Cloudformation To Pulumi
Import existing AWS CloudFormation stacks into Pulumi state and generated programs so solo builders can migrate IaC without tearing down live resources.
Overview
Cloudformation-to-pulumi is an agent skill for the Operate phase that imports AWS CloudFormation stacks into Pulumi state using the Pulumi cdk-importer plugin and ESC-backed credentials.
Install
npx skills add https://github.com/pulumi/agent-skills --skill cloudformation-to-pulumiWhat is this skill?
- Runs `pulumi plugin install tool cdk-importer` and `program import` against a generated Pulumi program directory
- Imports one or more CloudFormation stacks when logical IDs match the program resource names
- Requires Pulumi ESC for AWS credentials and explicit user confirmation of AWS_REGION before import
- Supports optional `--import-file` bulk import output for resources that fail the first pass (defaults to import.json)
- Default agent prompt: migrate a CloudFormation stack or template to Pulumi via the cloudformation-to-pulumi skill
- Required CLI flags: --program-dir and --stack (repeatable or comma-separated stacks)
- Default bulk import path: import.json when --import-file is provided without a value
Adoption & trust: 520 installs on skills.sh; 56 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You still run critical AWS capacity on CloudFormation but want Pulumi programs and state without risky teardown-and-recreate cutovers.
Who is it for?
Solo builders or tiny teams with live CloudFormation stacks, a matching generated Pulumi program, and Pulumi ESC already in use for AWS access.
Skip if: Greenfield apps with no CloudFormation footprint, teams unwilling to confirm ESC environment and AWS region, or migrations where generated resource names do not match CloudFormation logical IDs.
When should I use this skill?
Use $cloudformation-to-pulumi to migrate an AWS CloudFormation stack or template to Pulumi.
What do I get? / Deliverables
After confirming ESC and region, you run cdk-importer program import so existing stack resources land in your Pulumi stack, with an optional import file for anything that fails on the first pass.
- CloudFormation resources imported into the selected Pulumi stack state
- Optional Pulumi bulk import file listing failing resources
Recommended Skills
Journey fit
Stack migration and state import are production infrastructure operations—canonical shelf is Operate when you are maintaining or modernizing what already runs in AWS. Infra is the right subphase because the skill wraps the Pulumi cdk-importer plugin, ESC credentials, and region-correct import commands—not app feature coding.
How it compares
Use for in-place CloudFormation-to-Pulumi state import—not for writing net-new Pulumi components from scratch in chat alone.
Common Questions / FAQ
Who is cloudformation-to-pulumi for?
Indie and solo AWS operators who maintain CloudFormation stacks and want to move governance to Pulumi without reprovisioning every resource by hand.
When should I use cloudformation-to-pulumi?
Use it during Operate/infra when you have stack names and a program-dir ready; also when validating a migration plan in Validate before you freeze production change windows.
Is cloudformation-to-pulumi safe to install?
It drives real AWS import operations with your ESC credentials—review the Security Audits panel on this Prism page and dry-run on non-production stacks first.
SKILL.md
READMESKILL.md - Cloudformation To Pulumi
interface: display_name: "CloudFormation to Pulumi Migration" short_description: "Convert CloudFormation stacks/templates to Pulumi" default_prompt: "Use $cloudformation-to-pulumi to migrate an AWS CloudFormation stack or template to Pulumi." # CloudFormation Stack Importer Tool This tool imports existing AWS resources from CloudFormation stacks into Pulumi state. ## Installation ```shell pulumi plugin install tool cdk-importer ``` ## Credentials Running the `cdk-importer` tool requires credentials loaded via Pulumi ESC. - If the user has already provided an ESC environment, use it. - If no ESC environment is specified, **ask the user which ESC environment to use** before proceeding with using the tool. You MUST confirm the AWS region with the user. The results may be incorrect if ran with the wrong AWS Region. The region can be set with the `AWS_REGION` environment variable ## Commands ### program import Import into the selected Pulumi stack using an existing Pulumi program. ```shell pulumi plugin run cdk-importer -- program import \ --program-dir ./generated \ --stack MyStack ``` **Required flags:** - `--program-dir`: Path to the Pulumi program (resource names must match CloudFormation Logical IDs) - `--stack`: CloudFormation stack name (can be specified multiple times or comma-separated) **Optional flags:** - `--import-file`: Path to write a Pulumi bulk import file with failing resources (defaults to `import.json` when provided without a value) - `--debug`: Enable line by line logging of imported resources **Behavior:** - Runs against the selected Pulumi stack. - With `--import-file`, writes the bulk import file after import. The file will only contain entries for resources that failed to import with `<PLACEHOLDER>` ids. - Can be run iteratively to progressively import resources. **Example Output:** ```shell [INFO] Getting stack resources component="cdk-importer" stack=NeoExample-Dev [INFO] Starting up providers... component="cdk-importer" [INFO] Importing stack... component="cdk-importer" [INFO] Run complete component="cdk-importer" status="success" resourcesImported=50 resourcesFailedToImport=0 stack="NeoExample-Dev" importFile="/workspace/pulumi-example-app-neo/import.json" importFileExists=true ``` ## Import File Output The generated `import.json` includes: - Full AWS resource metadata (type, logical name, provider reference, component bit, provider version) - Property subsets captured during provider interception Resources with composite identifiers may show `<PLACEHOLDER>` IDs that need manual completion before running `pulumi import --file import.json`. ## Unsupported Resources **Resources that cannot be imported:** - CloudFormation Custom Resources (`aws-native:cloudformation:CustomResourceEmulator`) ## Example Workflow 1. Convert your CloudFormation template to Pulumi (using CloudFormation Logical IDs as resource names) 2. Import into your Pulumi stack: ```shell pulumi plugin run cdk-importer -- program import \ --program-dir ./pulumi-program-dir \ --stack MyStack ``` ## Handling Failures This tool may not support 100% of the CloudFormation resources in the stack. For unsupported resources it is necessary to find the import ID and import manually. **Example output:** ```shell [INFO] Getting stack resources component="cdk-importer" stack=NeoExample-Dev [INFO] Starting up providers... component="cdk-importer" [INFO] Importing stack... component="cdk-importer" [INFO] Pulumi errors component="cdk-importer" details=urn:pulumi:dev::cdk-convert-example::aws:rds/proxyDefaultTargetGroup:ProxyDefaultTargetGroup::DatabaseDbClusterDbProxyProxyTargetGroupA552DCC1: Don't have an ID!: aws:rds/proxyDefaultTargetGroup:ProxyDefaultTargetGroup neo-example-dev-database-db-cluster-db-proxy-eede4daa urn:pulumi:dev::cdk-convert-example::aws:rds/proxyDefaultTargetGroup:ProxyDefaultTargetGroup::DatabaseDbClusterDbProxyProxyTargetGroupA552DCC1 update failed [INFO] Run complet