Complete Pulumi Infrastructure as Code for the Contido application, converted from Terraform.
This Pulumi project defines the complete AWS infrastructure for Contido, including:
- Lambda Functions: Sync service and file ingest service
- Event Source Mappings: Triggered by SQS queues
- S3 Buckets: Upload, MAM, Asset, Archive, and Edit buckets
- Bucket Configurations: Encryption, CORS, public access blocks, versioning
- CloudFront Distributions: Proxy, Thumbnail, and Asset CDNs
- Origin Access Identities (OAI): Secure S3 access from CloudFront
- Route53 Records: DNS aliases for CDN domains (optional)
- IAM Policies: Resource access, secret manager, Lambda basic permissions, CDN invalidation
- IAM Roles: Lambda execution role with attached policies
- IAM Users: Backend, Frontend, and Aspera users with specific permissions
- SQS Queues:
  - Upload event notifications
  - MAM bucket restore and storage
  - File transfer and ingest
  - Transcoding workflows
  - Client delivery
  - Archive watch folder
  - Lambda service queues
- Queue Policies: S3 bucket to queue permissions
## Prerequisites

- Pulumi CLI: Install Pulumi
- Python 3.7+: Install Python
- AWS CLI: Install AWS CLI and configure credentials
- AWS Account: Valid AWS credentials configured with appropriate permissions
## Setup

Install the Pulumi CLI, clone the repository and create a virtual environment:

```bash
curl -fsSL https://get.pulumi.com | sh
git clone https://github.com/SuryaDesy/test-github-mcp.git
cd test-github-mcp
python3 -m venv venv
source venv/bin/activate   # On Windows: venv\Scripts\activate
pip install -r requirements.txt
```

Piping a remote installer straight into `sh` executes whatever the server returns; on a machine you care about, download the script first, read it, then run it.

## Configuration

Create or select a stack:

```bash
pulumi stack select dev   # or create: pulumi stack init dev
```

Set required configuration values:

```bash
pulumi config set client "acme"
pulumi config set env "development"
pulumi config set aws:region "ap-south-1"
pulumi config set account_id "909463554763"
```

Set optional CloudFront/Route53 configuration:

```bash
pulumi config set cache_policy_id "your-policy-id"
pulumi config set origin_request_policy_id "your-policy-id"
pulumi config set acm_certificate_arn "arn:aws:acm:..."
pulumi config set r53_zone_id "your-zone-id"
```

Set Lambda Docker image URIs (if deploying Lambda functions):

```bash
pulumi config set image_uri_sync "your-account.dkr.ecr.ap-south-1.amazonaws.com/sync-service:latest"
pulumi config set image_uri_ingest "your-account.dkr.ecr.ap-south-1.amazonaws.com/ingest-service:latest"
```

Prefer an immutable version tag or an `@sha256:` digest over `:latest`, so that every deployment resolves to the image that was actually reviewed.

## Deploy

```bash
pulumi preview
pulumi up
```

`pulumi up` shows a preview of the resources to be created. Review it and confirm with `yes`.
View the stack outputs:

```bash
pulumi stack output
pulumi stack output upload_bucket_name
```

To tear everything down:

```bash
pulumi destroy
```
## Project Structure

```
.
├── Pulumi.yaml          # Pulumi project metadata
├── __main__.py          # Complete Pulumi program (all resources)
├── Pulumi.dev.yaml      # Development stack config
├── Pulumi.prod.yaml     # Production stack config
├── requirements.txt     # Python dependencies
├── .gitignore           # Git ignore patterns
└── README.md            # This file
```
## Configuration Parameters

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| client | string | Yes | - | Client name (used in resource naming) |
| env | string | Yes | - | Environment (dev, staging, prod) |
| aws:region | string | Yes | - | AWS region |
| account_id | string | Yes | - | AWS account ID (used to build IAM ARNs) |
| cache_policy_id | string | No | CloudFront default | CloudFront cache policy ID |
| origin_request_policy_id | string | No | CloudFront default | Origin request policy ID |
| response_headers_policy_id | string | No | Empty | Response headers policy ID |
| acm_certificate_arn | string | No | CloudFront default certificate | ACM certificate ARN for the distributions |
| r53_zone_id | string | No | - | Route53 hosted zone ID (records are created only when set) |
| image_uri_sync | string | No | Placeholder | Docker image URI for the sync Lambda |
| image_uri_ingest | string | No | Placeholder | Docker image URI for the ingest Lambda |
| memory_size | number | No | 1024 | Lambda memory allocation (MB) |
| ephemeral_storage_size | number | No | 2048 | Lambda ephemeral storage (MB) |
| batch_size | number | No | 1 | SQS batch size for Lambda |
## Resources Created

### S3 Buckets

| Bucket | Purpose | Features |
|---|---|---|
| Upload | File uploads with S3 notifications | Event notifications to SQS |
| MAM | Media asset management | Versioning, multi-queue notifications |
| Asset | Static assets serving | CloudFront origin |
| Archive | Long-term storage | Versioning enabled, archive notifications |
| Edit | Edit workflow storage | Standard configuration |
### Lambda Functions

- Sync Service: Triggered by the sync-service SQS queue
- File Ingest Service: Triggered by the file-ingest-service SQS queue

### SQS Queues (9)

- Upload event notifications
- MAM restore folder
- File transfer
- Ingest proxy
- Transcoding start
- Client delivery
- Archive watch folder
- Sync service
- File ingest service

### IAM

- 3 Users: Backend, Frontend, Aspera
- 1 Role: Lambda execution role
- 6 Policies: Resource access, secret manager, Lambda logs, FE asset access, CDN invalidation, Aspera upload

### CloudFront and Route53

- 3 CDN Distributions: Proxy, Thumbnail, Asset
- 3 Origin Access Identities: Secure S3 access
- 3 Route53 Records (optional): DNS aliases
## Advantages over the Terraform Version

- ✅ Full programming language (Python) for complex logic
- ✅ Type safety with IDE support
- ✅ Better code organization and reusability
- ✅ Cleaner syntax for complex resources
- ✅ Native support for conditional resources
## Notes

- CloudFront Defaults: If no ACM certificate is provided, the distributions use the CloudFront default certificate
- Lambda Optionality: Lambda functions are only created if image URIs are provided
- Route53 Records: Only created if r53_zone_id is configured
- Conditional Policies: The response headers policy is optional
- SQS Policies: Automatically configured with least-privilege S3 source restrictions (the S3 service principal may only send from the specific source bucket)
## Permissions Summary

Resource access, Secrets Manager and Lambda logs policies:

- S3: List, Get, Put, Delete on all buckets
- SQS: Send, Receive, Delete, Get attributes
- SecretsManager: GetSecretValue
- KMS: Decrypt
- CloudWatch Logs: CreateLogGroup, CreateLogStream, PutLogEvents

Delete on all buckets is the broadest grant in the set; if a service only writes to one bucket, narrow its statement to that bucket's ARN.

FE asset access and CDN invalidation policies:

- S3 asset bucket: List and object operations
- CloudFront: CreateInvalidation

Aspera upload policy:

- S3 upload bucket: List and object operations
## Stack Outputs

The stack exports the following values:

```bash
pulumi stack output [output_name]
```

Available outputs:
- Bucket names (all 5 buckets)
- Queue URLs (all 9 queues)
- Lambda function names (if configured)
- CloudFront domain names (all 3 distributions)
- Route53 record names (if configured)
- IAM resource names (users, role, policies)
## Security Features

✅ Implemented in this configuration:

- Server-side encryption on all S3 buckets
- Block public access on all buckets
- CloudFront OAIs for secure S3 access
- Bucket policies with least-privilege access
- IAM policies with specific resource restrictions
- SQS managed encryption enabled
- Least-privilege IAM principles throughout

Not yet implemented (see the roadmap below): VPC placement and security groups for the Lambda functions.
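The two policy shapes behind the "least-privilege" claims above (the queue policy that lets S3 deliver notifications, and the bucket policy that lets a CloudFront OAI read objects), as an added example that is not the project's own `__main__.py`. The account ID, bucket name, queue ARN and OAI ID are constructed placeholders, and `audit_policy` is a local heuristic lint written for this example, not an AWS API; it catches the classic mistake of trusting a service principal without an `aws:SourceArn` / `aws:SourceAccount` condition.

```python
"""Least-privilege policy documents for the S3 -> SQS and CloudFront -> S3 paths.

Added example, not the project's code. All identifiers below are constructed.
"""
import json
from typing import Dict, List

# Constructed sample identifiers (assumptions, not values from the project).
ACCOUNT_ID = "123456789012"
REGION = "ap-south-1"
UPLOAD_BUCKET = "acme-development-upload"
UPLOAD_QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT_ID}:acme-development-upload-events"
OAI_ID = "E2EXAMPLEOAIID"


def s3_to_sqs_queue_policy(queue_arn: str, bucket_name: str, account_id: str) -> Dict:
    """Queue policy that lets only S3 send, and only on behalf of one bucket.

    Without the aws:SourceArn / aws:SourceAccount conditions any bucket in any
    AWS account could point its event notifications at this queue (confused deputy).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowS3BucketNotifications",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "sqs:SendMessage",
                "Resource": queue_arn,
                "Condition": {
                    "ArnEquals": {"aws:SourceArn": f"arn:aws:s3:::{bucket_name}"},
                    "StringEquals": {"aws:SourceAccount": account_id},
                },
            }
        ],
    }


def cloudfront_oai_bucket_policy(bucket_name: str, oai_id: str) -> Dict:
    """Bucket policy granting read-only object access to a single CloudFront OAI.

    Together with the public access block this makes CloudFront the only reader.
    No s3:ListBucket is granted, so object names cannot be enumerated via the CDN.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIRead",
                "Effect": "Allow",
                "Principal": {
                    "AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
                },
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket_name}/*",
            }
        ],
    }


def audit_policy(policy: Dict) -> List[str]:
    """Flag Allow statements broader than the least-privilege claim (local heuristics).

    * a wildcard or service principal must be scoped by aws:SourceArn or
      aws:SourceAccount, otherwise any caller of that service can use the grant;
    * a wildcard action on Resource "*" is always reported.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        principal = stmt.get("Principal") or {}
        condition = json.dumps(stmt.get("Condition", {}))
        scoped = "aws:SourceArn" in condition or "aws:SourceAccount" in condition
        broad_principal = principal == "*" or (
            isinstance(principal, dict) and (principal.get("AWS") == "*" or "Service" in principal)
        )
        if broad_principal and not scoped:
            findings.append(f"{sid}: principal {principal!r} is not scoped by aws:SourceArn/aws:SourceAccount")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions!r} on Resource '*'")
    return findings


if __name__ == "__main__":
    good = s3_to_sqs_queue_policy(UPLOAD_QUEUE_ARN, UPLOAD_BUCKET, ACCOUNT_ID)
    print(json.dumps(good, indent=2))
    print("findings for scoped policy:", audit_policy(good))
    loose = s3_to_sqs_queue_policy(UPLOAD_QUEUE_ARN, UPLOAD_BUCKET, ACCOUNT_ID)
    del loose["Statement"][0]["Condition"]  # trusts the whole S3 service, any bucket, any account
    print("findings for unscoped policy:", audit_policy(loose))
```

Run `audit_policy` over the JSON that `pulumi preview` shows for each `aws.sqs.QueuePolicy` and `aws.s3.BucketPolicy` before confirming; a finding on a queue policy means a bucket in a foreign account could feed messages into the ingest pipeline.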
## Example Stacks

### Development

```bash
pulumi stack select dev
pulumi config set client "test-client"
pulumi config set env "dev"
pulumi up
```

### Production

```bash
pulumi stack select prod
pulumi config set client "acme-corp"
pulumi config set env "prod"
pulumi config set acm_certificate_arn "arn:aws:acm:..."
pulumi config set r53_zone_id "Z1234567890ABC"
pulumi config set image_uri_sync "112345678901.dkr.ecr.ap-south-1.amazonaws.com/sync:v1.0"
pulumi config set image_uri_ingest "112345678901.dkr.ecr.ap-south-1.amazonaws.com/ingest:v1.0"
pulumi up
```

## Troubleshooting

Issue: S3 bucket policies have circular dependencies

Solution: Bucket policies automatically depend on the distributions in this code

Issue: Docker image URI not accessible

Solution: Ensure image_uri_sync and image_uri_ingest point at valid images in ECR, in the same region as the stack

Issue: Route53 records were not created

Solution: Records are only created when r53_zone_id is configured; either provide the zone ID or create the records manually

Issue: Missing queue policies

Solution: Policies are automatically created with proper S3 source restrictions
## Roadmap

- Add VPC & Security Groups for Lambda functions
- Implement Auto-Scaling for Lambda concurrency
- Add CloudWatch Monitoring and alarms
- Setup CI/CD Pipeline with Pulumi automation API
- Add Data Lifecycle Policies for S3 buckets
- Implement Multi-Region Disaster Recovery
- Add Cost Allocation Tags for billing analysis
## Migration from Terraform

This Pulumi project replaces the original Terraform configuration files:

- s3.tf → S3 buckets section
- cdn.tf → CloudFront and Route53 sections
- iam_policies.tf → IAM policies section
- iam-role.tf → IAM roles section
- iam-user.tf → IAM users section
- lambda.tf → Lambda functions section
- sqs.tf → SQS queues section
- r53.tf → Route53 records section
- var.tf → Pulumi configuration
- providers.tf → AWS provider setup
## Links

- Pulumi Docs: https://www.pulumi.com/docs/
- Pulumi AWS Provider: https://www.pulumi.com/registry/packages/aws/
- GitHub Issues: Report issues in the repository

## License

[Add your license information here]
Last Updated: 2026-02-10 | Pulumi Version: >= 3.0.0 | Python Version: >= 3.7