unique-naming - Use name prefix pattern for unique resource names
pcomp-register-outputs - Register component outputs explicitly
pcomp-multi-language - Design components for multi-language consumption
pcomp-transformations - Use transformations for cross-cutting concerns

4. Secrets and Configuration (HIGH)

secrets-use-secret-config - Use secret config for sensitive values
secrets-avoid-state-exposure - Prevent secret leakage in state
secrets-external-providers - Use external secret managers for production
secrets-generate-random - Generate secrets with random provider
secrets-provider-rotation - Rotate secrets provider when team members leave
secrets-environment-isolation - Isolate secrets by environment

5. Stack Organization (MEDIUM-HIGH)

stack-separation-by-lifecycle - Separate stacks by deployment lifecycle
stack-references-parameterized - Parameterize stack references
stack-output-minimal - Export only required outputs
stack-naming-conventions - Use consistent stack naming convention

6. Resource Options and Lifecycle (MEDIUM)

lifecycle-protect-stateful - Protect stateful resources
lifecycle-delete-before-replace - Use deleteBeforeReplace for unique constraints
lifecycle-retain-on-delete - Use retainOnDelete for shared resources
lifecycle-ignore-changes - Use ignoreChanges for externally managed properties
lifecycle-replace-on-changes - Use replaceOnChanges for immutable dependencies
lifecycle-aliases - Use aliases for safe resource renaming
lifecycle-custom-timeouts - Set custom timeouts for long-running resources

7. Testing and Validation (MEDIUM)

test-unit-mocking - Use mocks for fast unit tests
test-property-policies - Use policy as code for property testing
test-integration-ephemeral - Use ephemeral stacks for integration tests
test-preview-assertions - Assert on preview results before deployment
test-stack-reference-mocking - Mock stack references in unit tests

8. Automation and CI/CD (LOW-MEDIUM)

auto-automation-api-workflows - Use Automation API for complex workflows
auto-inline-programs - Use inline programs for dynamic infrastructure
auto-ci-cd-preview - Run preview in PR checks
auto-deployments-api - Use Pulumi Deployments for GitOps
auto-review-stacks - Use review stacks for PR environments
auto-drift-detection - Enable drift detection for production

How to Use

Read individual reference files for detailed explanations and code examples:

Section definitions - Category structure and impact levels
Rule template - Template for adding new rules

Full Compiled Document

For the complete guide with all rules expanded: AGENTS.md

Weekly Installs

Repository

pproenca/dot-skills

GitHub Stars

First Seen

Jan 20, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

gemini-cli80

opencode78

codex77

claude-code75

cursor73

github-copilot72

Azure Data Explorer (Kusto) 查询技能：KQL数据分析、日志遥测与时间序列处理

133,300 周安装