{
  "name": "pulumiservice",
  "displayName": "Pulumi Cloud",
  "description": "A native Pulumi package for creating and managing Pulumi Cloud constructs.\n\nResources are organized into two surfaces under one package:\n\n- **v0 (package root)** — Mature, hand-maintained resources accessible directly off the package import (e.g. `pulumiservice.Stack`). **In maintenance mode**: bug fixes and security updates only; no new resources or features. Existing programs continue to work without any code changes.\n- **api (`pulumiservice.api`)** — **Preview.** Actively developed, generated at runtime from the public Pulumi Cloud OpenAPI specification. Resource shape and module layout may change before GA; not yet recommended for production. Coverage expands as new operations are mapped from the spec.\n\nResources from both surfaces can be used in the same program. There is no forced migration: existing users stay on v0 indefinitely, or migrate individual resources to the api surface by updating their IaC code (resource type + input shape) and adding Pulumi `aliases` on the new api declaration so state rebinds in place. v0 has known coverage gaps relative to the full Cloud API; the api surface closes those gaps over time.",
  "keywords": [
    "pulumi",
    "kind/native",
    "category/infrastructure"
  ],
  "homepage": "https://pulumi.com",
  "license": "Apache-2.0",
  "repository": "https://github.com/pulumi/pulumi-pulumiservice",
  "publisher": "Pulumi",
  "namespace": "pulumi",
  "language": {
    "csharp": {
      "namespaces": {
        "api": "Api",
        "pulumiservice": "PulumiService"
      },
      "packageReferences": {
        "Pulumi": "3.*"
      },
      "respectSchemaVersion": true
    },
    "go": {
      "generateResourceContainerTypes": true,
      "importBasePath": "github.com/pulumi/pulumi-pulumiservice/sdk/go/pulumiservice",
      "respectSchemaVersion": true
    },
    "java": {
      "basePackage": "",
      "buildFiles": "gradle",
      "dependencies": {
        "com.google.code.findbugs:jsr305": "3.0.2",
        "com.google.code.gson:gson": "2.8.9",
        "com.pulumi:pulumi": "1.16.2"
      },
      "gradleNexusPublishPluginVersion": "2.0.0",
      "gradleTest": "",
      "readme": "# Pulumi Service Provider\n\n[![Slack](http://www.pulumi.com/images/docs/badges/slack.svg)](https://slack.pulumi.com)\n[![NPM version](https://badge.fury.io/js/%40pulumi%2Fpulumiservice.svg)](https://www.npmjs.com/package/@pulumi/pulumiservice)\n[![Python version](https://badge.fury.io/py/pulumi-pulumiservice.svg)](https://pypi.org/project/pulumi-pulumiservice)\n[![NuGet version](https://badge.fury.io/nu/pulumi.pulumiservice.svg)](https://badge.fury.io/nu/pulumi.pulumiservice)\n[![PkgGoDev](https://pkg.go.dev/badge/github.com/pulumi/pulumi-pulumiservice/sdk/go/pulumiservice)](https://pkg.go.dev/github.com/pulumi/pulumi-pulumiservice/sdk/go)\n[![License](https://img.shields.io/npm/l/%40pulumi%2Fpulumiservice.svg)](https://github.com/pulumi/pulumi-pulumiservice/blob/main/LICENSE)\n\nPulumi Service Provider for creating Pulumi Cloud resources.\n\nThe Pulumi Service Provider (PSP) is built on top of the [Pulumi Cloud REST API](https://www.pulumi.com/docs/pulumi-cloud/reference/cloud-rest-api/), allowing Pulumi customers to create Pulumi Cloud resources using Pulumi programs. That includes Stacks, Environments, Teams, Tokens, Webhooks, Tags, Deployment Settings, Deployment Schedules and much more! Pulumi Service Provider is especially powerful when used in combination with the [Automation API](https://pulumi.com/automation).\n\nFor a full list of supported resources, visit the [Pulumi Registry](https://www.pulumi.com/registry/packages/pulumiservice/). 
For the REST API reference documentation, visit [Pulumi Cloud API Documentation](https://www.pulumi.com/docs/pulumi-cloud/reference/cloud-rest-api/).\n\nFor now, PSP is in public preview, but we're working on releasing v1.0 in the near future.\n\n## Installing\n\nThis package is available in many languages in the standard packaging formats.\n\n### Node.js (JavaScript/TypeScript)\n\nTo use from JavaScript or TypeScript in Node.js, install using either `npm`:\n\n```sh\nnpm install @pulumi/pulumiservice\n```\n\nor `yarn`:\n\n```sh\nyarn add @pulumi/pulumiservice\n```\n\n### Python\n\nTo use from Python, install using `pip`:\n\n```sh\npip install pulumi_pulumiservice\n```\n\n### Go\n\nTo use from Go, use `go get` to grab the latest version of the library:\n\n```sh\ngo get github.com/pulumi/pulumi-pulumiservice/sdk/go\n```\n\n### .NET\n\nTo use from .NET, install using `dotnet add package`:\n\n```sh\ndotnet add package Pulumi.PulumiService\n```\n\n### Java\n\nTo use from Java, add an entry to your `build.gradle` file:\n\n```groovy\nimplementation 'com.pulumi:pulumiservice:%Fill in latest version from the badge up top%'\n```\n\nOr to your `pom.xml` file:\n\n```xml\n<dependency>\n    <groupId>com.pulumi</groupId>\n    <artifactId>pulumiservice</artifactId>\n    <version>%Fill in latest version from the badge up top%</version>\n</dependency>\n```\n\n## Setup\n\nEnsure that you have run `pulumi login`. 
Run `pulumi whoami` to verify that you are logged in.\n\n### Configuration Options\n\nUse `pulumi config set pulumiservice:<option>` or pass options to the [constructor of `new pulumiservice.Provider`][1].\n\n| Option        | Environment Variable Name | Required/Optional | Description                                                                           |\n|---------------|---------------------------|-------------------|---------------------------------------------------------------------------------------|\n| `accessToken` | `PULUMI_ACCESS_TOKEN`     | Optional          | Overrides [Pulumi Service Access Tokens][2]                                           |\n| `apiUrl`      | `PULUMI_BACKEND_URL`      | Optional          | Allows overriding default [Pulumi Service API URL][3] for [self hosted customers][4]. |\n\n## Examples\n\n```typescript\nimport * as aws from \"@pulumi/awsx\";\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as service from \"@pulumi/pulumiservice\";\n\nconst team = new service.Team(\"team\", {\n    name: \"pulumi-service-team\",\n    displayName: \"Pulumi Service\",\n    description: \"The Pulumi Service Team\",\n    organizationName: \"pulumi\",\n    teamType: \"pulumi\",\n    members: [\n        \"piers\",\n        \"bryce\",\n        \"casey\",\n        \"evan\",\n        \"devon\",\n        \"meagan\",\n        \"myles\",\n        \"steve\"\n    ],\n});\n\nexport const members = team.members;\n```\n\nCheck out the [examples/](examples/) directory for more examples.\n\n[1]: https://www.pulumi.com/registry/packages/pulumiservice/api-docs/provider/\n[2]: https://www.pulumi.com/docs/pulumi-cloud/access-management/access-tokens/\n[3]: https://www.pulumi.com/docs/pulumi-cloud/reference/cloud-rest-api/\n[4]: https://www.pulumi.com/docs/pulumi-cloud/self-hosted/\n"
    },
    "nodejs": {
      "dependencies": {
        "@pulumi/pulumi": "^3.0.0"
      },
      "packageName": "@pulumi/pulumiservice",
      "readme": "# Pulumi Service Provider\n\n[![Slack](http://www.pulumi.com/images/docs/badges/slack.svg)](https://slack.pulumi.com)\n[![NPM version](https://badge.fury.io/js/%40pulumi%2Fpulumiservice.svg)](https://www.npmjs.com/package/@pulumi/pulumiservice)\n[![Python version](https://badge.fury.io/py/pulumi-pulumiservice.svg)](https://pypi.org/project/pulumi-pulumiservice)\n[![NuGet version](https://badge.fury.io/nu/pulumi.pulumiservice.svg)](https://badge.fury.io/nu/pulumi.pulumiservice)\n[![PkgGoDev](https://pkg.go.dev/badge/github.com/pulumi/pulumi-pulumiservice/sdk/go/pulumiservice)](https://pkg.go.dev/github.com/pulumi/pulumi-pulumiservice/sdk/go)\n[![License](https://img.shields.io/npm/l/%40pulumi%2Fpulumiservice.svg)](https://github.com/pulumi/pulumi-pulumiservice/blob/main/LICENSE)\n\nPulumi Service Provider for creating Pulumi Cloud resources.\n\nThe Pulumi Service Provider (PSP) is built on top of the [Pulumi Cloud REST API](https://www.pulumi.com/docs/pulumi-cloud/reference/cloud-rest-api/), allowing Pulumi customers to create Pulumi Cloud resources using Pulumi programs. That includes Stacks, Environments, Teams, Tokens, Webhooks, Tags, Deployment Settings, Deployment Schedules and much more! Pulumi Service Provider is especially powerful when used in combination with the [Automation API](https://pulumi.com/automation).\n\nFor a full list of supported resources, visit the [Pulumi Registry](https://www.pulumi.com/registry/packages/pulumiservice/). 
For the REST API reference documentation, visit [Pulumi Cloud API Documentation](https://www.pulumi.com/docs/pulumi-cloud/reference/cloud-rest-api/).\n\nFor now, PSP is in public preview, but we're working on releasing v1.0 in the near future.\n\n## Installing\n\nThis package is available in many languages in the standard packaging formats.\n\n### Node.js (JavaScript/TypeScript)\n\nTo use from JavaScript or TypeScript in Node.js, install using either `npm`:\n\n```sh\nnpm install @pulumi/pulumiservice\n```\n\nor `yarn`:\n\n```sh\nyarn add @pulumi/pulumiservice\n```\n\n### Python\n\nTo use from Python, install using `pip`:\n\n```sh\npip install pulumi_pulumiservice\n```\n\n### Go\n\nTo use from Go, use `go get` to grab the latest version of the library:\n\n```sh\ngo get github.com/pulumi/pulumi-pulumiservice/sdk/go\n```\n\n### .NET\n\nTo use from .NET, install using `dotnet add package`:\n\n```sh\ndotnet add package Pulumi.PulumiService\n```\n\n### Java\n\nTo use from Java, add an entry to your `build.gradle` file:\n\n```groovy\nimplementation 'com.pulumi:pulumiservice:%Fill in latest version from the badge up top%'\n```\n\nOr to your `pom.xml` file:\n\n```xml\n<dependency>\n    <groupId>com.pulumi</groupId>\n    <artifactId>pulumiservice</artifactId>\n    <version>%Fill in latest version from the badge up top%</version>\n</dependency>\n```\n\n## Setup\n\nEnsure that you have run `pulumi login`. 
Run `pulumi whoami` to verify that you are logged in.\n\n### Configuration Options\n\nUse `pulumi config set pulumiservice:<option>` or pass options to the [constructor of `new pulumiservice.Provider`][1].\n\n| Option        | Environment Variable Name | Required/Optional | Description                                                                           |\n|---------------|---------------------------|-------------------|---------------------------------------------------------------------------------------|\n| `accessToken` | `PULUMI_ACCESS_TOKEN`     | Optional          | Overrides [Pulumi Service Access Tokens][2]                                           |\n| `apiUrl`      | `PULUMI_BACKEND_URL`      | Optional          | Allows overriding default [Pulumi Service API URL][3] for [self hosted customers][4]. |\n\n## Examples\n\n```typescript\nimport * as aws from \"@pulumi/awsx\";\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as service from \"@pulumi/pulumiservice\";\n\nconst team = new service.Team(\"team\", {\n    name: \"pulumi-service-team\",\n    displayName: \"Pulumi Service\",\n    description: \"The Pulumi Service Team\",\n    organizationName: \"pulumi\",\n    teamType: \"pulumi\",\n    members: [\n        \"piers\",\n        \"bryce\",\n        \"casey\",\n        \"evan\",\n        \"devon\",\n        \"meagan\",\n        \"myles\",\n        \"steve\"\n    ],\n});\n\nexport const members = team.members;\n```\n\nCheck out the [examples/](examples/) directory for more examples.\n\n[1]: https://www.pulumi.com/registry/packages/pulumiservice/api-docs/provider/\n[2]: https://www.pulumi.com/docs/pulumi-cloud/access-management/access-tokens/\n[3]: https://www.pulumi.com/docs/pulumi-cloud/reference/cloud-rest-api/\n[4]: https://www.pulumi.com/docs/pulumi-cloud/self-hosted/\n",
      "respectSchemaVersion": true
    },
    "python": {
      "packageName": "pulumi_pulumiservice",
      "pyproject": {
        "enabled": true
      },
      "readme": "# Pulumi Service Provider\n\n[![Slack](http://www.pulumi.com/images/docs/badges/slack.svg)](https://slack.pulumi.com)\n[![NPM version](https://badge.fury.io/js/%40pulumi%2Fpulumiservice.svg)](https://www.npmjs.com/package/@pulumi/pulumiservice)\n[![Python version](https://badge.fury.io/py/pulumi-pulumiservice.svg)](https://pypi.org/project/pulumi-pulumiservice)\n[![NuGet version](https://badge.fury.io/nu/pulumi.pulumiservice.svg)](https://badge.fury.io/nu/pulumi.pulumiservice)\n[![PkgGoDev](https://pkg.go.dev/badge/github.com/pulumi/pulumi-pulumiservice/sdk/go/pulumiservice)](https://pkg.go.dev/github.com/pulumi/pulumi-pulumiservice/sdk/go)\n[![License](https://img.shields.io/npm/l/%40pulumi%2Fpulumiservice.svg)](https://github.com/pulumi/pulumi-pulumiservice/blob/main/LICENSE)\n\nPulumi Service Provider for creating Pulumi Cloud resources.\n\nThe Pulumi Service Provider (PSP) is built on top of the [Pulumi Cloud REST API](https://www.pulumi.com/docs/pulumi-cloud/reference/cloud-rest-api/), allowing Pulumi customers to create Pulumi Cloud resources using Pulumi programs. That includes Stacks, Environments, Teams, Tokens, Webhooks, Tags, Deployment Settings, Deployment Schedules and much more! Pulumi Service Provider is especially powerful when used in combination with the [Automation API](https://pulumi.com/automation).\n\nFor a full list of supported resources, visit the [Pulumi Registry](https://www.pulumi.com/registry/packages/pulumiservice/). 
For the REST API reference documentation, visit [Pulumi Cloud API Documentation](https://www.pulumi.com/docs/pulumi-cloud/reference/cloud-rest-api/).\n\nFor now, PSP is in public preview, but we're working on releasing v1.0 in the near future.\n\n## Installing\n\nThis package is available in many languages in the standard packaging formats.\n\n### Node.js (JavaScript/TypeScript)\n\nTo use from JavaScript or TypeScript in Node.js, install using either `npm`:\n\n```sh\nnpm install @pulumi/pulumiservice\n```\n\nor `yarn`:\n\n```sh\nyarn add @pulumi/pulumiservice\n```\n\n### Python\n\nTo use from Python, install using `pip`:\n\n```sh\npip install pulumi_pulumiservice\n```\n\n### Go\n\nTo use from Go, use `go get` to grab the latest version of the library:\n\n```sh\ngo get github.com/pulumi/pulumi-pulumiservice/sdk/go\n```\n\n### .NET\n\nTo use from .NET, install using `dotnet add package`:\n\n```sh\ndotnet add package Pulumi.PulumiService\n```\n\n### Java\n\nTo use from Java, add an entry to your `build.gradle` file:\n\n```groovy\nimplementation 'com.pulumi:pulumiservice:%Fill in latest version from the badge up top%'\n```\n\nOr to your `pom.xml` file:\n\n```xml\n<dependency>\n    <groupId>com.pulumi</groupId>\n    <artifactId>pulumiservice</artifactId>\n    <version>%Fill in latest version from the badge up top%</version>\n</dependency>\n```\n\n## Setup\n\nEnsure that you have run `pulumi login`. 
Run `pulumi whoami` to verify that you are logged in.\n\n### Configuration Options\n\nUse `pulumi config set pulumiservice:<option>` or pass options to the [constructor of `new pulumiservice.Provider`][1].\n\n| Option        | Environment Variable Name | Required/Optional | Description                                                                           |\n|---------------|---------------------------|-------------------|---------------------------------------------------------------------------------------|\n| `accessToken` | `PULUMI_ACCESS_TOKEN`     | Optional          | Overrides [Pulumi Service Access Tokens][2]                                           |\n| `apiUrl`      | `PULUMI_BACKEND_URL`      | Optional          | Allows overriding default [Pulumi Service API URL][3] for [self hosted customers][4]. |\n\n## Examples\n\n```typescript\nimport * as aws from \"@pulumi/awsx\";\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as service from \"@pulumi/pulumiservice\";\n\nconst team = new service.Team(\"team\", {\n    name: \"pulumi-service-team\",\n    displayName: \"Pulumi Service\",\n    description: \"The Pulumi Service Team\",\n    organizationName: \"pulumi\",\n    teamType: \"pulumi\",\n    members: [\n        \"piers\",\n        \"bryce\",\n        \"casey\",\n        \"evan\",\n        \"devon\",\n        \"meagan\",\n        \"myles\",\n        \"steve\"\n    ],\n});\n\nexport const members = team.members;\n```\n\nCheck out the [examples/](examples/) directory for more examples.\n\n[1]: https://www.pulumi.com/registry/packages/pulumiservice/api-docs/provider/\n[2]: https://www.pulumi.com/docs/pulumi-cloud/access-management/access-tokens/\n[3]: https://www.pulumi.com/docs/pulumi-cloud/reference/cloud-rest-api/\n[4]: https://www.pulumi.com/docs/pulumi-cloud/self-hosted/\n",
      "requires": {
        "pulumi": ">=3.235.0,<4.0.0"
      },
      "respectSchemaVersion": true
    }
  },
  "config": {
    "variables": {
      "accessToken": {
        "type": "string",
        "description": "Access Token to authenticate with Pulumi Cloud.",
        "secret": true
      },
      "apiUrl": {
        "type": "string",
        "description": "Optional override of Pulumi Cloud API endpoint.",
        "default": "https://api.pulumi.com",
        "defaultInfo": {
          "environment": [
            "PULUMI_BACKEND_URL",
            "PULUMI_API"
          ]
        }
      }
    }
  },
  "types": {
    "pulumiservice:index:AWSOIDCConfiguration": {
      "properties": {
        "duration": {
          "type": "string",
          "description": "Duration of the assume-role session in “XhYmZs” format"
        },
        "policyARNs": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Optional set of IAM policy ARNs that further restrict the assume-role session"
        },
        "roleARN": {
          "type": "string",
          "description": "The ARN of the role to assume using the OIDC token."
        },
        "sessionName": {
          "type": "string",
          "description": "The name of the assume-role session."
        }
      },
      "type": "object",
      "required": [
        "roleARN",
        "sessionName"
      ]
    },
    "pulumiservice:index:ApprovalRuleConfig": {
      "properties": {
        "allowSelfApproval": {
          "type": "boolean",
          "description": "Whether self-approval is allowed."
        },
        "eligibleApprovers": {
          "type": "array",
          "items": {
            "$ref": "#/types/pulumiservice:index:EligibleApprover"
          },
          "description": "List of eligible approvers."
        },
        "numApprovalsRequired": {
          "type": "integer",
          "description": "Number of approvals required."
        },
        "requireReapprovalOnChange": {
          "type": "boolean",
          "description": "Whether reapproval is required on changes."
        }
      },
      "type": "object",
      "required": [
        "numApprovalsRequired",
        "allowSelfApproval",
        "requireReapprovalOnChange",
        "eligibleApprovers"
      ]
    },
    "pulumiservice:index:AuthPolicyDecision": {
      "type": "string",
      "enum": [
        {
          "description": "A deny rule for Oidc Issuer Policy.",
          "value": "deny"
        },
        {
          "description": "An allow rule for Oidc Issuer Policy.",
          "value": "allow"
        }
      ]
    },
    "pulumiservice:index:AuthPolicyDefinition": {
      "properties": {
        "authorizedPermissions": {
          "type": "array",
          "items": {
            "$ref": "#/types/pulumiservice:index:AuthPolicyPermissionLevel"
          },
          "description": "The permission level for organization tokens."
        },
        "decision": {
          "$ref": "#/types/pulumiservice:index:AuthPolicyDecision",
          "description": "The rule type of this policy definition"
        },
        "rules": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "OIDC rules to set for this policy."
        },
        "runnerID": {
          "type": "string",
          "description": "The runner ID for deployment runner tokens."
        },
        "teamName": {
          "type": "string",
          "description": "The team name for team tokens."
        },
        "tokenType": {
          "$ref": "#/types/pulumiservice:index:AuthPolicyTokenType",
          "description": "The token type for this policy definition"
        },
        "userLogin": {
          "type": "string",
          "description": "The user login for personal tokens."
        }
      },
      "type": "object",
      "required": [
        "decision",
        "tokenType",
        "rules"
      ]
    },
    "pulumiservice:index:AuthPolicyPermissionLevel": {
      "type": "string",
      "enum": [
        {
          "description": "Standard level of permissions.",
          "value": "standard"
        },
        {
          "description": "Admin level of permissions.",
          "value": "admin"
        }
      ]
    },
    "pulumiservice:index:AuthPolicyTokenType": {
      "type": "string",
      "enum": [
        {
          "description": "Personal Pulumi token. Requires userLogin field to be filled.",
          "value": "personal"
        },
        {
          "description": "Team Pulumi token. Requires teamName field to be filled.",
          "value": "team"
        },
        {
          "description": "Organization Pulumi token. Requires authorizedPermissions field to be filled.",
          "value": "organization"
        },
        {
          "description": "Deployment Runner Pulumi token. Requires runnerID field to be filled.",
          "value": "runner"
        }
      ]
    },
    "pulumiservice:index:AzureOIDCConfiguration": {
      "properties": {
        "clientId": {
          "type": "string",
          "description": "The client ID of the federated workload identity."
        },
        "subscriptionId": {
          "type": "string",
          "description": "The subscription ID of the federated workload identity."
        },
        "tenantId": {
          "type": "string",
          "description": "The tenant ID of the federated workload identity."
        }
      },
      "type": "object",
      "required": [
        "clientId",
        "tenantId",
        "subscriptionId"
      ]
    },
    "pulumiservice:index:CloudProvider": {
      "type": "string",
      "enum": [
        {
          "name": "aws",
          "description": "Amazon Web Services",
          "value": "aws"
        },
        {
          "name": "azure-native",
          "description": "Microsoft Azure",
          "value": "azure-native"
        },
        {
          "name": "gcp",
          "description": "Google Cloud Platform",
          "value": "gcp"
        },
        {
          "name": "kubernetes",
          "description": "Kubernetes",
          "value": "kubernetes"
        },
        {
          "name": "oci",
          "description": "Oracle Cloud Infrastructure",
          "value": "oci"
        }
      ]
    },
    "pulumiservice:index:DeploymentSettingsCacheOptions": {
      "description": "Dependency cache settings for the deployment",
      "properties": {
        "enable": {
          "type": "boolean",
          "description": "Enable dependency caching",
          "default": false
        }
      },
      "type": "object"
    },
    "pulumiservice:index:DeploymentSettingsExecutorContext": {
      "description": "The executor context defines information about the executor where the deployment is executed. If unspecified, the default 'pulumi/pulumi' image is used.",
      "properties": {
        "executorImage": {
          "type": "string",
          "description": "Allows overriding the default executor image with a custom image. E.g. 'pulumi/pulumi-nodejs:latest'"
        }
      },
      "type": "object",
      "required": [
        "executorImage"
      ]
    },
    "pulumiservice:index:DeploymentSettingsGitAuthBasicAuth": {
      "description": "Git source settings for a deployment.",
      "properties": {
        "password": {
          "type": "string",
          "description": "Password for git basic authentication.",
          "secret": true
        },
        "username": {
          "type": "string",
          "description": "User name for git basic authentication.",
          "secret": true
        }
      },
      "type": "object",
      "required": [
        "username",
        "password"
      ]
    },
    "pulumiservice:index:DeploymentSettingsGitAuthSSHAuth": {
      "description": "Git source settings for a deployment.",
      "properties": {
        "password": {
          "type": "string",
          "description": "Optional password for SSH authentication.",
          "secret": true
        },
        "sshPrivateKey": {
          "type": "string",
          "description": "SSH private key.",
          "secret": true
        }
      },
      "type": "object",
      "required": [
        "sshPrivateKey"
      ]
    },
    "pulumiservice:index:DeploymentSettingsGitSource": {
      "description": "Git source settings for a deployment.",
      "properties": {
        "branch": {
          "type": "string",
          "description": "The branch to deploy. One of either `branch` or `commit` must be specified."
        },
        "commit": {
          "type": "string",
          "description": "The commit to deploy. One of either `branch` or `commit` must be specified."
        },
        "gitAuth": {
          "$ref": "#/types/pulumiservice:index:DeploymentSettingsGitSourceGitAuth",
          "description": "Git authentication configuration for this deployment. Should not be specified if there are `gitHub` settings for this deployment."
        },
        "repoDir": {
          "type": "string",
          "description": "The directory within the repository where the Pulumi.yaml is located."
        },
        "repoUrl": {
          "type": "string",
          "description": "The repository URL to use for git settings. Should not be specified if there are `gitHub` settings for this deployment."
        }
      },
      "type": "object"
    },
    "pulumiservice:index:DeploymentSettingsGitSourceGitAuth": {
      "description": "Git source settings for a deployment.",
      "properties": {
        "basicAuth": {
          "$ref": "#/types/pulumiservice:index:DeploymentSettingsGitAuthBasicAuth",
          "description": "Basic auth for git authentication. Only one of `personalAccessToken`, `sshAuth`, or `basicAuth` must be defined."
        },
        "sshAuth": {
          "$ref": "#/types/pulumiservice:index:DeploymentSettingsGitAuthSSHAuth",
          "description": "SSH auth for git authentication. Only one of `personalAccessToken`, `sshAuth`, or `basicAuth` must be defined."
        }
      },
      "type": "object"
    },
    "pulumiservice:index:DeploymentSettingsGithub": {
      "description": "GitHub settings for the deployment.",
      "properties": {
        "deployCommits": {
          "type": "boolean",
          "description": "Trigger a deployment running `pulumi up` on commit.",
          "default": true
        },
        "paths": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "The paths within the repo that deployments should be filtered to."
        },
        "previewPullRequests": {
          "type": "boolean",
          "description": "Trigger a deployment running `pulumi preview` when a PR is opened.",
          "default": true
        },
        "pullRequestTemplate": {
          "type": "boolean",
          "description": "Use this stack as a template for pull request review stacks.",
          "default": false
        },
        "repository": {
          "type": "string",
          "description": "The GitHub repository in the format org/repo."
        }
      },
      "type": "object"
    },
    "pulumiservice:index:DeploymentSettingsOperationContext": {
      "description": "Settings related to the Pulumi operation environment during the deployment.",
      "properties": {
        "environmentVariables": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "Environment variables to set for the deployment."
        },
        "oidc": {
          "$ref": "#/types/pulumiservice:index:OperationContextOIDC",
          "description": "OIDC configuration to use during the deployment."
        },
        "options": {
          "$ref": "#/types/pulumiservice:index:OperationContextOptions",
          "description": "Options to override default behavior during the deployment."
        },
        "preRunCommands": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Shell commands to run before the Pulumi operation executes."
        }
      },
      "type": "object"
    },
    "pulumiservice:index:DeploymentSettingsSourceContext": {
      "description": "Settings related to the source of the deployment.",
      "properties": {
        "git": {
          "$ref": "#/types/pulumiservice:index:DeploymentSettingsGitSource",
          "description": "Git source settings for a deployment."
        }
      },
      "type": "object"
    },
    "pulumiservice:index:DeploymentSettingsVcs": {
      "description": "VCS settings for the deployment, supporting multiple VCS providers.",
      "properties": {
        "deployCommits": {
          "type": "boolean",
          "description": "Trigger a deployment running `pulumi up` on commit.",
          "default": true
        },
        "deployPullRequest": {
          "type": "integer",
          "description": "Deploy a specific pull request number."
        },
        "installationId": {
          "type": "string",
          "description": "The VCS integration installation ID. Use to disambiguate when an organization has multiple integrations of the same provider type (e.g., two GitHub Apps). If omitted, the API resolves the integration automatically from `provider` and `repository`."
        },
        "paths": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "The paths within the repo that deployments should be filtered to."
        },
        "previewPullRequests": {
          "type": "boolean",
          "description": "Trigger a deployment running `pulumi preview` when a PR is opened.",
          "default": true
        },
        "provider": {
          "type": "string",
          "description": "The VCS provider type."
        },
        "pullRequestTemplate": {
          "type": "boolean",
          "description": "Use this stack as a template for pull request review stacks.",
          "default": false
        },
        "repository": {
          "type": "string",
          "description": "The repository identifier (e.g., 'ProjectName/RepoName' for Azure DevOps, 'org/repo' for GitHub)."
        }
      },
      "type": "object",
      "required": [
        "provider"
      ]
    },
    "pulumiservice:index:EligibleApprover": {
      "properties": {
        "rbacPermission": {
          "$ref": "#/types/pulumiservice:index:RbacPermission",
          "description": "RBAC permission that gives right to approve."
        },
        "teamName": {
          "type": "string",
          "description": "Name of the team that can approve."
        },
        "user": {
          "type": "string",
          "description": "Login of the user that can approve."
        }
      },
      "type": "object"
    },
    "pulumiservice:index:EnvironmentIdentifier": {
      "properties": {
        "name": {
          "type": "string",
          "description": "The environment name."
        },
        "organization": {
          "type": "string",
          "description": "The organization name."
        },
        "project": {
          "type": "string",
          "description": "The project name."
        }
      },
      "type": "object",
      "required": [
        "organization",
        "project",
        "name"
      ]
    },
    "pulumiservice:index:EnvironmentPermission": {
      "type": "string",
      "enum": [
        {
          "description": "No permissions.",
          "value": "none"
        },
        {
          "description": "Permission to read environment definition only.",
          "value": "read"
        },
        {
          "description": "Permission to open and read the environment.",
          "value": "open"
        },
        {
          "description": "Permission to open, read and update the environment.",
          "value": "write"
        },
        {
          "description": "Permission for all operations on the environment.",
          "value": "admin"
        }
      ]
    },
    "pulumiservice:index:GCPOIDCConfiguration": {
      "properties": {
        "projectId": {
          "type": "string",
          "description": "The numerical ID of the GCP project."
        },
        "providerId": {
          "type": "string",
          "description": "The ID of the identity provider associated with the workload pool."
        },
        "region": {
          "type": "string",
          "description": "The region of the GCP project."
        },
        "serviceAccount": {
          "type": "string",
          "description": "The email address of the service account to use."
        },
        "tokenLifetime": {
          "type": "string",
          "description": "The lifetime of the temporary credentials in “XhYmZs” format."
        },
        "workloadPoolId": {
          "type": "string",
          "description": "The ID of the workload pool to use."
        }
      },
      "type": "object",
      "required": [
        "projectId",
        "workloadPoolId",
        "providerId",
        "serviceAccount"
      ]
    },
    "pulumiservice:index:InsightsAccountState": {
      "properties": {
        "accountName": {
          "type": "string",
          "description": "Name of the insights account.",
          "replaceOnChanges": true
        },
        "environment": {
          "type": "string",
          "description": "The ESC environment used for provider credentials. Format: 'project/environment' with optional '@version' suffix (e.g., 'my-project/prod-env' or 'my-project/prod-env@v1.0')."
        },
        "insightsAccountId": {
          "type": "string",
          "description": "The insights account identifier."
        },
        "organizationName": {
          "type": "string",
          "description": "The organization's name.",
          "replaceOnChanges": true
        },
        "provider": {
          "$ref": "#/types/pulumiservice:index:CloudProvider",
          "description": "The cloud provider for scanning.",
          "replaceOnChanges": true
        },
        "providerConfig": {
          "type": "object",
          "additionalProperties": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "Provider-specific configuration as a JSON object. For AWS, specify regions to scan: {\"regions\": [\"us-west-1\", \"us-west-2\"]}."
        },
        "scanSchedule": {
          "$ref": "#/types/pulumiservice:index:ScanSchedule",
          "description": "Schedule for automated scanning. Use 'daily' for daily scans, '12h' for scans every twelve hours, or 'none' to disable scheduled scanning. Defaults to 'none'.",
          "default": "none"
        },
        "scheduledScanEnabled": {
          "type": "boolean",
          "description": "Whether scheduled scanning is enabled."
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "Key-value tags to associate with the insights account."
        }
      },
      "type": "object",
      "required": [
        "organizationName",
        "accountName",
        "provider",
        "environment",
        "scanSchedule",
        "insightsAccountId",
        "scheduledScanEnabled"
      ]
    },
    "pulumiservice:index:OperationContextOIDC": {
      "properties": {
        "aws": {
          "$ref": "#/types/pulumiservice:index:AWSOIDCConfiguration",
          "description": "AWS-specific OIDC configuration."
        },
        "azure": {
          "$ref": "#/types/pulumiservice:index:AzureOIDCConfiguration",
          "description": "Azure-specific OIDC configuration."
        },
        "gcp": {
          "$ref": "#/types/pulumiservice:index:GCPOIDCConfiguration",
          "description": "GCP-specific OIDC configuration."
        }
      },
      "type": "object"
    },
    "pulumiservice:index:OperationContextOptions": {
      "properties": {
        "deleteAfterDestroy": {
          "type": "boolean",
          "description": "Whether the stack should be deleted after it is destroyed."
        },
        "shell": {
          "type": "string",
          "description": "The shell to use to run commands during the deployment. Defaults to 'bash'."
        },
        "skipInstallDependencies": {
          "type": "boolean",
          "description": "Skip the default dependency installation step. Use this to customize the dependency installation (e.g. if using yarn or poetry)."
        },
        "skipIntermediateDeployments": {
          "type": "boolean",
          "description": "Skip intermediate deployments (consolidate multiple deployments of the same type into one deployment)."
        }
      },
      "type": "object"
    },
    "pulumiservice:index:OrganizationMemberInfo": {
      "properties": {
        "role": {
          "type": "string",
          "description": "The member's built-in role (member, admin, billing-manager). Absent when a custom role is assigned — check `roleId` in that case."
        },
        "roleId": {
          "type": "string",
          "description": "The custom role ID assigned to this member, if any."
        },
        "roleName": {
          "type": "string",
          "description": "The name of the currently assigned role (custom role name, or built-in role)."
        },
        "username": {
          "type": "string",
          "description": "The member's Pulumi Cloud username."
        },
        "virtualAdmin": {
          "type": "boolean",
          "description": "Whether this member is an admin in Pulumi Cloud without admin access on the backing identity provider."
        }
      },
      "type": "object",
      "required": [
        "username",
        "virtualAdmin"
      ]
    },
    "pulumiservice:index:PolicyGroupPolicyPackReference": {
      "description": "A reference to a policy pack within a policy group.",
      "properties": {
        "config": {
          "type": "object",
          "additionalProperties": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "Optional configuration for the policy pack. The special key `all` sets the default enforcement level for every policy in the pack; per-policy entries override it."
        },
        "displayName": {
          "type": "string",
          "description": "The display name of the policy pack."
        },
        "name": {
          "type": "string",
          "description": "The name of the policy pack."
        },
        "version": {
          "type": "number",
          "description": "The server-derived numeric version of the policy pack. This is output-only; use `versionTag` to pin a specific version."
        },
        "versionTag": {
          "type": "string",
          "description": "The version tag of the policy pack."
        }
      },
      "type": "object",
      "required": [
        "name"
      ]
    },
    "pulumiservice:index:PolicyGroupPolicyPackReferenceInput": {
      "description": "A reference to a policy pack within a policy group (input).",
      "properties": {
        "config": {
          "type": "object",
          "additionalProperties": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "Optional configuration for the policy pack. The special key `all` sets the default enforcement level for every policy in the pack; per-policy entries override it."
        },
        "displayName": {
          "type": "string",
          "description": "The display name of the policy pack."
        },
        "name": {
          "type": "string",
          "description": "The name of the policy pack."
        },
        "versionTag": {
          "type": "string",
          "description": "The version tag of the policy pack."
        }
      },
      "type": "object",
      "required": [
        "name"
      ]
    },
    "pulumiservice:index:PolicyGroupStackReference": {
      "description": "A reference to a stack within a policy group.",
      "properties": {
        "name": {
          "type": "string",
          "description": "The name of the stack."
        },
        "routingProject": {
          "type": "string",
          "description": "The routing project name (also known as project name)."
        }
      },
      "type": "object",
      "required": [
        "name",
        "routingProject"
      ]
    },
    "pulumiservice:index:PulumiOperation": {
      "type": "string",
      "enum": [
        {
          "name": "update",
          "description": "Analogous to `pulumi up` command.",
          "value": "update"
        },
        {
          "name": "preview",
          "description": "Analogous to `pulumi preview` command.",
          "value": "preview"
        },
        {
          "name": "refresh",
          "description": "Analogous to `pulumi refresh` command.",
          "value": "refresh"
        },
        {
          "name": "destroy",
          "description": "Analogous to `pulumi destroy` command.",
          "value": "destroy"
        }
      ]
    },
    "pulumiservice:index:RbacPermission": {
      "type": "string",
      "enum": [
        {
          "name": "Read",
          "description": "Read permission.",
          "value": "environment:read"
        },
        {
          "name": "ReadDecrypt",
          "description": "Read and decrypt permission.",
          "value": "environment:read_decrypt"
        },
        {
          "name": "Open",
          "description": "Open permission.",
          "value": "environment:open"
        },
        {
          "name": "Write",
          "description": "Write permission.",
          "value": "environment:write"
        },
        {
          "name": "Delete",
          "description": "Delete permission.",
          "value": "environment:delete"
        },
        {
          "name": "Clone",
          "description": "Clone permission.",
          "value": "environment:clone"
        },
        {
          "name": "Rotate",
          "description": "Rotate permission.",
          "value": "environment:rotate"
        }
      ]
    },
    "pulumiservice:index:RoleScopeInfo": {
      "properties": {
        "description": {
          "type": "string",
          "description": "Human-readable description of what the scope grants."
        },
        "groupName": {
          "type": "string",
          "description": "The scope group label as shown in the Pulumi Cloud console (e.g. `Stacks`)."
        },
        "name": {
          "type": "string",
          "description": "The scope name (e.g. `stack:read`)."
        },
        "resourceType": {
          "type": "string",
          "description": "The resource-type bucket the scope belongs to (e.g. `stack`, `team`)."
        }
      },
      "type": "object",
      "required": [
        "name",
        "description",
        "groupName",
        "resourceType"
      ]
    },
    "pulumiservice:index:ScanSchedule": {
      "type": "string",
      "enum": [
        {
          "name": "none",
          "description": "Disable automated scanning.",
          "value": "none"
        },
        {
          "description": "Run automated scans every twelve hours.",
          "value": "12h"
        },
        {
          "name": "daily",
          "description": "Run automated scans once per day.",
          "value": "daily"
        }
      ]
    },
    "pulumiservice:index:TargetActionType": {
      "type": "string",
      "enum": [
        {
          "name": "Update",
          "description": "Update action type for approval rules.",
          "value": "update"
        }
      ]
    },
    "pulumiservice:index:TeamStackPermissionScope": {
      "type": "integer",
      "enum": [
        {
          "name": "read",
          "description": "Grants read permissions to stack.",
          "value": 101
        },
        {
          "name": "edit",
          "description": "Grants edit permissions to stack.",
          "value": 102
        },
        {
          "name": "admin",
          "description": "Grants admin permissions to stack.",
          "value": 103
        }
      ]
    },
    "pulumiservice:index:TemplateSourceDestination": {
      "properties": {
        "url": {
          "type": "string",
          "description": "Destination URL that gets filled in on new project creation."
        }
      },
      "type": "object"
    },
    "pulumiservice:index:WebhookFilters": {
      "type": "string",
      "enum": [
        {
          "name": "StackCreated",
          "description": "Trigger a webhook when a stack is created. Only valid for org webhooks.",
          "value": "stack_created"
        },
        {
          "name": "StackDeleted",
          "description": "Trigger a webhook when a stack is deleted. Only valid for org webhooks.",
          "value": "stack_deleted"
        },
        {
          "name": "UpdateSucceeded",
          "description": "Trigger a webhook when a stack update succeeds.",
          "value": "update_succeeded"
        },
        {
          "name": "UpdateFailed",
          "description": "Trigger a webhook when a stack update fails.",
          "value": "update_failed"
        },
        {
          "name": "PreviewSucceeded",
          "description": "Trigger a webhook when a stack preview succeeds.",
          "value": "preview_succeeded"
        },
        {
          "name": "PreviewFailed",
          "description": "Trigger a webhook when a stack preview fails.",
          "value": "preview_failed"
        },
        {
          "name": "DestroySucceeded",
          "description": "Trigger a webhook when a stack destroy succeeds.",
          "value": "destroy_succeeded"
        },
        {
          "name": "DestroyFailed",
          "description": "Trigger a webhook when a stack destroy fails.",
          "value": "destroy_failed"
        },
        {
          "name": "RefreshSucceeded",
          "description": "Trigger a webhook when a stack refresh succeeds.",
          "value": "refresh_succeeded"
        },
        {
          "name": "RefreshFailed",
          "description": "Trigger a webhook when a stack refresh fails.",
          "value": "refresh_failed"
        },
        {
          "name": "DeploymentQueued",
          "description": "Trigger a webhook when a deployment is queued.",
          "value": "deployment_queued"
        },
        {
          "name": "DeploymentStarted",
          "description": "Trigger a webhook when a deployment starts running.",
          "value": "deployment_started"
        },
        {
          "name": "DeploymentSucceeded",
          "description": "Trigger a webhook when a deployment succeeds.",
          "value": "deployment_succeeded"
        },
        {
          "name": "DeploymentFailed",
          "description": "Trigger a webhook when a deployment fails.",
          "value": "deployment_failed"
        },
        {
          "name": "DriftDetected",
          "description": "Trigger a webhook when drift is detected.",
          "value": "drift_detected"
        },
        {
          "name": "DriftDetectionSucceeded",
          "description": "Trigger a webhook when a drift detection run succeeds, regardless of whether drift is detected.",
          "value": "drift_detection_succeeded"
        },
        {
          "name": "DriftDetectionFailed",
          "description": "Trigger a webhook when a drift detection run fails.",
          "value": "drift_detection_failed"
        },
        {
          "name": "DriftRemediationSucceeded",
          "description": "Trigger a webhook when a drift remediation run succeeds.",
          "value": "drift_remediation_succeeded"
        },
        {
          "name": "DriftRemediationFailed",
          "description": "Trigger a webhook when a drift remediation run fails.",
          "value": "drift_remediation_failed"
        },
        {
          "name": "EnvironmentCreated",
          "description": "Trigger a webhook when a new environment is created.",
          "value": "environment_created"
        },
        {
          "name": "EnvironmentDeleted",
          "description": "Trigger a webhook when an environment is deleted.",
          "value": "environment_deleted"
        },
        {
          "name": "EnvironmentRevisionCreated",
          "description": "Trigger a webhook when a new revision is created on an environment.",
          "value": "environment_revision_created"
        },
        {
          "name": "EnvironmentRevisionRetracted",
          "description": "Trigger a webhook when a revision is retracted on an environment.",
          "value": "environment_revision_retracted"
        },
        {
          "name": "EnvironmentRevisionTagCreated",
          "description": "Trigger a webhook when a revision tag is created on an environment.",
          "value": "environment_revision_tag_created"
        },
        {
          "name": "EnvironmentRevisionTagDeleted",
          "description": "Trigger a webhook when a revision tag is deleted on an environment.",
          "value": "environment_revision_tag_deleted"
        },
        {
          "name": "EnvironmentRevisionTagUpdated",
          "description": "Trigger a webhook when a revision tag is updated on an environment.",
          "value": "environment_revision_tag_updated"
        },
        {
          "name": "EnvironmentTagCreated",
          "description": "Trigger a webhook when an environment tag is created.",
          "value": "environment_tag_created"
        },
        {
          "name": "EnvironmentTagDeleted",
          "description": "Trigger a webhook when an environment tag is deleted.",
          "value": "environment_tag_deleted"
        },
        {
          "name": "EnvironmentTagUpdated",
          "description": "Trigger a webhook when an environment tag is updated.",
          "value": "environment_tag_updated"
        },
        {
          "name": "ImportedEnvironmentChanged",
          "description": "Trigger a webhook when an imported environment has changed.",
          "value": "imported_environment_changed"
        }
      ]
    },
    "pulumiservice:index:WebhookFormat": {
      "type": "string",
      "enum": [
        {
          "description": "The default webhook format.",
          "value": "raw"
        },
        {
          "description": "Messages formatted for consumption by Slack incoming webhooks.",
          "value": "slack"
        },
        {
          "name": "PulumiDeployments",
          "description": "Initiate deployments on a stack from a Pulumi Cloud webhook.",
          "value": "pulumi_deployments"
        },
        {
          "name": "MicrosoftTeams",
          "description": "Messages formatted for consumption by Microsoft Teams incoming webhooks.",
          "value": "ms_teams"
        }
      ]
    },
    "pulumiservice:index:WebhookGroup": {
      "type": "string",
      "enum": [
        {
          "name": "Stacks",
          "description": "A group of webhooks containing all stack events.",
          "value": "stacks"
        },
        {
          "name": "Deployments",
          "description": "A group of webhooks containing all deployment events.",
          "value": "deployments"
        },
        {
          "name": "Environments",
          "description": "A group of webhooks containing all environment events.",
          "value": "environments"
        }
      ]
    }
  },
  "provider": {
    "properties": {
      "accessToken": {
        "type": "string",
        "description": "Access Token to authenticate with Pulumi Cloud.",
        "secret": true
      },
      "apiUrl": {
        "type": "string",
        "description": "Optional override of Pulumi Cloud API endpoint.",
        "default": "https://api.pulumi.com",
        "defaultInfo": {
          "environment": [
            "PULUMI_BACKEND_URL",
            "PULUMI_API"
          ]
        }
      }
    },
    "inputProperties": {
      "accessToken": {
        "type": "string",
        "description": "Access Token to authenticate with Pulumi Cloud.",
        "secret": true
      },
      "apiUrl": {
        "type": "string",
        "description": "Optional override of Pulumi Cloud API endpoint.",
        "default": "https://api.pulumi.com",
        "defaultInfo": {
          "environment": [
            "PULUMI_BACKEND_URL",
            "PULUMI_API"
          ]
        }
      }
    }
  },
  "resources": {
    "pulumiservice:api/agents:Pool": {
      "description": "Creates a new agent pool for an organization. Agent pools enable self-hosted deployment agents, allowing organizations to run Pulumi Deployments on their own infrastructure rather than Pulumi-managed infrastructure. This is useful for accessing private networks, meeting compliance requirements, or using custom execution environments. The response includes an access token (agent pool secret) that self-hosted agents use to authenticate when polling for deployment work. This token is only returned once at creation time and cannot be retrieved later.",
      "properties": {
        "agents": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "The agents"
        },
        "created": {
          "type": "integer",
          "description": "The creation timestamp"
        },
        "description": {
          "type": "string",
          "description": "The description"
        },
        "name": {
          "type": "string",
          "description": "The name"
        },
        "poolId": {
          "type": "string",
          "description": "The unique identifier"
        },
        "tokenValue": {
          "type": "string",
          "description": "The token value",
          "secret": true
        }
      },
      "type": "object",
      "required": [
        "agents",
        "created",
        "description",
        "name",
        "poolId"
      ],
      "inputProperties": {
        "description": {
          "type": "string",
          "description": "The description"
        },
        "name": {
          "type": "string",
          "description": "The name"
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "poolId": {
          "type": "string",
          "description": "The agent pool identifier",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "description",
        "name",
        "orgName"
      ]
    },
    "pulumiservice:api/agents:Task": {
      "description": "Creates a new agent task for the specified organization. The request must include a prompt (the user event message) that initiates the task. Set the 'permissionMode' field in the request body to restrict the agent to read-only operations. Returns the created task details including task ID, name, status, and timestamp.",
      "properties": {
        "approvalMode": {
          "type": "string",
          "description": "Approval mode for this task. Valid values: 'manual', 'auto', 'balanced'."
        },
        "asyncTriggerType": {
          "type": "string",
          "description": "The async trigger source for this task. Null for sync tasks."
        },
        "contextCompactionThresholdPercent": {
          "type": "integer",
          "description": "Percentage of the context window (1-100) at which the agent triggers conversation compaction. Populated alongside contextWindowTokens when token usage data is available; omitted otherwise."
        },
        "contextUsedTokens": {
          "type": "integer",
          "description": "Total input tokens consumed across all model invocations for this task. Approximate context window usage."
        },
        "contextWindowTokens": {
          "type": "integer",
          "description": "Maximum context window size in tokens for the primary model used by this task."
        },
        "createdAt": {
          "type": "string",
          "description": "When the task was created, in ISO 8601 format."
        },
        "createdBy": {
          "$ref": "pulumi.json#/Any",
          "description": "Information about the user who created this task."
        },
        "entities": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "Pulumi entities (stacks, projects, etc.) that provide context for the agent."
        },
        "isShared": {
          "type": "boolean",
          "description": "Whether this task is shared with other org members."
        },
        "lastHeartbeat": {
          "type": "string",
          "description": "When the task runtime last reported a heartbeat. Null if the runtime has never checked in."
        },
        "name": {
          "type": "string",
          "description": "Display name for the task, typically auto-generated from the initial user message."
        },
        "permissionMode": {
          "type": "string",
          "description": "The permission scope for the task."
        },
        "planMode": {
          "type": "boolean",
          "description": "Whether the task is in plan mode. Set based on the first user message."
        },
        "runtimePhase": {
          "type": "string",
          "description": "The current runtime phase for this task. Null until the runtime checks in."
        },
        "sharedAt": {
          "type": "string",
          "description": "When the task was first shared. Null if never shared."
        },
        "source": {
          "type": "string",
          "description": "The origin that triggered this task. Valid values: 'console', 'cli', 'slack', 'schedule', 'api', 'github'."
        },
        "sourceAutomationID": {
          "type": "string",
          "description": "The automation that spawned this task, if the task was created by an automation run."
        },
        "status": {
          "type": "string",
          "description": "Current execution status of the task."
        },
        "taskType": {
          "type": "string",
          "description": "Whether the task was started synchronously by a user or asynchronously by background automation."
        },
        "tokensUsed": {
          "type": "integer",
          "description": "Total Neo tokens consumed across all model invocations for this task. Neo tokens are the priced unit used for billing — distinct from the raw model input tokens surfaced in contextUsedTokens / contextWindowTokens."
        },
        "toolExecutionMode": {
          "type": "string",
          "description": "Where tools are executed for this task. Valid values: 'cloud', 'cli'."
        }
      },
      "type": "object",
      "required": [
        "approvalMode",
        "createdAt",
        "createdBy",
        "entities",
        "isShared",
        "name",
        "planMode",
        "status",
        "taskType",
        "tokensUsed"
      ],
      "inputProperties": {
        "approvalMode": {
          "type": "string",
          "description": "Optional approval mode override for this task. If omitted, org default is used."
        },
        "cliIntegrations": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "Optional filter for CLI integrations to enable for this task. Semantics: omitted/null → enable all CLI integrations connected for the org; empty list → explicit opt-out (no CLI integrations for this task); populated list → whitelist by (catalogId, name) of the configured instances to enable. Entries with missing or unknown catalogId, missing name, or referencing a (catalogId, name) pair that is not connected for the organization are rejected with a 400 response. catalogId matching is case-insensitive."
        },
        "enabledIntegrations": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "Optional list of integrations to enable for this task. Semantics: omitted/null → inherit all org-enabled integrations; empty list → explicit opt-out (no integration credentials for this task); populated list → whitelist of specific integrations by ID. Modeled as an object array rather than a bare string array so multi-instance support (instance_name, scope, etc.) can be added later without a wire break."
        },
        "message": {
          "$ref": "pulumi.json#/Any",
          "description": "The message content"
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "permissionMode": {
          "type": "string",
          "description": "Controls the permission scope for the task. When omitted, defaults to 'default' (the agent uses the creating user's full permissions)."
        },
        "planMode": {
          "type": "boolean",
          "description": "Whether to enable plan mode for this task."
        },
        "source": {
          "type": "string",
          "description": "The origin that triggered this task. Defaults to 'api' if omitted."
        },
        "taskID": {
          "type": "string",
          "description": "The agent task identifier",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "toolExecutionMode": {
          "type": "string",
          "description": "Where tools should be executed. Defaults to 'cloud' if omitted."
        }
      },
      "requiredInputs": [
        "orgName"
      ]
    },
    "pulumiservice:api/auth:OidcIssuer": {
      "description": "Registers a new OIDC issuer for an organization, establishing a trust relationship with an external identity provider. Once registered, the identity provider can issue signed, short-lived tokens that are exchanged for temporary Pulumi Cloud credentials during deployments. This eliminates the need to store long-lived access tokens. Supported providers include AWS, Azure, Google Cloud, GitHub Actions, and any OIDC-compliant identity provider. The request must include the issuer URL, and the service will fetch the provider's public signing keys to verify token authenticity.",
      "properties": {
        "created": {
          "type": "string",
          "description": "The ISO 8601 timestamp when the OIDC issuer was created."
        },
        "issuer": {
          "type": "string",
          "description": "The OIDC issuer identifier, typically a URL that uniquely identifies the identity provider."
        },
        "issuerId": {
          "type": "string",
          "description": "The unique identifier of the registered OIDC issuer."
        },
        "jwks": {
          "$ref": "pulumi.json#/Any",
          "description": "The JSON Web Key Set for the OIDC issuer."
        },
        "lastUsed": {
          "type": "string",
          "description": "The ISO 8601 timestamp when the OIDC issuer was last used for token exchange."
        },
        "maxExpiration": {
          "type": "integer",
          "description": "The maximum token expiration time in seconds."
        },
        "modified": {
          "type": "string",
          "description": "The ISO 8601 timestamp when the OIDC issuer was last modified."
        },
        "name": {
          "type": "string",
          "description": "The display name of the OIDC issuer."
        },
        "thumbprints": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "SHA-1 certificate thumbprints used to verify the OIDC issuer's TLS certificate."
        },
        "url": {
          "type": "string",
          "description": "The URL of the OIDC issuer."
        }
      },
      "type": "object",
      "required": [
        "issuer",
        "issuerId",
        "name",
        "url"
      ],
      "inputProperties": {
        "issuerId": {
          "type": "string",
          "description": "The OIDC issuer identifier",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "jwks": {
          "$ref": "pulumi.json#/Any",
          "description": "The JSON Web Key Set for the OIDC issuer."
        },
        "maxExpiration": {
          "type": "integer",
          "description": "The maximum token expiration time in seconds."
        },
        "name": {
          "type": "string",
          "description": "The display name of the OIDC issuer."
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "thumbprints": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "SHA-1 certificate thumbprints used to verify the OIDC issuer's TLS certificate."
        },
        "url": {
          "type": "string",
          "description": "The URL of the OIDC issuer."
        }
      },
      "requiredInputs": [
        "name",
        "orgName",
        "url"
      ]
    },
    "pulumiservice:api/auth:Policy": {
      "description": "Updates an authentication policy for an organization. Authentication policies define rules for how OIDC tokens are validated and what access they grant, including claim mappings, trust conditions, and role assignments. The policy definition cannot be empty.\n\nThe request body contains a `policies` array where each policy object includes:\n- `decision`: `allow` or `deny`\n- `tokenType`: `organization`, `team`, `personal`, or `runner`\n- `teamName`: required when tokenType is `team`\n- `userLogin`: required when tokenType is `personal`\n- `runnerID`: required when tokenType is `runner`\n- `authorizedPermissions`: array of permissions (only `admin` is supported for organization tokens)\n- `rules`: object defining claim-matching rules for the token\n\nFor more information about authorization rules, refer to the [OIDC authorization policies documentation](https://www.pulumi.com/docs/pulumi-cloud/access-management/oidc/client/#configure-the-authorization-policies).",
      "properties": {
        "created": {
          "type": "string",
          "description": "The creation timestamp"
        },
        "issuerId": {
          "type": "string",
          "description": "The unique identifier"
        },
        "modified": {
          "type": "string",
          "description": "The last modification timestamp"
        },
        "policies": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "List of policies"
        },
        "version": {
          "type": "integer",
          "description": "The version number"
        }
      },
      "type": "object",
      "required": [
        "issuerId",
        "policies",
        "version"
      ],
      "inputProperties": {
        "issuerId": {
          "type": "string",
          "description": "The OIDC issuer identifier",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "policies": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "List of policies"
        },
        "policyId": {
          "type": "string",
          "description": "The policy identifier",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "orgName",
        "policies",
        "policyId"
      ]
    },
    "pulumiservice:api/auth:SAML": {
      "description": "Updates the SAML configuration for a SAML-backed organization, including the identity provider SSO descriptor, attribute mappings, and other SAML settings. The new IDP SSO descriptor is required in the update request.",
      "properties": {
        "entityId": {
          "type": "string",
          "description": "The SAML entity ID. This field and the fields that follow it can be empty if the metadata (IDPSSODescriptor) itself is empty for the organization."
        },
        "idpSsoDescriptor": {
          "type": "string",
          "description": "The SAML Identity Provider SSO descriptor XML."
        },
        "nameIdFormat": {
          "type": "string",
          "description": "The SAML NameID format used by the identity provider."
        },
        "organization": {
          "$ref": "pulumi.json#/Any",
          "description": "The Pulumi organization."
        },
        "ssoUrl": {
          "type": "string",
          "description": "The SSO URL for the identity provider."
        },
        "validUntil": {
          "type": "string",
          "description": "ValidUntil is the date until which the X.509 Certificate issued to the organization by the identity provider is valid."
        },
        "validationError": {
          "type": "string",
          "description": "ValidationError will be set only if there is an error validating the SAML org's metadata XML."
        }
      },
      "type": "object",
      "required": [
        "idpSsoDescriptor",
        "organization"
      ],
      "inputProperties": {
        "newIdpSsoDescriptor": {
          "type": "string",
          "description": "The new IDP SSO descriptor XML for the SAML configuration."
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "orgName"
      ]
    },
    "pulumiservice:api/deployments:ScheduledDeployment": {
      "description": "Creates a custom deployment schedule for a stack using Pulumi Deployments. Custom schedules allow you to automate recurring or one-time Pulumi operations on a stack. The request must include exactly one of 'scheduleCron' (a cron expression for recurring executions, e.g. '0 */4 * * *' for every 4 hours) or 'scheduleOnce' (an ISO 8601 timestamp for a one-time execution). The 'request' field contains the deployment configuration that will be executed on each scheduled run, including the Pulumi operation type and any settings overrides. The stack must have deployment settings configured before a schedule can be created.",
      "properties": {
        "created": {
          "type": "string",
          "description": "The timestamp when this scheduled action was created."
        },
        "definition": {
          "type": "object",
          "additionalProperties": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "The action definition, which varies based on the action kind."
        },
        "kind": {
          "type": "string",
          "description": "The kind of action to be executed."
        },
        "lastExecuted": {
          "type": "string",
          "description": "The timestamp of the last execution, if any."
        },
        "modified": {
          "type": "string",
          "description": "The timestamp when this scheduled action was last modified."
        },
        "nextExecution": {
          "type": "string",
          "description": "The timestamp of the next scheduled execution."
        },
        "orgID": {
          "type": "string",
          "description": "The organization ID that owns this scheduled action."
        },
        "paused": {
          "type": "boolean",
          "description": "Whether the scheduled action is currently paused."
        },
        "scheduleCron": {
          "type": "string",
          "description": "A cron expression defining the recurring schedule."
        },
        "scheduleID": {
          "type": "string",
          "description": "The unique identifier for this scheduled action."
        },
        "scheduleOnce": {
          "type": "string",
          "description": "A timestamp for a one-time scheduled execution."
        }
      },
      "type": "object",
      "required": [
        "created",
        "definition",
        "kind",
        "lastExecuted",
        "modified",
        "nextExecution",
        "orgID",
        "paused",
        "scheduleID"
      ],
      "inputProperties": {
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "projectName": {
          "type": "string",
          "description": "The project name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "request": {
          "$ref": "pulumi.json#/Any",
          "description": "Deployment request payload to execute when the schedule fires. This has the same shape and semantics as CreateDeploymentRequest used for immediate deployments."
        },
        "scheduleCron": {
          "type": "string",
          "description": "Cron expression defining a recurring schedule for this deployment. When set, scheduleOnce must be null. Uses standard 5-field cron syntax (MIN HOUR DOM MON DOW) and is evaluated in UTC."
        },
        "scheduleID": {
          "type": "string",
          "description": "The schedule identifier",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "scheduleOnce": {
          "type": "string",
          "description": "Single point-in-time schedule for this deployment. When set, scheduleCron must be null. The value must be an ISO 8601 timestamp with timezone."
        },
        "stackName": {
          "type": "string",
          "description": "The stack name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "orgName",
        "projectName",
        "stackName"
      ]
    },
    "pulumiservice:api/deployments:Settings": {
      "description": "Creates or updates Pulumi Deployments settings for a stack using a merge operation. If no settings exist, they are created. If settings already exist, the request body is merged with the current settings using the following logic: for each property, start with the current value, remove it if the patch specifies null, or merge the new non-null value with the existing one. Non-object properties (strings, numbers, booleans) are replaced entirely. Settings include source context (git repository URL, branch, directory), operation context (environment variables, pre-run commands, OIDC configuration), executor context, GitHub integration settings, and cache options. Requires a Team Growth or higher subscription. Cannot be used to configure Pulumi Deployments for Terraform stacks.",
      "properties": {
        "agentPoolID": {
          "type": "string",
          "description": "The identifier of the agent pool to use for deployments."
        },
        "cacheOptions": {
          "$ref": "pulumi.json#/Any",
          "description": "Cache options for the deployment."
        },
        "executorContext": {
          "$ref": "pulumi.json#/Any",
          "description": "The executor context defining the execution environment."
        },
        "gitHub": {
          "$ref": "pulumi.json#/Any",
          "description": "GitHub-specific deployment settings"
        },
        "operationContext": {
          "$ref": "pulumi.json#/Any",
          "description": "The operation context defining pre-run and post-run commands and environment variables."
        },
        "source": {
          "type": "string",
          "description": "The source from which the deployment settings were created."
        },
        "sourceContext": {
          "$ref": "pulumi.json#/Any",
          "description": "The source context defining where the source code is located."
        },
        "tag": {
          "type": "string",
          "description": "A tag to identify the deployment settings configuration."
        },
        "vcs": {
          "$ref": "pulumi.json#/Any",
          "description": "VCS provider settings"
        },
        "version": {
          "type": "integer",
          "description": "The version of the deployment settings."
        }
      },
      "type": "object",
      "inputProperties": {
        "agentPoolID": {
          "type": "string",
          "description": "The identifier of the agent pool to use for deployments."
        },
        "cacheOptions": {
          "$ref": "pulumi.json#/Any",
          "description": "Cache options for the deployment."
        },
        "executorContext": {
          "$ref": "pulumi.json#/Any",
          "description": "The executor context defining the execution environment."
        },
        "gitHub": {
          "$ref": "pulumi.json#/Any",
          "description": "GitHub-specific deployment settings"
        },
        "operationContext": {
          "$ref": "pulumi.json#/Any",
          "description": "The operation context defining pre-run and post-run commands and environment variables."
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "projectName": {
          "type": "string",
          "description": "The project name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "sourceContext": {
          "$ref": "pulumi.json#/Any",
          "description": "The source context defining where the source code is located."
        },
        "stackName": {
          "type": "string",
          "description": "The stack name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "tag": {
          "type": "string",
          "description": "A tag to identify the deployment settings configuration."
        },
        "vcs": {
          "$ref": "pulumi.json#/Any",
          "description": "VCS provider settings"
        }
      },
      "requiredInputs": [
        "orgName",
        "projectName",
        "stackName"
      ]
    },
    "pulumiservice:api/esc:Environment": {
      "description": "Creates a new Pulumi ESC (Environments, Secrets, and Configuration) environment within the specified organization. The request body must include the project name and the environment name. Environment names must be unique within a project and may only contain alphanumeric characters, hyphens, underscores, and periods. The newly created environment starts with an empty YAML definition that can be updated via the UpdateEnvironment endpoint.",
      "properties": {
        "yaml": {
          "type": "string",
          "description": "Raw YAML body content.",
          "secret": true
        }
      },
      "type": "object",
      "inputProperties": {
        "name": {
          "type": "string",
          "description": "The name of the environment.",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "project": {
          "type": "string",
          "description": "The project name for the environment.",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "yaml": {
          "type": "string",
          "description": "Raw YAML body content.",
          "secret": true
        }
      },
      "requiredInputs": [
        "name",
        "orgName",
        "project"
      ]
    },
    "pulumiservice:api/esc:EnvironmentDraft": {
      "description": "Creates a new draft change request for a Pulumi ESC environment. Drafts allow proposing changes to an environment definition that can be reviewed and approved before being applied. This is part of the approvals workflow for environments. Returns a ChangeRequestRef containing the draft identifier. Requires the Approvals feature to be enabled for the organization.",
      "properties": {
        "changeRequestId": {
          "type": "string",
          "description": "The change request identifier"
        },
        "latestRevisionNumber": {
          "type": "integer",
          "description": "The latest revision number"
        },
        "yaml": {
          "type": "string",
          "description": "Raw YAML body content.",
          "secret": true
        }
      },
      "type": "object",
      "inputProperties": {
        "changeRequestId": {
          "type": "string",
          "description": "The change request ID",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "envName": {
          "type": "string",
          "description": "The environment name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "projectName": {
          "type": "string",
          "description": "The project name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "envName",
        "orgName",
        "projectName"
      ]
    },
    "pulumiservice:api/esc:EnvironmentSchedule": {
      "description": "Creates a new scheduled action for a Pulumi ESC environment. Schedules can be used to automate recurring operations on environments, such as secret rotation. The request body specifies the schedule timing and the action to perform. Returns the created ScheduledAction on success. Requires the secret rotation feature to be enabled for the organization.",
      "properties": {
        "created": {
          "type": "string",
          "description": "The timestamp when this scheduled action was created."
        },
        "definition": {
          "type": "object",
          "additionalProperties": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "The action definition, which varies based on the action kind."
        },
        "kind": {
          "type": "string",
          "description": "The kind of action to be executed."
        },
        "lastExecuted": {
          "type": "string",
          "description": "The timestamp of the last execution, if any."
        },
        "modified": {
          "type": "string",
          "description": "The timestamp when this scheduled action was last modified."
        },
        "nextExecution": {
          "type": "string",
          "description": "The timestamp of the next scheduled execution."
        },
        "orgID": {
          "type": "string",
          "description": "The organization ID that owns this scheduled action."
        },
        "paused": {
          "type": "boolean",
          "description": "Whether the scheduled action is currently paused."
        },
        "scheduleCron": {
          "type": "string",
          "description": "A cron expression defining the recurring schedule."
        },
        "scheduleID": {
          "type": "string",
          "description": "The unique identifier for this scheduled action."
        },
        "scheduleOnce": {
          "type": "string",
          "description": "A timestamp for a one-time scheduled execution."
        }
      },
      "type": "object",
      "required": [
        "created",
        "definition",
        "kind",
        "lastExecuted",
        "modified",
        "nextExecution",
        "orgID",
        "paused",
        "scheduleID"
      ],
      "inputProperties": {
        "envName": {
          "type": "string",
          "description": "The environment name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "projectName": {
          "type": "string",
          "description": "The project name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "scheduleCron": {
          "type": "string",
          "description": "A cron expression defining the recurring schedule."
        },
        "scheduleID": {
          "type": "string",
          "description": "The schedule ID",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "scheduleOnce": {
          "type": "string",
          "description": "A timestamp for a one-time scheduled execution."
        },
        "secretRotationRequest": {
          "$ref": "pulumi.json#/Any",
          "description": "The secret rotation request",
          "secret": true
        }
      },
      "requiredInputs": [
        "envName",
        "orgName",
        "projectName"
      ]
    },
    "pulumiservice:api/esc:EnvironmentSettings": {
      "description": "Updates settings for a Pulumi ESC environment using a partial update (patch) approach. Currently supports toggling deletion protection via the deletionProtected field. When deletionProtected is set to true, the environment cannot be deleted until the setting is explicitly disabled. Only the fields included in the request body are modified; omitted fields retain their current values.",
      "properties": {
        "deletionProtected": {
          "type": "boolean",
          "description": "Whether the environment is protected from deletion."
        }
      },
      "type": "object",
      "required": [
        "deletionProtected"
      ],
      "inputProperties": {
        "deletionProtected": {
          "type": "boolean",
          "description": "DeletionProtected indicates whether deletion protection should be enabled for this environment. Null means no change."
        },
        "envName": {
          "type": "string",
          "description": "The environment name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "projectName": {
          "type": "string",
          "description": "The project name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "envName",
        "orgName",
        "projectName"
      ]
    },
    "pulumiservice:api/esc:EnvironmentTag": {
      "description": "Adds a new user-defined tag to a Pulumi ESC environment. Tags are key-value pairs that provide contextual metadata for organizing and searching environments (e.g., region=us-east-1, team=platform). The tag name and value are provided in the request body. Returns the created EnvironmentTag on success. Returns 409 if a tag with the same name already exists on the environment.",
      "properties": {
        "created": {
          "type": "string",
          "description": "The timestamp when the tag was created."
        },
        "editorLogin": {
          "type": "string",
          "description": "The login name of the user who last edited the tag."
        },
        "editorName": {
          "type": "string",
          "description": "The display name of the user who last edited the tag."
        },
        "modified": {
          "type": "string",
          "description": "The timestamp when the tag was last modified."
        },
        "name": {
          "type": "string",
          "description": "The name of the tag."
        },
        "value": {
          "type": "string",
          "description": "The value of the tag."
        }
      },
      "type": "object",
      "required": [
        "created",
        "editorLogin",
        "editorName",
        "modified",
        "name",
        "value"
      ],
      "inputProperties": {
        "envName": {
          "type": "string",
          "description": "The environment name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "name": {
          "type": "string",
          "description": "The name of the tag.",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "projectName": {
          "type": "string",
          "description": "The project name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "value": {
          "type": "string",
          "description": "The value of the tag."
        }
      },
      "requiredInputs": [
        "envName",
        "name",
        "orgName",
        "projectName",
        "value"
      ]
    },
    "pulumiservice:api/esc:OpenEnvironmentRequest": {
      "description": "Creates an open request for a Pulumi ESC environment that has gated opens enabled. When an environment has open gates configured, opening the environment requires an approval workflow. This endpoint initiates that process by creating an open request, and also creates corresponding open requests for each imported environment that has open gates. Requires the Approvals feature to be enabled for the organization. Returns 400 if the environment does not have gated opens.",
      "properties": {
        "accessDurationSeconds": {
          "type": "integer",
          "description": "Total duration that the resulting grant can be used to access the environment open endpoint (after first open)"
        },
        "grantExpirationSeconds": {
          "type": "integer",
          "description": "Time from application of the request until the resulting grant expires"
        }
      },
      "type": "object",
      "required": [
        "accessDurationSeconds",
        "grantExpirationSeconds"
      ],
      "inputProperties": {
        "accessDurationSeconds": {
          "type": "integer",
          "description": "Total duration that the resulting grant can be used to access the environment open endpoint (after first open)"
        },
        "changeRequestId": {
          "type": "string",
          "description": "The change request ID",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "envName": {
          "type": "string",
          "description": "The environment name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "grantExpirationSeconds": {
          "type": "integer",
          "description": "Time from application of the request until the resulting grant expires"
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "projectName": {
          "type": "string",
          "description": "The project name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "accessDurationSeconds",
        "envName",
        "grantExpirationSeconds",
        "orgName",
        "projectName"
      ]
    },
    "pulumiservice:api/esc:RevisionTag": {
      "description": "Creates a new revision tag for a Pulumi ESC environment. Revision tags are named references that point to specific revision numbers, similar to Git tags. They allow pinning a stable reference to a known-good version of an environment. Tagged versions can be used in imports and Pulumi stack configuration (e.g., myproject/env@prod) to ensure stable references unaffected by subsequent changes. The built-in 'latest' tag always points to the most recent revision.",
      "properties": {
        "created": {
          "type": "string",
          "description": "The timestamp when the tag was created."
        },
        "editorLogin": {
          "type": "string",
          "description": "The login name of the user who last edited the tag."
        },
        "editorName": {
          "type": "string",
          "description": "The display name of the user who last edited the tag."
        },
        "modified": {
          "type": "string",
          "description": "The timestamp when the tag was last modified."
        },
        "name": {
          "type": "string",
          "description": "The name of the tag."
        },
        "revision": {
          "type": "integer",
          "description": "The revision number this tag points to."
        }
      },
      "type": "object",
      "required": [
        "created",
        "modified",
        "name",
        "revision"
      ],
      "inputProperties": {
        "envName": {
          "type": "string",
          "description": "The environment name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "name": {
          "type": "string",
          "description": "The name of the tag.",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "projectName": {
          "type": "string",
          "description": "The project name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "revision": {
          "type": "integer",
          "description": "The revision number this tag points to."
        }
      },
      "requiredInputs": [
        "envName",
        "name",
        "orgName",
        "projectName"
      ]
    },
    "pulumiservice:api/esc:Webhook": {
      "description": "Creates a new webhook for a Pulumi ESC environment. Webhooks allow external services to be notified when environment events occur, such as updates or opens. The request body specifies the webhook configuration including the destination URL, event filters, and format. Returns 400 if the organization name in the request body does not match the URL path parameter. Returns 409 if a webhook with the same name already exists.",
      "properties": {
        "active": {
          "type": "boolean",
          "description": "Whether the webhook is active and will receive deliveries."
        },
        "displayName": {
          "type": "string",
          "description": "The human-readable display name shown in the UI."
        },
        "envName": {
          "type": "string",
          "description": "The environment name. Set when the webhook is scoped to a specific environment."
        },
        "filters": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Specific event types this webhook subscribes to. If empty, all events are delivered."
        },
        "format": {
          "type": "string",
          "description": "The format of the webhook payload (e.g., 'raw', 'slack', 'ms_teams')."
        },
        "groups": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Event groups this webhook subscribes to (e.g., 'stacks', 'deployments')."
        },
        "hasSecret": {
          "type": "boolean",
          "description": "HasSecret is true if the webhook has a secret. This is used to determine whether\nto show that there is a secret in the UI.",
          "secret": true
        },
        "name": {
          "type": "string",
          "description": "The unique identifier name for the webhook within its scope."
        },
        "organizationName": {
          "type": "string",
          "description": "The organization that owns this webhook."
        },
        "payloadUrl": {
          "type": "string",
          "description": "The URL to which webhook payloads are delivered."
        },
        "projectName": {
          "type": "string",
          "description": "The project name. Set when the webhook is scoped to a specific stack."
        },
        "secret": {
          "type": "string",
          "description": "Secret will be omitted when returned from the service.",
          "secret": true
        },
        "secretCiphertext": {
          "type": "string",
          "description": "SecretCiphertext is the ciphertext value of the webhook's secret.\nIt's used to check whether the secret was changed by the PSP.",
          "secret": true
        },
        "stackName": {
          "type": "string",
          "description": "The stack name. Set when the webhook is scoped to a specific stack."
        }
      },
      "type": "object",
      "required": [
        "active",
        "displayName",
        "hasSecret",
        "name",
        "organizationName",
        "payloadUrl",
        "secretCiphertext"
      ],
      "inputProperties": {
        "active": {
          "type": "boolean",
          "description": "Whether the webhook is active and will receive deliveries."
        },
        "displayName": {
          "type": "string",
          "description": "The human-readable display name shown in the UI."
        },
        "envName": {
          "type": "string",
          "description": "The environment name. Set when the webhook is scoped to a specific environment.",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "filters": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Specific event types this webhook subscribes to. If empty, all events are delivered."
        },
        "format": {
          "type": "string",
          "description": "The format of the webhook payload (e.g., 'raw', 'slack', 'ms_teams')."
        },
        "groups": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Event groups this webhook subscribes to (e.g., 'stacks', 'deployments')."
        },
        "name": {
          "type": "string",
          "description": "The unique identifier name for the webhook within its scope.",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "organizationName": {
          "type": "string",
          "description": "The organization that owns this webhook.",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "payloadUrl": {
          "type": "string",
          "description": "The URL to which webhook payloads are delivered."
        },
        "projectName": {
          "type": "string",
          "description": "The project name. Set when the webhook is scoped to a specific stack.",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "secret": {
          "type": "string",
          "description": "Secret will be omitted when returned from the service.",
          "secret": true
        },
        "stackName": {
          "type": "string",
          "description": "The stack name. Set when the webhook is scoped to a specific stack."
        }
      },
      "requiredInputs": [
        "active",
        "displayName",
        "envName",
        "name",
        "organizationName",
        "payloadUrl",
        "projectName"
      ]
    },
    "pulumiservice:api/insights:Account": {
      "description": "Creates a new Insights account. An Insights account represents a cloud provider account (e.g., AWS, Azure, OCI) configured for resource discovery.",
      "properties": {
        "agentPoolID": {
          "type": "string",
          "description": "The ID of the agent pool to run account discovery workflows.\nIf not specified, discovery will use the default agent pool."
        },
        "name": {
          "type": "string",
          "description": "The name of the account."
        },
        "ownedBy": {
          "$ref": "pulumi.json#/Any",
          "description": "The user with ownership of this Insights account"
        },
        "provider": {
          "type": "string",
          "description": "The cloud provider for the account (e.g., aws, gcp, azure-native)."
        },
        "providerConfig": {
          "type": "object",
          "additionalProperties": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "Provider-specific configuration for the account."
        },
        "providerEnvRef": {
          "type": "string",
          "description": "Reference to an ESC environment containing provider credentials,\nin the format 'project/environment' with an optional @version suffix."
        },
        "providerVersion": {
          "type": "string",
          "description": "The version of the Pulumi provider package used for discovery."
        },
        "scanStatus": {
          "$ref": "pulumi.json#/Any",
          "description": "Status of the last discovery scan for this account."
        },
        "scheduledScanEnabled": {
          "type": "boolean",
          "description": "If true, the account is scheduled for recurring discovery."
        }
      },
      "type": "object",
      "required": [
        "name",
        "ownedBy",
        "provider",
        "scheduledScanEnabled"
      ],
      "inputProperties": {
        "accountName": {
          "type": "string",
          "description": "The Insights account name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "agentPoolID": {
          "type": "string",
          "description": "The ID of the agent pool to run account discovery workflows.\nIf not specified, discovery will use the default agent pool."
        },
        "cron": {
          "type": "string",
          "description": "Deprecated: Use scanSchedule instead. Cron expression for scheduling scans."
        },
        "environment": {
          "type": "string",
          "description": "Reference to an ESC environment containing provider credentials,\nin the format 'project/environment' with an optional @version suffix."
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "provider": {
          "type": "string",
          "description": "The cloud provider for the account (e.g., aws, gcp, azure-native)."
        },
        "providerConfig": {
          "type": "object",
          "additionalProperties": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "Provider-specific configuration for the account."
        },
        "scanSchedule": {
          "type": "string",
          "description": "Schedule for automated discovery scans (e.g., 'none', 'daily')."
        }
      },
      "requiredInputs": [
        "accountName",
        "environment",
        "orgName",
        "provider"
      ]
    },
    "pulumiservice:api/insights:ScheduledScanSettings": {
      "description": "Updates the scheduled scan configuration for an Insights account, such as scan frequency and schedule.",
      "properties": {
        "batchSize": {
          "type": "integer",
          "description": "The batch size for processing resources during the scan."
        },
        "listConcurrency": {
          "type": "integer",
          "description": "The concurrency level for list operations during the scan."
        },
        "paused": {
          "type": "boolean",
          "description": "Whether the scheduled scan is paused."
        },
        "readConcurrency": {
          "type": "integer",
          "description": "The concurrency level for read operations during the scan."
        },
        "readTimeout": {
          "type": "string",
          "description": "The timeout duration for read operations, as a Go duration string (e.g., '30s', '5m')."
        },
        "scheduleCron": {
          "type": "string",
          "description": "The cron expression defining the scan schedule."
        }
      },
      "type": "object",
      "required": [
        "paused",
        "scheduleCron"
      ],
      "inputProperties": {
        "accountName": {
          "type": "string",
          "description": "The Insights account name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "batchSize": {
          "type": "integer",
          "description": "The batch size for processing resources during the scan."
        },
        "listConcurrency": {
          "type": "integer",
          "description": "The concurrency level for list operations during the scan."
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "paused": {
          "type": "boolean",
          "description": "Whether the scheduled scan is paused."
        },
        "readConcurrency": {
          "type": "integer",
          "description": "The concurrency level for read operations during the scan."
        },
        "readTimeout": {
          "type": "string",
          "description": "The timeout duration for read operations, as a Go duration string (e.g., '30s', '5m')."
        },
        "scheduleCron": {
          "type": "string",
          "description": "The cron expression defining the scan schedule."
        }
      },
      "requiredInputs": [
        "accountName",
        "orgName",
        "paused"
      ]
    },
    "pulumiservice:api/integrations:AzureDevOpsIntegration": {
      "description": "Updates an existing Azure DevOps integration's settings. Can modify the Azure DevOps organization, project, or authentication configuration.",
      "properties": {
        "authUser": {
          "$ref": "pulumi.json#/Any",
          "description": "The Pulumi user whose Azure DevOps authentication token is being used"
        },
        "disableDetailedDiff": {
          "type": "boolean",
          "description": "Whether detailed property-level diffs are disabled for PR comments"
        },
        "disableNeoSummaries": {
          "type": "boolean",
          "description": "Whether Neo AI summaries are disabled for this integration"
        },
        "disablePRComments": {
          "type": "boolean",
          "description": "Whether PR comments are disabled for this integration"
        },
        "installed": {
          "type": "boolean",
          "description": "Whether the org has an Azure DevOps app integration configured"
        },
        "organization": {
          "$ref": "pulumi.json#/Any",
          "description": "Metadata about the Azure DevOps organization linked to the Pulumi organization"
        },
        "project": {
          "$ref": "pulumi.json#/Any",
          "description": "Metadata about the Azure DevOps project linked to the Pulumi organization"
        },
        "valid": {
          "type": "boolean",
          "description": "Whether the app integration is valid"
        }
      },
      "type": "object",
      "required": [
        "installed",
        "valid"
      ],
      "inputProperties": {
        "disableDetailedDiff": {
          "type": "boolean",
          "description": "Whether detailed property-level diffs are disabled for PR comments"
        },
        "disableNeoSummaries": {
          "type": "boolean",
          "description": "Whether Neo AI summaries are disabled for this integration"
        },
        "disablePRComments": {
          "type": "boolean",
          "description": "Whether PR comments are disabled for this integration"
        },
        "integrationId": {
          "type": "string",
          "description": "The Azure DevOps integration identifier",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "integrationId",
        "orgName"
      ]
    },
    "pulumiservice:api/integrations:BitBucketIntegration": {
      "description": "Updates an existing BitBucket integration's settings, such as PR comment preferences and AI summary options.",
      "properties": {
        "authType": {
          "type": "string",
          "description": "The authentication type used: 'workspace_token', 'user_token', or 'pat'."
        },
        "authUser": {
          "$ref": "pulumi.json#/Any",
          "description": "The user whose BitBucket OAuth token is being used for authentication, if user-based auth is configured."
        },
        "avatarUrl": {
          "type": "string",
          "description": "URL of the BitBucket workspace avatar image."
        },
        "disableDetailedDiff": {
          "type": "boolean",
          "description": "Whether detailed property-level diffs are disabled for PR comments."
        },
        "disableNeoSummaries": {
          "type": "boolean",
          "description": "Whether Neo AI summaries are disabled for this integration."
        },
        "disablePRComments": {
          "type": "boolean",
          "description": "Whether PR comments are disabled for this integration."
        },
        "installed": {
          "type": "boolean",
          "description": "Whether this integration is fully installed and operational."
        },
        "valid": {
          "type": "boolean",
          "description": "Whether the integration's credentials are currently valid."
        },
        "workspaceName": {
          "type": "string",
          "description": "Display name of the BitBucket workspace."
        },
        "workspaceSlug": {
          "type": "string",
          "description": "The slug (URL-friendly name) of the linked BitBucket workspace."
        },
        "workspaceUuid": {
          "type": "string",
          "description": "The UUID of the linked BitBucket workspace."
        }
      },
      "type": "object",
      "required": [
        "disableDetailedDiff",
        "disableNeoSummaries",
        "disablePRComments",
        "installed",
        "valid",
        "workspaceSlug",
        "workspaceUuid"
      ],
      "inputProperties": {
        "disableDetailedDiff": {
          "type": "boolean",
          "description": "If true, disable detailed property-level diffs in PR comments."
        },
        "disableNeoSummaries": {
          "type": "boolean",
          "description": "If true, disable Neo AI-generated deployment summaries in PR comments."
        },
        "disablePRComments": {
          "type": "boolean",
          "description": "If true, disable automatic PR comments on deployments."
        },
        "integrationId": {
          "type": "string",
          "description": "The BitBucket integration identifier",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "integrationId",
        "orgName"
      ]
    },
    "pulumiservice:api/integrations:CustomVCSIntegration": {
      "description": "Creates a new custom VCS integration for an organization. Custom VCS integrations allow connecting self-hosted or third-party version control systems (e.g. Gitea, Forgejo, Bitbucket Server) to Pulumi Deployments. Credentials are managed via ESC environments, and deployments are triggered by inbound webhooks. Returns the created integration including its webhook URL and HMAC secret for signature verification.",
      "properties": {
        "baseUrl": {
          "type": "string",
          "description": "URL prefix for repositories covered by this integration"
        },
        "created": {
          "type": "string",
          "description": "ISO 8601 timestamp of when the integration was created"
        },
        "environment": {
          "type": "string",
          "description": "ESC environment reference in 'project/envName' format containing VCS credentials"
        },
        "integrationId": {
          "type": "string",
          "description": "Unique identifier (UUID) for this integration"
        },
        "modified": {
          "type": "string",
          "description": "ISO 8601 timestamp of when the integration was last modified"
        },
        "name": {
          "type": "string",
          "description": "Human-readable name for the integration"
        },
        "repositories": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "List of repositories configured on this integration"
        },
        "vcsType": {
          "type": "string",
          "description": "Version control system type"
        },
        "webhookSecret": {
          "type": "string",
          "description": "HMAC secret for webhook signature verification. Only returned on integration creation; subsequent GET requests omit this field.",
          "secret": true
        },
        "webhookUrl": {
          "type": "string",
          "description": "Full webhook endpoint URL that the external VCS should POST events to. This URL is generated by the service and includes the integration ID."
        }
      },
      "type": "object",
      "required": [
        "baseUrl",
        "created",
        "environment",
        "integrationId",
        "modified",
        "name",
        "vcsType"
      ],
      "inputProperties": {
        "baseUrl": {
          "type": "string",
          "description": "URL prefix for repositories covered by this integration (e.g. 'https://gitea.example.com/myorg'). Used to match repositories to integrations."
        },
        "environment": {
          "type": "string",
          "description": "ESC environment reference in 'project/envName' format containing VCS credentials (e.g. SSH keys, access tokens) used for repository operations"
        },
        "integrationId": {
          "type": "string",
          "description": "The custom VCS integration identifier",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "name": {
          "type": "string",
          "description": "Human-readable name for the integration, unique within the organization (e.g. 'Gitea Production')"
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "vcsType": {
          "type": "string",
          "description": "Version control system type. Defaults to 'git' if not specified."
        }
      },
      "requiredInputs": [
        "baseUrl",
        "environment",
        "name",
        "orgName"
      ]
    },
    "pulumiservice:api/integrations:CustomVCSRepository": {
      "description": "Adds a repository to a custom VCS integration. The repository name must be unique within the integration. Returns 409 Conflict if a repository with the same name is already configured.",
      "type": "object",
      "inputProperties": {
        "displayName": {
          "type": "string",
          "description": "Human-readable display name for the repository. If not provided, the name is used for display purposes."
        },
        "integrationId": {
          "type": "string",
          "description": "The custom VCS integration identifier",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "name": {
          "type": "string",
          "description": "Repository name or path, joined with the integration's base URL to form the clone URL (e.g. 'myrepo' or 'subgroup/myrepo')"
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "integrationId",
        "name",
        "orgName"
      ]
    },
    "pulumiservice:api/integrations:GitHubEnterpriseIntegration": {
      "description": "Updates GitHub Enterprise Server integration settings.",
      "properties": {
        "accountID": {
          "type": "integer",
          "description": "The GitHub account ID (user or org)."
        },
        "accountName": {
          "type": "string",
          "description": "The GitHub account name (login)."
        },
        "avatarUrl": {
          "type": "string",
          "description": "The avatar URL of the GitHub account."
        },
        "created": {
          "type": "string",
          "description": "When the installation was created."
        },
        "disableCodeAccessForReviews": {
          "type": "boolean",
          "description": "Whether code access for AI reviews is disabled for this installation."
        },
        "disableDetailedDiff": {
          "type": "boolean",
          "description": "Whether detailed property-level diffs are disabled for PR comments."
        },
        "disableNeoSummaries": {
          "type": "boolean",
          "description": "Whether Neo AI summaries are disabled for this installation."
        },
        "disablePRComments": {
          "type": "boolean",
          "description": "Whether PR comments are disabled for this installation."
        },
        "ghUrls": {
          "$ref": "pulumi.json#/Any",
          "description": "URL to configure repository access for this GitHub App installation."
        },
        "hasContentsPermission": {
          "type": "boolean",
          "description": "Whether the installation has the 'contents' permission."
        },
        "hasMembersPermission": {
          "type": "boolean",
          "description": "Whether the installation has the 'members' permission (only relevant for organization accounts)."
        },
        "installationID": {
          "type": "integer",
          "description": "The GitHub installation ID."
        },
        "isOrganization": {
          "type": "boolean",
          "description": "Whether the GitHub account is an organization (as opposed to a personal account)."
        },
        "isSelfHosted": {
          "type": "boolean",
          "description": "Whether this is a self-hosted GitHub Enterprise installation."
        },
        "neoGitHubAppPermissionRequirements": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "Neo GitHub App permission requirements for this installation."
        }
      },
      "type": "object",
      "required": [
        "disableCodeAccessForReviews",
        "disableDetailedDiff",
        "disableNeoSummaries",
        "disablePRComments",
        "hasContentsPermission",
        "hasMembersPermission",
        "installationID",
        "isOrganization",
        "isSelfHosted"
      ],
      "inputProperties": {
        "disableCodeAccessForReviews": {
          "type": "boolean",
          "description": "Whether to disable code access for AI reviews"
        },
        "disableDetailedDiff": {
          "type": "boolean",
          "description": "Whether to disable detailed property-level diffs in PR comments"
        },
        "disableNeoSummaries": {
          "type": "boolean",
          "description": "Whether to disable Neo AI summaries on PRs"
        },
        "disablePRComments": {
          "type": "boolean",
          "description": "Whether to disable PR comments from the Pulumi GitHub App"
        },
        "integrationId": {
          "type": "string",
          "description": "The GitHub Enterprise integration identifier",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "integrationId",
        "orgName"
      ]
    },
    "pulumiservice:api/integrations:GitHubIntegration": {
      "description": "Updates GitHub App integration settings.",
      "properties": {
        "accountID": {
          "type": "integer",
          "description": "The GitHub account ID (user or org)."
        },
        "accountName": {
          "type": "string",
          "description": "The GitHub account name (login)."
        },
        "avatarUrl": {
          "type": "string",
          "description": "The avatar URL of the GitHub account."
        },
        "created": {
          "type": "string",
          "description": "When the installation was created."
        },
        "disableCodeAccessForReviews": {
          "type": "boolean",
          "description": "Whether code access for AI reviews is disabled for this installation."
        },
        "disableDetailedDiff": {
          "type": "boolean",
          "description": "Whether detailed property-level diffs are disabled for PR comments."
        },
        "disableNeoSummaries": {
          "type": "boolean",
          "description": "Whether Neo AI summaries are disabled for this installation."
        },
        "disablePRComments": {
          "type": "boolean",
          "description": "Whether PR comments are disabled for this installation."
        },
        "ghUrls": {
          "$ref": "pulumi.json#/Any",
          "description": "URL to configure repository access for this GitHub App installation."
        },
        "hasContentsPermission": {
          "type": "boolean",
          "description": "Whether the installation has the 'contents' permission."
        },
        "hasMembersPermission": {
          "type": "boolean",
          "description": "Whether the installation has the 'members' permission (only relevant for organization accounts)."
        },
        "installationID": {
          "type": "integer",
          "description": "The GitHub installation ID."
        },
        "isOrganization": {
          "type": "boolean",
          "description": "Whether the GitHub account is an organization (as opposed to a personal account)."
        },
        "isSelfHosted": {
          "type": "boolean",
          "description": "Whether this is a self-hosted GitHub Enterprise installation."
        },
        "neoGitHubAppPermissionRequirements": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "Neo GitHub App permission requirements for this installation."
        }
      },
      "type": "object",
      "required": [
        "disableCodeAccessForReviews",
        "disableDetailedDiff",
        "disableNeoSummaries",
        "disablePRComments",
        "hasContentsPermission",
        "hasMembersPermission",
        "installationID",
        "isOrganization",
        "isSelfHosted"
      ],
      "inputProperties": {
        "disableCodeAccessForReviews": {
          "type": "boolean",
          "description": "Whether to disable code access for AI reviews"
        },
        "disableDetailedDiff": {
          "type": "boolean",
          "description": "Whether to disable detailed property-level diffs in PR comments"
        },
        "disableNeoSummaries": {
          "type": "boolean",
          "description": "Whether to disable Neo AI summaries on PRs"
        },
        "disablePRComments": {
          "type": "boolean",
          "description": "Whether to disable PR comments from the Pulumi GitHub App"
        },
        "integrationId": {
          "type": "string",
          "description": "The GitHub App integration identifier",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "integrationId",
        "orgName"
      ]
    },
    "pulumiservice:api/integrations:GitLabIntegration": {
      "description": "Updates an existing GitLab integration's settings, such as PR comment preferences and AI summary options.",
      "properties": {
        "authUser": {
          "$ref": "pulumi.json#/Any",
          "description": "The Pulumi user whose GitLab authentication token is being used, if applicable."
        },
        "avatarUrl": {
          "type": "string",
          "description": "The URL of the GitLab group's avatar image."
        },
        "disableDetailedDiff": {
          "type": "boolean",
          "description": "Whether detailed property-level diffs are disabled for PR comments."
        },
        "disableNeoSummaries": {
          "type": "boolean",
          "description": "Whether Neo AI summaries are disabled for this integration."
        },
        "disablePRComments": {
          "type": "boolean",
          "description": "Whether PR comments are disabled for this integration."
        },
        "gitLabGroupId": {
          "type": "integer",
          "description": "The GitLab group ID linked to this integration."
        },
        "gitLabOrg": {
          "$ref": "pulumi.json#/Any",
          "description": "Metadata about the GitLab group linked to this integration."
        },
        "groupAccessTokenExpiration": {
          "type": "string",
          "description": "The expiration date of the group access token, if one is being used for authentication.",
          "secret": true
        },
        "groupName": {
          "type": "string",
          "description": "The display name of the GitLab group."
        },
        "groupPath": {
          "type": "string",
          "description": "The URL-safe path of the GitLab group (e.g. 'parent-group/child-group')."
        },
        "installed": {
          "type": "boolean",
          "description": "Whether the integration has been fully installed."
        },
        "valid": {
          "type": "boolean",
          "description": "Whether the integration is currently valid (tokens, hooks, etc.)."
        }
      },
      "type": "object",
      "required": [
        "disableDetailedDiff",
        "disableNeoSummaries",
        "disablePRComments",
        "gitLabGroupId",
        "installed",
        "valid"
      ],
      "inputProperties": {
        "disableDetailedDiff": {
          "type": "boolean",
          "description": "Whether detailed property-level diffs are disabled for PR comments."
        },
        "disableNeoSummaries": {
          "type": "boolean",
          "description": "Whether Neo AI summaries are disabled for this integration."
        },
        "disablePRComments": {
          "type": "boolean",
          "description": "Whether PR comments are disabled for this integration."
        },
        "integrationId": {
          "type": "string",
          "description": "The GitLab integration identifier",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "integrationId",
        "orgName"
      ]
    },
    "pulumiservice:api/services:Item": {
      "description": "Adds items (such as access tokens, team memberships, or stack permissions) to an existing service account. Service accounts provide programmatic, non-human access to Pulumi Cloud resources and are scoped to an organization. Items define what the service account can access and what credentials it holds. Returns the updated service details.",
      "properties": {
        "continuationToken": {
          "type": "string",
          "description": "ContinuationToken is an opaque value the client can send to fetch additional\nitems. Will be nil once all items have been returned."
        },
        "items": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "The list of service items"
        },
        "service": {
          "$ref": "pulumi.json#/Any",
          "description": "The service details"
        }
      },
      "type": "object",
      "required": [
        "items",
        "service"
      ],
      "inputProperties": {
        "items": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "List of items"
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "ownerName": {
          "type": "string",
          "description": "The owner name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "ownerType": {
          "type": "string",
          "description": "The owner type",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "serviceName": {
          "type": "string",
          "description": "The service name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "items",
        "orgName",
        "ownerName",
        "ownerType",
        "serviceName"
      ]
    },
    "pulumiservice:api/services:Service": {
      "description": "Creates a new service account in an organization. Service accounts provide programmatic, non-human identities for accessing Pulumi Cloud resources. They are scoped to an organization and can hold access tokens, belong to teams, and have stack permissions. The service name must be unique within the organization.",
      "properties": {
        "continuationToken": {
          "type": "string",
          "description": "ContinuationToken is an opaque value the client can send to fetch additional\nitems. Will be nil once all items have been returned."
        },
        "items": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "The list of service items"
        }
      },
      "type": "object",
      "required": [
        "items"
      ],
      "inputProperties": {
        "description": {
          "type": "string",
          "description": "An optional description of the service"
        },
        "items": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "An optional list of items to add during service creation"
        },
        "name": {
          "type": "string",
          "description": "The name of the service",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "ownerName": {
          "type": "string",
          "description": "The service owner name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "ownerType": {
          "type": "string",
          "description": "The service owner type",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "properties": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "An optional list of properties to set on the service"
        }
      },
      "requiredInputs": [
        "description",
        "items",
        "name",
        "orgName",
        "ownerName",
        "ownerType",
        "properties"
      ]
    },
    "pulumiservice:api/stacks:Config": {
      "description": "Updates the service-managed configuration for a stack. The request body may include the ESC environment reference, secrets provider type, encrypted key, and encryption salt. If stack configuration is returned by the API, it is used in place of the local stack config file (e.g. Pulumi.[stack].yaml). Returns the updated configuration object. Returns 400 if the environment reference is invalid or not found.",
      "properties": {
        "encryptedKey": {
          "type": "string",
          "description": "The KMS-encrypted ciphertext for the data key used for secrets encryption. Only used for cloud-based secrets providers."
        },
        "encryptionSalt": {
          "type": "string",
          "description": "The stack's base64-encoded encryption salt. Only used for passphrase-based secrets providers."
        },
        "environment": {
          "type": "string",
          "description": "Reference to ESC environment to use as stack configuration."
        },
        "secretsProvider": {
          "type": "string",
          "description": "The stack's secrets provider.",
          "secret": true
        }
      },
      "type": "object",
      "required": [
        "environment"
      ],
      "inputProperties": {
        "encryptedKey": {
          "type": "string",
          "description": "The KMS-encrypted ciphertext for the data key used for secrets encryption. Only used for cloud-based secrets providers."
        },
        "encryptionSalt": {
          "type": "string",
          "description": "The stack's base64-encoded encryption salt. Only used for passphrase-based secrets providers."
        },
        "environment": {
          "type": "string",
          "description": "Reference to ESC environment to use as stack configuration."
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "projectName": {
          "type": "string",
          "description": "The project name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "secretsProvider": {
          "type": "string",
          "description": "The stack's secrets provider.",
          "secret": true
        },
        "stackName": {
          "type": "string",
          "description": "The stack name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "environment",
        "orgName",
        "projectName",
        "stackName"
      ]
    },
    "pulumiservice:api/stacks:Stack": {
      "description": "Creates a new stack within a project in the organization. If the project does not exist, it will be created. A stack is an isolated, independently configurable instance of a Pulumi program, typically representing a deployment environment (e.g., development, staging, production). The stack name must be unique within the project.\n\nThe optional `config` object supports:\n- `environment`: reference to an ESC environment for storing stack configuration (must not already exist)\n- `secretsProvider`: the secrets provider for the stack\n- `encryptedKey`: KMS-encrypted ciphertext for the data key (cloud-based secrets providers only)\n- `encryptionSalt`: base64-encoded encryption salt (passphrase-based secrets providers only)",
      "properties": {
        "activeUpdate": {
          "type": "string",
          "description": "The active update"
        },
        "config": {
          "$ref": "pulumi.json#/Any",
          "description": "Optional cloud-persisted stack configuration.\nIf set, then the stack's configuration is loaded from the cloud and not a file on disk."
        },
        "currentOperation": {
          "$ref": "pulumi.json#/Any",
          "description": "CurrentOperation provides information about a stack operation in-progress, as applicable."
        },
        "orgName": {
          "type": "string",
          "description": "The organization name"
        },
        "projectName": {
          "type": "string",
          "description": "The project name"
        },
        "stackName": {
          "type": "string",
          "description": "The stack name"
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "Map of tags"
        },
        "version": {
          "type": "integer",
          "description": "The version number"
        }
      },
      "type": "object",
      "required": [
        "activeUpdate",
        "orgName",
        "projectName",
        "stackName",
        "version"
      ],
      "inputProperties": {
        "config": {
          "$ref": "pulumi.json#/Any",
          "description": "The configuration for the new stack."
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "projectName": {
          "type": "string",
          "description": "The project name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "stackName": {
          "type": "string",
          "description": "The name of the stack being created.",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "state": {
          "$ref": "pulumi.json#/Any",
          "description": "An optional state to initialize the stack with."
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "An optional set of tags to apply to the stack."
        },
        "teams": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "An optional set of teams to assign to the stack."
        }
      },
      "requiredInputs": [
        "orgName",
        "projectName",
        "stackName"
      ]
    },
    "pulumiservice:api/stacks:Tag": {
      "description": "Creates a new tag on the specified stack. Tags are key-value metadata pairs that can be used for organization, filtering, and storing additional information about stacks. The request body must include both a tag name and value. Returns 400 if the tag name is invalid or the tag already exists. Built-in tags (such as those automatically set by the Pulumi CLI) follow specific naming conventions.",
      "type": "object",
      "inputProperties": {
        "name": {
          "type": "string",
          "description": "The tag key, which must conform to the stack tag naming rules."
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "projectName": {
          "type": "string",
          "description": "The project name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "stackName": {
          "type": "string",
          "description": "The stack name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "value": {
          "type": "string",
          "description": "The tag value associated with this key."
        }
      },
      "requiredInputs": [
        "name",
        "orgName",
        "projectName",
        "stackName",
        "value"
      ]
    },
    "pulumiservice:api/stacks:Webhook": {
      "description": "Creates a new webhook for the specified stack. The request body must include the webhook name, payload URL, and format.\n\nThe `format` field accepts: `raw` (default), `slack`, `ms_teams`, or `pulumi_deployments`.\n\nThe `filters` field accepts a list of event types to subscribe to. See the [webhook event filtering documentation](https://www.pulumi.com/docs/pulumi-cloud/webhooks/#event-filtering) for available filters.\n\nThe optional `secret` field sets the HMAC key for signature verification. See the [webhook headers documentation](https://www.pulumi.com/docs/pulumi-cloud/webhooks/#headers) for details.\n\nReturns 409 if a webhook with the same name already exists. Returns 400 if the organization or stack name in the request body does not match the URL path parameters.",
      "properties": {
        "active": {
          "type": "boolean",
          "description": "Whether the webhook is active and will receive deliveries."
        },
        "displayName": {
          "type": "string",
          "description": "The human-readable display name shown in the UI."
        },
        "envName": {
          "type": "string",
          "description": "The environment name. Set when the webhook is scoped to a specific environment."
        },
        "filters": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Specific event types this webhook subscribes to. If empty, all events are delivered."
        },
        "format": {
          "type": "string",
          "description": "The format of the webhook payload (e.g., 'raw', 'slack', 'ms_teams')."
        },
        "groups": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Event groups this webhook subscribes to (e.g., 'stacks', 'deployments')."
        },
        "hasSecret": {
          "type": "boolean",
          "description": "HasSecret is true if the webhook has a secret. This is used to determine whether\nto show that there is a secret in the UI.",
          "secret": true
        },
        "name": {
          "type": "string",
          "description": "The unique identifier name for the webhook within its scope."
        },
        "organizationName": {
          "type": "string",
          "description": "The organization that owns this webhook."
        },
        "payloadUrl": {
          "type": "string",
          "description": "The URL to which webhook payloads are delivered."
        },
        "projectName": {
          "type": "string",
          "description": "The project name. Set when the webhook is scoped to a specific stack."
        },
        "secret": {
          "type": "string",
          "description": "Secret will be omitted when returned from the service.",
          "secret": true
        },
        "secretCiphertext": {
          "type": "string",
          "description": "SecretCiphertext is the ciphertext value of the webhook's secret.\nIt's used to check whether the secret was changed by the PSP.",
          "secret": true
        },
        "stackName": {
          "type": "string",
          "description": "The stack name. Set when the webhook is scoped to a specific stack."
        }
      },
      "type": "object",
      "required": [
        "active",
        "displayName",
        "hasSecret",
        "name",
        "organizationName",
        "payloadUrl",
        "secretCiphertext"
      ],
      "inputProperties": {
        "active": {
          "type": "boolean",
          "description": "Whether the webhook is active and will receive deliveries."
        },
        "displayName": {
          "type": "string",
          "description": "The human-readable display name shown in the UI."
        },
        "envName": {
          "type": "string",
          "description": "The environment name. Set when the webhook is scoped to a specific environment."
        },
        "filters": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Specific event types this webhook subscribes to. If empty, all events are delivered."
        },
        "format": {
          "type": "string",
          "description": "The format of the webhook payload (e.g., 'raw', 'slack', 'ms_teams')."
        },
        "groups": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Event groups this webhook subscribes to (e.g., 'stacks', 'deployments')."
        },
        "name": {
          "type": "string",
          "description": "The unique identifier name for the webhook within its scope.",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "organizationName": {
          "type": "string",
          "description": "The organization that owns this webhook.",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "payloadUrl": {
          "type": "string",
          "description": "The URL to which webhook payloads are delivered."
        },
        "projectName": {
          "type": "string",
          "description": "The project name. Set when the webhook is scoped to a specific stack.",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "secret": {
          "type": "string",
          "description": "Secret will be omitted when returned from the service.",
          "secret": true
        },
        "stackName": {
          "type": "string",
          "description": "The stack name. Set when the webhook is scoped to a specific stack.",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "active",
        "displayName",
        "name",
        "organizationName",
        "payloadUrl",
        "projectName",
        "stackName"
      ]
    },
    "pulumiservice:api/teams:Role": {
      "description": "UpdateTeamRoles upserts the role assigned to a team since we currently only support\na 1:1 mapping of teams to roles.",
      "type": "object",
      "inputProperties": {
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "roleID": {
          "type": "string",
          "description": "The role identifier",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "teamName": {
          "type": "string",
          "description": "The team name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "orgName",
        "roleID",
        "teamName"
      ]
    },
    "pulumiservice:api/teams:Team": {
      "description": "CreatePulumiTeam creates a \"Pulumi\" team, i.e. one whose membership is managed by Pulumi.\n(As opposed to a GitHub or GitLab-based team.)",
      "properties": {
        "accounts": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "The list of account permissions granted to the team."
        },
        "description": {
          "type": "string",
          "description": "A free-form text description of the team's purpose."
        },
        "displayName": {
          "type": "string",
          "description": "The human-readable display name shown in the UI."
        },
        "environments": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "The list of environment settings for the team."
        },
        "kind": {
          "type": "string",
          "description": "The kind of team (e.g., pulumi or GitHub-backed)."
        },
        "listMembersError": {
          "type": "string",
          "description": "ListMembersError is the error message if an error was encountered whilst trying to\ncontact the team's backend (e.g. GitHub). The UI will only show this error if it is non-nil\nand if Members itself is an empty slice."
        },
        "members": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "The list of team members."
        },
        "name": {
          "type": "string",
          "description": "The unique identifier name of the team within the organization."
        },
        "roleIds": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "RoleIDs are the IDs of the FGA roles assigned to the team, if any.\nCurrently only one role per team is supported."
        },
        "stacks": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "The list of stack permissions granted to the team."
        },
        "userRole": {
          "type": "string",
          "description": "UserRole is the calling user's role on the given team."
        }
      },
      "type": "object",
      "required": [
        "description",
        "displayName",
        "kind",
        "name"
      ],
      "inputProperties": {
        "description": {
          "type": "string",
          "description": "The description"
        },
        "displayName": {
          "type": "string",
          "description": "The display name"
        },
        "name": {
          "type": "string",
          "description": "The name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "description",
        "displayName",
        "name",
        "orgName"
      ]
    },
    "pulumiservice:api/tokens:OrgToken": {
      "description": "Generates a new access token scoped to the organization for use in CI/CD pipelines and automated workflows. Organization tokens belong to the organization rather than individual users, ensuring that access is not disrupted when team members leave.\n\nThe `name` field must be unique across the organization (including deleted tokens) and cannot exceed 40 characters. The `expires` field accepts a unix epoch timestamp up to two years from the present, or `0` for no expiry (default).\n\n**Important:** The token value in the response is only returned once at creation time and cannot be retrieved later. Audit logs for actions performed with organization tokens are attributed to the organization rather than an individual user.",
      "properties": {
        "tokenId": {
          "type": "string",
          "description": "The unique identifier"
        },
        "tokenValue": {
          "type": "string",
          "description": "The token value",
          "secret": true
        }
      },
      "type": "object",
      "required": [
        "tokenId",
        "tokenValue"
      ],
      "inputProperties": {
        "admin": {
          "type": "boolean",
          "description": "Whether the entity has admin privileges"
        },
        "description": {
          "type": "string",
          "description": "The description"
        },
        "expires": {
          "type": "integer",
          "description": "The expiration time"
        },
        "name": {
          "type": "string",
          "description": "The name"
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "reason": {
          "type": "string",
          "description": "Audit log reason for creating this token",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "roleID": {
          "type": "string",
          "description": "The role identifier"
        }
      },
      "requiredInputs": [
        "admin",
        "description",
        "expires",
        "name",
        "orgName"
      ]
    },
    "pulumiservice:api/tokens:PersonalToken": {
      "description": "Creates a new personal access token for the authenticated user. The request body includes a description for the token and an optional expiration time. The response includes the token ID and the tokenValue (prefixed with 'pul-'). The token value is only returned once at creation time and cannot be retrieved later.",
      "properties": {
        "tokenId": {
          "type": "string",
          "description": "The unique identifier"
        },
        "tokenValue": {
          "type": "string",
          "description": "The token value",
          "secret": true
        }
      },
      "type": "object",
      "required": [
        "tokenId",
        "tokenValue"
      ],
      "inputProperties": {
        "description": {
          "type": "string",
          "description": "The description"
        },
        "expires": {
          "type": "integer",
          "description": "The expiration time"
        },
        "reason": {
          "type": "string",
          "description": "Tracks the context that triggered token creation (e.g., redirect URL or referral source)",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "description",
        "expires"
      ]
    },
    "pulumiservice:api/tokens:TeamToken": {
      "description": "Generates a new access token scoped to a specific team within an organization. Team tokens inherit the stack permissions assigned to the team, making them suitable for CI/CD pipelines that need access limited to a specific set of stacks.\n\nThe `name` field must be unique across the organization (including deleted tokens) and cannot exceed 40 characters. The `expires` field accepts a unix epoch timestamp up to two years from the present, or `0` for no expiry (default).\n\n**Important:** The token value in the response is only returned once at creation time and cannot be retrieved later.",
      "properties": {
        "tokenId": {
          "type": "string",
          "description": "The unique identifier"
        },
        "tokenValue": {
          "type": "string",
          "description": "The token value",
          "secret": true
        }
      },
      "type": "object",
      "required": [
        "tokenId",
        "tokenValue"
      ],
      "inputProperties": {
        "description": {
          "type": "string",
          "description": "The description"
        },
        "expires": {
          "type": "integer",
          "description": "The expiration time"
        },
        "name": {
          "type": "string",
          "description": "The name"
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "reason": {
          "type": "string",
          "description": "Audit log reason for creating this token",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "teamName": {
          "type": "string",
          "description": "The team name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "description",
        "expires",
        "name",
        "orgName",
        "teamName"
      ]
    },
    "pulumiservice:api:AuditLogExportConfiguration": {
      "description": "Creates or updates the organization's automated audit log export configuration. Audit log export enables automatic delivery of audit events to an S3 bucket for long-term retention and SIEM integration. The configuration includes the S3 bucket details and IAM role for authentication. This feature is available on Business Critical edition.",
      "properties": {
        "enabled": {
          "type": "boolean",
          "description": "Whether audit log export is currently active. May be paused automatically if the configured destination repeatedly fails to authenticate."
        },
        "lastResult": {
          "$ref": "pulumi.json#/Any",
          "description": "The result of the last audit log export attempt."
        },
        "s3Config": {
          "$ref": "pulumi.json#/Any",
          "description": "The S3 configuration for exporting audit logs."
        }
      },
      "type": "object",
      "required": [
        "enabled",
        "lastResult",
        "s3Config"
      ],
      "inputProperties": {
        "newEnabled": {
          "type": "boolean",
          "description": "Whether the audit log export is enabled."
        },
        "newS3Configuration": {
          "$ref": "pulumi.json#/Any",
          "description": "The new S3 configuration for audit log export."
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "newEnabled",
        "newS3Configuration",
        "orgName"
      ]
    },
    "pulumiservice:api:DefaultOrganization": {
      "description": "UpdateDefaultOrganization sets the default organization for the current user.",
      "properties": {
        "GitHubLogin": {
          "type": "string",
          "description": "Returns the organization name. Can be an empty string if the user is a member of no organizations."
        },
        "Messages": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "Messages is a list of messages that should be displayed to the user that contextualize\nthe default org; for example: warning new users if their default org as returned by the\nservice is on an expiring trial and not free tier, with possible recommendations\non how to configure their default org locally.\nMay be empty."
        }
      },
      "type": "object",
      "required": [
        "GitHubLogin",
        "Messages"
      ],
      "inputProperties": {
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "orgName"
      ]
    },
    "pulumiservice:api:Gate": {
      "description": "Creates a new change gate for an entity in the organization. Change gates enforce approval workflows by requiring one or more approvals before infrastructure changes can be applied to the protected resource.",
      "properties": {
        "enabled": {
          "type": "boolean",
          "description": "Whether the change gate is enabled"
        },
        "gateID": {
          "type": "string",
          "description": "Unique identifier of the change gate"
        },
        "name": {
          "type": "string",
          "description": "Name of the change gate"
        },
        "rule": {
          "$ref": "pulumi.json#/Any",
          "description": "Rule configuration for the gate"
        },
        "target": {
          "$ref": "pulumi.json#/Any",
          "description": "Target configuration for the gate"
        }
      },
      "type": "object",
      "required": [
        "enabled",
        "gateID",
        "name",
        "rule",
        "target"
      ],
      "inputProperties": {
        "enabled": {
          "type": "boolean",
          "description": "Whether the change gate is enabled"
        },
        "gateID": {
          "type": "string",
          "description": "The change gate identifier",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "name": {
          "type": "string",
          "description": "Name of the change gate"
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "rule": {
          "$ref": "pulumi.json#/Any",
          "description": "Rule configuration for the gate"
        },
        "target": {
          "$ref": "pulumi.json#/Any",
          "description": "Target configuration for the gate"
        }
      },
      "requiredInputs": [
        "enabled",
        "name",
        "orgName",
        "rule",
        "target"
      ]
    },
    "pulumiservice:api:OrgTemplateCollection": {
      "description": "Creates a new template collection (source) for an organization. Template collections define where project templates are sourced from, such as a Git repository. Organization members can use these templates to create new stacks with pre-configured infrastructure code.",
      "properties": {
        "destination": {
          "$ref": "pulumi.json#/Any",
          "description": "Deprecated - use destinationURL instead."
        },
        "destinationURL": {
          "type": "string",
          "description": "The destination URL for the template source."
        },
        "error": {
          "type": "string",
          "description": "An error message if the template source is invalid. Omitted or empty when the source is valid."
        },
        "isValid": {
          "type": "boolean",
          "description": "Whether the template source configuration is valid."
        },
        "name": {
          "type": "string",
          "description": "The human-readable name for this template source."
        },
        "sourceURL": {
          "type": "string",
          "description": "The source URL to fetch templates from."
        },
        "templateID": {
          "type": "string",
          "description": "The unique identifier of the template source."
        }
      },
      "type": "object",
      "required": [
        "isValid",
        "name",
        "sourceURL",
        "templateID"
      ],
      "inputProperties": {
        "destination": {
          "$ref": "pulumi.json#/Any",
          "description": "deprecated - use DestinationURL instead"
        },
        "destinationURL": {
          "type": "string",
          "description": "The destination URL for the template source."
        },
        "name": {
          "type": "string",
          "description": "The name of the template source."
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "sourceURL": {
          "type": "string",
          "description": "The source URL to fetch templates from."
        }
      },
      "requiredInputs": [
        "name",
        "orgName",
        "sourceURL"
      ]
    },
    "pulumiservice:api:OrganizationMember": {
      "description": "Adds an existing Pulumi user to an organization with a built-in role. **Important:** The user must have already signed up for a Pulumi account before they can be added to an organization.\n\nThis endpoint only assigns built-in roles. To onboard a user with a custom role, use the organization invite flow (`BatchCreateOrgInviteEmail`) and set `roleId` on the invite — the custom role is applied when the user accepts. Alternatively, add the user here with a built-in role and then call `UpdateOrganizationMember` with `fgaRoleId` to reassign.\n\nReturns the newly created organization member record. Returns 409 if the user is already a member of the organization.",
      "properties": {
        "created": {
          "type": "string",
          "description": "When the member joined the organization."
        },
        "fgaRole": {
          "$ref": "pulumi.json#/Any",
          "description": "The role currently assigned to this member — either a built-in role (member, admin, billingManager) or a custom role. Falls back to the organization's default role if no role is assigned directly."
        },
        "knownToPulumi": {
          "type": "boolean",
          "description": "KnownToPulumi returns if the organization member has a Pulumi account."
        },
        "links": {
          "$ref": "pulumi.json#/Any",
          "description": "Links to the member in the Pulumi Console"
        },
        "role": {
          "type": "string",
          "description": "**Deprecated:** Use `fgaRole` instead. The member's built-in role within the organization. For members assigned a custom role, this is the closest built-in projection (`member`, `admin`, or `billingManager`) and may lose detail; `fgaRole` is authoritative."
        },
        "user": {
          "$ref": "pulumi.json#/Any",
          "description": "The user information for this organization member."
        },
        "virtualAdmin": {
          "type": "boolean",
          "description": "VirtualAdmin indicates that the member does not have admin access on the\nbacking identity provider, but does have admin access to the Pulumi organization."
        }
      },
      "type": "object",
      "required": [
        "created",
        "fgaRole",
        "knownToPulumi",
        "role",
        "user",
        "virtualAdmin"
      ],
      "inputProperties": {
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "role": {
          "type": "string",
          "description": "The built-in role assigned to the new member. Must be `member`, `admin`, or `billingManager`."
        },
        "userLogin": {
          "type": "string",
          "description": "The user login name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "orgName",
        "role",
        "userLogin"
      ]
    },
    "pulumiservice:api:OrganizationWebhook": {
      "description": "Creates a new webhook for an organization to notify external services when events occur. Webhooks can be configured to fire on stack events (created, deleted, update succeeded/failed), deployment events (queued, started, succeeded, failed), drift detection events, and policy violation events (mandatory, advisory).\n\nThe `format` field accepts: `raw` (default), `slack`, `ms_teams`, or `pulumi_deployments`.\n\nThe `filters` field accepts a list of event types to subscribe to. See the [webhook event filtering documentation](https://www.pulumi.com/docs/pulumi-cloud/webhooks/#event-filtering) for available filters.\n\nThe optional `secret` field sets the HMAC key for signature verification via the `Pulumi-Webhook-Signature` header. See the [webhook headers documentation](https://www.pulumi.com/docs/pulumi-cloud/webhooks/#headers) for details.",
      "properties": {
        "active": {
          "type": "boolean",
          "description": "Whether the webhook is active and will receive deliveries."
        },
        "displayName": {
          "type": "string",
          "description": "The human-readable display name shown in the UI."
        },
        "envName": {
          "type": "string",
          "description": "The environment name. Set when the webhook is scoped to a specific environment."
        },
        "filters": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Specific event types this webhook subscribes to. If empty, all events are delivered."
        },
        "format": {
          "type": "string",
          "description": "The format of the webhook payload (e.g., 'raw', 'slack', 'ms_teams')."
        },
        "groups": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Event groups this webhook subscribes to (e.g., 'stacks', 'deployments')."
        },
        "hasSecret": {
          "type": "boolean",
          "description": "HasSecret is true if the webhook has a secret. This is used to determine whether\nto show that there is a secret in the UI.",
          "secret": true
        },
        "name": {
          "type": "string",
          "description": "The unique identifier name for the webhook within its scope."
        },
        "organizationName": {
          "type": "string",
          "description": "The organization that owns this webhook."
        },
        "payloadUrl": {
          "type": "string",
          "description": "The URL to which webhook payloads are delivered."
        },
        "projectName": {
          "type": "string",
          "description": "The project name. Set when the webhook is scoped to a specific stack."
        },
        "secret": {
          "type": "string",
          "description": "Secret will be omitted when returned from the service.",
          "secret": true
        },
        "secretCiphertext": {
          "type": "string",
          "description": "SecretCiphertext is the ciphertext value of the webhook's secret.\nIt's used to check whether the secret was changed by the PSP",
          "secret": true
        },
        "stackName": {
          "type": "string",
          "description": "The stack name. Set when the webhook is scoped to a specific stack."
        }
      },
      "type": "object",
      "required": [
        "active",
        "displayName",
        "hasSecret",
        "name",
        "organizationName",
        "payloadUrl",
        "secretCiphertext"
      ],
      "inputProperties": {
        "active": {
          "type": "boolean",
          "description": "Whether the webhook is active and will receive deliveries."
        },
        "displayName": {
          "type": "string",
          "description": "The human-readable display name shown in the UI."
        },
        "envName": {
          "type": "string",
          "description": "The environment name. Set when the webhook is scoped to a specific environment."
        },
        "filters": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Specific event types this webhook subscribes to. If empty, all events are delivered."
        },
        "format": {
          "type": "string",
          "description": "The format of the webhook payload (e.g., 'raw', 'slack', 'ms_teams')."
        },
        "groups": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Event groups this webhook subscribes to (e.g., 'stacks', 'deployments')."
        },
        "name": {
          "type": "string",
          "description": "The unique identifier name for the webhook within its scope.",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "organizationName": {
          "type": "string",
          "description": "The organization that owns this webhook.",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "payloadUrl": {
          "type": "string",
          "description": "The URL to which webhook payloads are delivered."
        },
        "projectName": {
          "type": "string",
          "description": "The project name. Set when the webhook is scoped to a specific stack."
        },
        "secret": {
          "type": "string",
          "description": "Secret will be omitted when returned from the service.",
          "secret": true
        },
        "stackName": {
          "type": "string",
          "description": "The stack name. Set when the webhook is scoped to a specific stack."
        }
      },
      "requiredInputs": [
        "active",
        "displayName",
        "name",
        "organizationName",
        "payloadUrl"
      ]
    },
    "pulumiservice:api:PolicyGroup": {
      "description": "Creates a new Policy Group for an organization. Policy Groups define which Policy Packs are enforced on which stacks or cloud accounts, with configurable enforcement levels (advisory, mandatory, or disabled) per pack. This allows different policy strictness for different environments, such as advisory-only in development and mandatory in production.",
      "properties": {
        "accounts": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of Insights account names that are members of this policy group."
        },
        "agentPoolId": {
          "type": "string",
          "description": "Agent pool ID for audit policy evaluation. Defaults to Pulumi hosted pool if not specified."
        },
        "appliedPolicyPacks": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "List of policy packs that are applied to this policy group."
        },
        "entityType": {
          "type": "string",
          "description": "The type of entities this policy group applies to (stacks or accounts)."
        },
        "isOrgDefault": {
          "type": "boolean",
          "description": "True if this is either the default stacks or default accounts policy group for the organization."
        },
        "mode": {
          "type": "string",
          "description": "The enforcement mode for the policy group (audit or preventative)."
        },
        "name": {
          "type": "string",
          "description": "The name of the policy group."
        },
        "stacks": {
          "type": "array",
          "items": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "List of stacks that are members of this policy group."
        }
      },
      "type": "object",
      "required": [
        "accounts",
        "appliedPolicyPacks",
        "entityType",
        "isOrgDefault",
        "mode",
        "name",
        "stacks"
      ],
      "inputProperties": {
        "agentPoolId": {
          "type": "string",
          "description": "Agent pool ID for policy evaluation. Defaults to Pulumi hosted pool if not specified."
        },
        "entityType": {
          "type": "string",
          "description": "The type of entities this policy group applies to (stacks or accounts)."
        },
        "mode": {
          "type": "string",
          "description": "The enforcement mode for the policy group (audit or preventative). Defaults to 'audit' for account policy groups, 'preventative' for stack policy groups."
        },
        "name": {
          "type": "string",
          "description": "The name of the new policy group.",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        }
      },
      "requiredInputs": [
        "entityType",
        "name",
        "orgName"
      ]
    },
    "pulumiservice:api:Role": {
      "description": "Creates a new custom role for an organization. Custom roles define fine-grained permission sets that can be assigned to organization members and teams, enabling precise access control beyond the built-in admin and member roles. Optionally, an associated policy and role binding can be created alongside the role. Role definitions are subject to two limits: a permission descriptor group may contain at most 500 entries (each directly-specified entity counts as one entry), and the total serialized size of the role definition may not exceed 1 MB. Exceeding either limit returns a 400 error. If you need to grant access to more than 500 individually listed resources, use tag-based (ABAC) rules instead.",
      "properties": {
        "created": {
          "type": "string",
          "description": "When the role was created."
        },
        "defaultIdentifier": {
          "type": "string",
          "description": "The identifier for default roles. Empty for custom roles."
        },
        "description": {
          "type": "string",
          "description": "A human-readable description of the permission descriptor."
        },
        "details": {
          "$ref": "pulumi.json#/Any",
          "description": "The detailed permission descriptor tree."
        },
        "isOrgDefault": {
          "type": "boolean",
          "description": "Whether this role is the organization default."
        },
        "modified": {
          "type": "string",
          "description": "When the role was last modified."
        },
        "name": {
          "type": "string",
          "description": "The name of the permission descriptor."
        },
        "orgId": {
          "type": "string",
          "description": "The ID of the organization this role belongs to."
        },
        "resourceType": {
          "type": "string",
          "description": "The resource type this permission descriptor applies to."
        },
        "roleID": {
          "type": "string",
          "description": "The unique identifier for this role."
        },
        "uxPurpose": {
          "type": "string",
          "description": "The UX purpose of this permission descriptor (e.g. role, policy, set)."
        },
        "version": {
          "type": "integer",
          "description": "The version of this role."
        }
      },
      "type": "object",
      "required": [
        "created",
        "isOrgDefault",
        "modified",
        "orgId",
        "roleID",
        "version"
      ],
      "inputProperties": {
        "createPolicyAndRole": {
          "type": "boolean",
          "description": "Also create an associated policy and role binding alongside the role",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "description": {
          "type": "string",
          "description": "A human-readable description of the permission descriptor."
        },
        "details": {
          "$ref": "pulumi.json#/Any",
          "description": "The detailed permission descriptor tree."
        },
        "name": {
          "type": "string",
          "description": "The name of the permission descriptor."
        },
        "orgName": {
          "type": "string",
          "description": "The organization name",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "resourceType": {
          "type": "string",
          "description": "The resource type this permission descriptor applies to."
        },
        "roleID": {
          "type": "string",
          "description": "The role identifier",
          "replaceOnChanges": true,
          "willReplaceOnChanges": true
        },
        "uxPurpose": {
          "type": "string",
          "description": "The UX purpose of this permission descriptor (e.g. role, policy, set)."
        }
      },
      "requiredInputs": [
        "orgName"
      ]
    },
    "pulumiservice:index:AccessToken": {
      "description": "Access tokens allow a user to authenticate against the Pulumi Cloud.",
      "properties": {
        "description": {
          "type": "string",
          "description": "Description of the access token.",
          "replaceOnChanges": true
        },
        "value": {
          "type": "string",
          "description": "The token's value.",
          "secret": true
        }
      },
      "required": [
        "description",
        "value"
      ],
      "inputProperties": {
        "description": {
          "type": "string",
          "description": "Description of the access token.",
          "replaceOnChanges": true
        }
      },
      "requiredInputs": [
        "description"
      ]
    },
    "pulumiservice:index:AgentPool": {
      "description": "Agent Pool for customer managed deployments.",
      "properties": {
        "agentPoolId": {
          "type": "string",
          "description": "The agent pool identifier."
        },
        "description": {
          "type": "string",
          "description": "Description of the agent pool."
        },
        "forceDestroy": {
          "type": "boolean",
          "description": "Optional. Flag indicating whether to delete the agent pool even if stacks are configured to use it."
        },
        "name": {
          "type": "string",
          "description": "Name of the agent pool."
        },
        "organizationName": {
          "type": "string",
          "description": "The organization's name.",
          "replaceOnChanges": true
        },
        "tokenValue": {
          "type": "string",
          "description": "The agent pool's token's value.",
          "secret": true
        }
      },
      "required": [
        "organizationName",
        "name",
        "agentPoolId",
        "tokenValue"
      ],
      "inputProperties": {
        "description": {
          "type": "string",
          "description": "Description of the agent pool."
        },
        "forceDestroy": {
          "type": "boolean",
          "description": "Optional. Flag indicating whether to delete the agent pool even if stacks are configured to use it."
        },
        "name": {
          "type": "string",
          "description": "Name of the agent pool."
        },
        "organizationName": {
          "type": "string",
          "description": "The organization's name.",
          "replaceOnChanges": true
        }
      },
      "requiredInputs": [
        "organizationName",
        "name"
      ]
    },
    "pulumiservice:index:ApprovalRule": {
      "description": "An approval rule for environment deployments.",
      "properties": {
        "approvalRuleConfig": {
          "$ref": "#/types/pulumiservice:index:ApprovalRuleConfig",
          "description": "The approval rule configuration."
        },
        "enabled": {
          "type": "boolean",
          "description": "Whether the approval rule is enabled."
        },
        "environmentIdentifier": {
          "$ref": "#/types/pulumiservice:index:EnvironmentIdentifier",
          "description": "The environment this rule applies to."
        },
        "name": {
          "type": "string",
          "description": "Name of the approval rule."
        },
        "targetActionTypes": {
          "type": "array",
          "items": {
            "$ref": "#/types/pulumiservice:index:TargetActionType"
          },
          "description": "The type of action this rule applies to."
        }
      },
      "required": [
        "name",
        "enabled",
        "targetActionTypes",
        "environmentIdentifier",
        "approvalRuleConfig"
      ],
      "inputProperties": {
        "approvalRuleConfig": {
          "$ref": "#/types/pulumiservice:index:ApprovalRuleConfig",
          "description": "The approval rule configuration."
        },
        "enabled": {
          "type": "boolean",
          "description": "Whether the approval rule is enabled."
        },
        "environmentIdentifier": {
          "$ref": "#/types/pulumiservice:index:EnvironmentIdentifier",
          "description": "The environment this rule applies to."
        },
        "name": {
          "type": "string",
          "description": "The name of the approval rule.",
          "willReplaceOnChanges": true
        },
        "targetActionTypes": {
          "type": "array",
          "items": {
            "$ref": "#/types/pulumiservice:index:TargetActionType"
          },
          "description": "The type of action this rule applies to."
        }
      },
      "requiredInputs": [
        "name",
        "enabled",
        "targetActionTypes",
        "environmentIdentifier",
        "approvalRuleConfig"
      ]
    },
    "pulumiservice:index:DeploymentSchedule": {
      "description": "A scheduled recurring or single time run of a pulumi command.",
      "properties": {
        "organization": {
          "type": "string",
          "description": "Organization name.",
          "replaceOnChanges": true
        },
        "project": {
          "type": "string",
          "description": "Project name.",
          "replaceOnChanges": true
        },
        "pulumiOperation": {
          "$ref": "#/types/pulumiservice:index:PulumiOperation",
          "description": "Which command to run."
        },
        "scheduleCron": {
          "type": "string",
          "description": "Cron expression for recurring scheduled runs. If you are supplying this, do not supply timestamp."
        },
        "scheduleId": {
          "type": "string",
          "description": "Schedule ID of the created schedule, assigned by Pulumi Cloud."
        },
        "stack": {
          "type": "string",
          "description": "Stack name.",
          "replaceOnChanges": true
        },
        "timestamp": {
          "type": "string",
          "description": "The time at which the schedule should run, in ISO 8601 format. Eg: 2020-01-01T00:00:00Z. If you are supplying this, do not supply scheduleCron.",
          "replaceOnChanges": true
        }
      },
      "required": [
        "organization",
        "project",
        "stack",
        "pulumiOperation",
        "scheduleId"
      ],
      "inputProperties": {
        "organization": {
          "type": "string",
          "description": "Organization name.",
          "replaceOnChanges": true
        },
        "project": {
          "type": "string",
          "description": "Project name.",
          "replaceOnChanges": true
        },
        "pulumiOperation": {
          "$ref": "#/types/pulumiservice:index:PulumiOperation",
          "description": "Which command to run."
        },
        "scheduleCron": {
          "type": "string",
          "description": "Cron expression for recurring scheduled runs. If you are supplying this, do not supply timestamp."
        },
        "stack": {
          "type": "string",
          "description": "Stack name.",
          "replaceOnChanges": true
        },
        "timestamp": {
          "type": "string",
          "description": "The time at which the schedule should run, in ISO 8601 format. Eg: 2020-01-01T00:00:00Z. If you are supplying this, do not supply scheduleCron.",
          "replaceOnChanges": true
        }
      },
      "requiredInputs": [
        "organization",
        "project",
        "stack",
        "pulumiOperation"
      ]
    },
    "pulumiservice:index:DeploymentSettings": {
      "description": "Deployment settings configure Pulumi Deployments for a stack.\n\n### Import\n\nDeployment settings can be imported using the `id`, which for deployment settings is `{org}/{project}/{stack}` e.g.,\n\n```sh\n $ pulumi import pulumiservice:index:DeploymentSettings my_settings my-org/my-project/my-stack\n```\n\n",
      "properties": {
        "agentPoolId": {
          "type": "string",
          "description": "The agent pool identifier to use for the deployment."
        },
        "cacheOptions": {
          "$ref": "#/types/pulumiservice:index:DeploymentSettingsCacheOptions",
          "description": "Dependency cache settings for the deployment"
        },
        "executorContext": {
          "$ref": "#/types/pulumiservice:index:DeploymentSettingsExecutorContext",
          "description": "Settings related to the deployment executor."
        },
        "github": {
          "$ref": "#/types/pulumiservice:index:DeploymentSettingsGithub",
          "description": "GitHub settings for the deployment.",
          "deprecationMessage": "Use the 'vcs' property instead, which supports both GitHub and Azure DevOps."
        },
        "operationContext": {
          "$ref": "#/types/pulumiservice:index:DeploymentSettingsOperationContext",
          "description": "Settings related to the Pulumi operation environment during the deployment."
        },
        "organization": {
          "type": "string",
          "description": "Organization name."
        },
        "project": {
          "type": "string",
          "description": "Project name."
        },
        "sourceContext": {
          "$ref": "#/types/pulumiservice:index:DeploymentSettingsSourceContext",
          "description": "Settings related to the source of the deployment."
        },
        "stack": {
          "type": "string",
          "description": "Stack name."
        },
        "vcs": {
          "$ref": "#/types/pulumiservice:index:DeploymentSettingsVcs",
          "description": "VCS settings for the deployment. Supports Azure DevOps and GitHub via the 'provider' discriminator field."
        }
      },
      "required": [
        "organization",
        "project",
        "stack"
      ],
      "inputProperties": {
        "agentPoolId": {
          "type": "string",
          "description": "The agent pool identifier to use for the deployment."
        },
        "cacheOptions": {
          "$ref": "#/types/pulumiservice:index:DeploymentSettingsCacheOptions",
          "description": "Dependency cache settings for the deployment"
        },
        "executorContext": {
          "$ref": "#/types/pulumiservice:index:DeploymentSettingsExecutorContext",
          "description": "Settings related to the deployment executor."
        },
        "github": {
          "$ref": "#/types/pulumiservice:index:DeploymentSettingsGithub",
          "description": "GitHub settings for the deployment.",
          "deprecationMessage": "Use the 'vcs' property instead, which supports both GitHub and Azure DevOps."
        },
        "operationContext": {
          "$ref": "#/types/pulumiservice:index:DeploymentSettingsOperationContext",
          "description": "Settings related to the Pulumi operation environment during the deployment."
        },
        "organization": {
          "type": "string",
          "description": "Organization name.",
          "willReplaceOnChanges": true
        },
        "project": {
          "type": "string",
          "description": "Project name.",
          "willReplaceOnChanges": true
        },
        "sourceContext": {
          "$ref": "#/types/pulumiservice:index:DeploymentSettingsSourceContext",
          "description": "Settings related to the source of the deployment."
        },
        "stack": {
          "type": "string",
          "description": "Stack name.",
          "willReplaceOnChanges": true
        },
        "vcs": {
          "$ref": "#/types/pulumiservice:index:DeploymentSettingsVcs",
          "description": "VCS settings for the deployment. Supports Azure DevOps and GitHub via the 'provider' discriminator field."
        }
      },
      "requiredInputs": [
        "organization",
        "project",
        "stack"
      ]
    },
    "pulumiservice:index:DriftSchedule": {
      "description": "A cron schedule to run drift detection.",
      "properties": {
        "autoRemediate": {
          "type": "boolean",
          "description": "Whether any drift detected should be remediated after a drift run.",
          "default": false
        },
        "organization": {
          "type": "string",
          "description": "Organization name.",
          "replaceOnChanges": true
        },
        "project": {
          "type": "string",
          "description": "Project name.",
          "replaceOnChanges": true
        },
        "scheduleCron": {
          "type": "string",
          "description": "Cron expression for when to run drift detection."
        },
        "scheduleId": {
          "type": "string",
          "description": "Schedule ID of the created schedule, assigned by Pulumi Cloud."
        },
        "stack": {
          "type": "string",
          "description": "Stack name.",
          "replaceOnChanges": true
        }
      },
      "required": [
        "organization",
        "project",
        "stack",
        "scheduleCron",
        "scheduleId"
      ],
      "inputProperties": {
        "autoRemediate": {
          "type": "boolean",
          "description": "Whether any drift detected should be remediated after a drift run.",
          "default": false
        },
        "organization": {
          "type": "string",
          "description": "Organization name.",
          "replaceOnChanges": true
        },
        "project": {
          "type": "string",
          "description": "Project name.",
          "replaceOnChanges": true
        },
        "scheduleCron": {
          "type": "string",
          "description": "Cron expression for when to run drift detection."
        },
        "stack": {
          "type": "string",
          "description": "Stack name.",
          "replaceOnChanges": true
        }
      },
      "requiredInputs": [
        "organization",
        "project",
        "stack",
        "scheduleCron"
      ]
    },
    "pulumiservice:index:Environment": {
      "description": "An ESC Environment.",
      "properties": {
        "environmentId": {
          "type": "string",
          "description": "The environment's UUID. Use this as the `identity` value when pinning a custom RBAC role to this environment via a `PermissionLiteralExpressionEnvironment` in `OrganizationRole.permissions`, or pass it directly to the `buildEnvironmentScopedPermissions` helper."
        },
        "name": {
          "type": "string",
          "description": "Environment name."
        },
        "organization": {
          "type": "string",
          "description": "Organization name."
        },
        "project": {
          "type": "string",
          "description": "Project name."
        },
        "revision": {
          "type": "integer",
          "description": "Revision number of the latest version."
        },
        "yaml": {
          "$ref": "pulumi.json#/Asset",
          "description": "The environment's YAML file."
        }
      },
      "required": [
        "organization",
        "project",
        "name",
        "yaml",
        "revision"
      ],
      "inputProperties": {
        "name": {
          "type": "string",
          "description": "Environment name."
        },
        "organization": {
          "type": "string",
          "description": "Organization name."
        },
        "project": {
          "type": "string",
          "description": "Project name.",
          "default": "default"
        },
        "yaml": {
          "$ref": "pulumi.json#/Asset",
          "description": "The environment's YAML file."
        }
      },
      "requiredInputs": [
        "organization",
        "name",
        "yaml"
      ]
    },
    "pulumiservice:index:EnvironmentRotationSchedule": {
      "description": "A scheduled environment rotation, either recurring or one-time.",
      "properties": {
        "environment": {
          "type": "string",
          "description": "Environment name.",
          "replaceOnChanges": true
        },
        "organization": {
          "type": "string",
          "description": "Organization name.",
          "replaceOnChanges": true
        },
        "project": {
          "type": "string",
          "description": "Project name.",
          "replaceOnChanges": true
        },
        "scheduleCron": {
          "type": "string",
          "description": "Cron expression for recurring scheduled rotations. If you are supplying this, do not supply timestamp."
        },
        "scheduleId": {
          "type": "string",
          "description": "Schedule ID of the created rotation schedule, assigned by Pulumi Cloud."
        },
        "timestamp": {
          "type": "string",
          "description": "The time at which the rotation should run, in ISO 8601 format, e.g. 2020-01-01T00:00:00Z. If you are supplying this, do not supply scheduleCron.",
          "replaceOnChanges": true
        }
      },
      "required": [
        "organization",
        "project",
        "environment",
        "scheduleId"
      ],
      "inputProperties": {
        "environment": {
          "type": "string",
          "description": "Environment name.",
          "replaceOnChanges": true
        },
        "organization": {
          "type": "string",
          "description": "Organization name.",
          "replaceOnChanges": true
        },
        "project": {
          "type": "string",
          "description": "Project name.",
          "replaceOnChanges": true
        },
        "scheduleCron": {
          "type": "string",
          "description": "Cron expression for recurring scheduled rotations. If you are supplying this, do not supply timestamp."
        },
        "timestamp": {
          "type": "string",
          "description": "The time at which the rotation should run, in ISO 8601 format, e.g. 2020-01-01T00:00:00Z. If you are supplying this, do not supply scheduleCron.",
          "replaceOnChanges": true
        }
      },
      "requiredInputs": [
        "organization",
        "project",
        "environment"
      ]
    },
    "pulumiservice:index:EnvironmentVersionTag": {
      "description": "A tag on a specific revision of an environment.",
      "properties": {
        "environment": {
          "type": "string",
          "description": "Environment name."
        },
        "organization": {
          "type": "string",
          "description": "Organization name."
        },
        "project": {
          "type": "string",
          "description": "Project name."
        },
        "revision": {
          "type": "integer",
          "description": "Revision number."
        },
        "tagName": {
          "type": "string",
          "description": "Tag name."
        }
      },
      "required": [
        "organization",
        "project",
        "environment",
        "tagName",
        "revision"
      ],
      "inputProperties": {
        "environment": {
          "type": "string",
          "description": "Environment name."
        },
        "organization": {
          "type": "string",
          "description": "Organization name."
        },
        "project": {
          "type": "string",
          "description": "Project name.",
          "default": "default"
        },
        "revision": {
          "type": "integer",
          "description": "Revision number."
        },
        "tagName": {
          "type": "string",
          "description": "Tag name."
        }
      },
      "requiredInputs": [
        "organization",
        "environment",
        "tagName",
        "revision"
      ]
    },
    "pulumiservice:index:InsightsAccount": {
      "description": "Insights Account for cloud resource scanning and analysis across AWS, Azure, and GCP.",
      "properties": {
        "accountName": {
          "type": "string",
          "description": "Name of the insights account.",
          "replaceOnChanges": true
        },
        "environment": {
          "type": "string",
          "description": "The ESC environment used for provider credentials. Format: 'project/environment' with optional '@version' suffix (e.g., 'my-project/prod-env' or 'my-project/prod-env@v1.0')."
        },
        "insightsAccountId": {
          "type": "string",
          "description": "The insights account identifier."
        },
        "organizationName": {
          "type": "string",
          "description": "The organization's name.",
          "replaceOnChanges": true
        },
        "provider": {
          "$ref": "#/types/pulumiservice:index:CloudProvider",
          "description": "The cloud provider for scanning.",
          "replaceOnChanges": true
        },
        "providerConfig": {
          "type": "object",
          "additionalProperties": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "Provider-specific configuration as a JSON object. For AWS, specify regions to scan: {\"regions\": [\"us-west-1\", \"us-west-2\"]}."
        },
        "scanSchedule": {
          "$ref": "#/types/pulumiservice:index:ScanSchedule",
          "description": "Schedule for automated scanning. Use 'daily' for daily scans, '12h' for scans every twelve hours, or 'none' to disable scheduled scanning. Defaults to 'none'.",
          "default": "none"
        },
        "scheduledScanEnabled": {
          "type": "boolean",
          "description": "Whether scheduled scanning is enabled."
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "Key-value tags to associate with the insights account."
        }
      },
      "required": [
        "organizationName",
        "accountName",
        "provider",
        "environment",
        "scanSchedule",
        "insightsAccountId",
        "scheduledScanEnabled"
      ],
      "inputProperties": {
        "accountName": {
          "type": "string",
          "description": "Name of the insights account.",
          "replaceOnChanges": true
        },
        "environment": {
          "type": "string",
          "description": "The ESC environment used for provider credentials. Format: 'project/environment' with optional '@version' suffix (e.g., 'my-project/prod-env' or 'my-project/prod-env@v1.0')."
        },
        "organizationName": {
          "type": "string",
          "description": "The organization's name.",
          "replaceOnChanges": true
        },
        "provider": {
          "$ref": "#/types/pulumiservice:index:CloudProvider",
          "description": "The cloud provider for scanning.",
          "replaceOnChanges": true
        },
        "providerConfig": {
          "type": "object",
          "additionalProperties": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "Provider-specific configuration as a JSON object. For AWS, specify regions to scan: {\"regions\": [\"us-west-1\", \"us-west-2\"]}."
        },
        "scanSchedule": {
          "$ref": "#/types/pulumiservice:index:ScanSchedule",
          "description": "Schedule for automated scanning. Use 'daily' for daily scans, '12h' for scans every twelve hours, or 'none' to disable scheduled scanning. Defaults to 'none'.",
          "default": "none"
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "Key-value tags to associate with the insights account."
        }
      },
      "requiredInputs": [
        "organizationName",
        "accountName",
        "provider",
        "environment",
        "scanSchedule"
      ]
    },
    "pulumiservice:index:OidcIssuer": {
      "description": "Register an OIDC Provider to establish a trust relationship between third-party systems like GitHub Actions and Pulumi Cloud, obviating the need to store a hard-coded Pulumi Cloud token in systems that need to run Pulumi commands or consume Pulumi Cloud APIs. Instead of a hard-coded, static token that must be manually rotated, trusted systems are granted temporary Pulumi Cloud tokens on an as-needed basis, which is more secure than static tokens.",
      "properties": {
        "maxExpirationSeconds": {
          "type": "integer",
          "description": "The maximum duration, in seconds, for which the Pulumi access token remains valid after an exchange."
        },
        "name": {
          "type": "string",
          "description": "Issuer name."
        },
        "organization": {
          "type": "string",
          "description": "Organization name.",
          "replaceOnChanges": true
        },
        "policies": {
          "type": "array",
          "items": {
            "$ref": "#/types/pulumiservice:index:AuthPolicyDefinition"
          },
          "description": "The authorization policies for this OIDC issuer."
        },
        "thumbprints": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "The thumbprints of the issuer's TLS certificates. By default, Pulumi will store the thumbprint of the certificate used to serve the OpenID configuration. If the provider uses multiple certificates to serve content, the thumbprints must be configured manually."
        },
        "url": {
          "type": "string",
          "description": "The OIDC issuer URL.",
          "replaceOnChanges": true
        }
      },
      "required": [
        "organization",
        "name",
        "url",
        "thumbprints",
        "policies"
      ],
      "inputProperties": {
        "maxExpirationSeconds": {
          "type": "integer",
          "description": "The maximum duration, in seconds, for which the Pulumi access token remains valid after an exchange."
        },
        "name": {
          "type": "string",
          "description": "Issuer name."
        },
        "organization": {
          "type": "string",
          "description": "Organization name.",
          "replaceOnChanges": true
        },
        "policies": {
          "type": "array",
          "items": {
            "$ref": "#/types/pulumiservice:index:AuthPolicyDefinition"
          },
          "description": "The authorization policies for this OIDC issuer."
        },
        "thumbprints": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "The thumbprints of the issuer's TLS certificates. By default, Pulumi will store the thumbprint of the certificate used to serve the OpenID configuration. If the provider uses multiple certificates to serve content, the thumbprints must be configured manually."
        },
        "url": {
          "type": "string",
          "description": "The OIDC issuer URL.",
          "replaceOnChanges": true
        }
      },
      "requiredInputs": [
        "organization",
        "name",
        "url"
      ]
    },
    "pulumiservice:index:OrgAccessToken": {
      "description": "Pulumi Cloud allows users to create access tokens scoped to organizations. The OrgAccessToken resource creates such a token and assigns it to an organization.",
      "properties": {
        "admin": {
          "type": "boolean",
          "description": "Optional. True if this is an admin token.",
          "default": false,
          "replaceOnChanges": true
        },
        "description": {
          "type": "string",
          "description": "Optional. Description for the token.",
          "replaceOnChanges": true
        },
        "name": {
          "type": "string",
          "description": "The name for the token.",
          "replaceOnChanges": true
        },
        "organizationName": {
          "type": "string",
          "description": "The organization's name.",
          "replaceOnChanges": true
        },
        "value": {
          "type": "string",
          "description": "The token's value.",
          "secret": true
        }
      },
      "required": [
        "name",
        "organizationName",
        "value"
      ],
      "inputProperties": {
        "admin": {
          "type": "boolean",
          "description": "Optional. True if this is an admin token.",
          "default": false,
          "replaceOnChanges": true
        },
        "description": {
          "type": "string",
          "description": "Optional. Description for the token.",
          "replaceOnChanges": true
        },
        "name": {
          "type": "string",
          "description": "The name for the token.",
          "replaceOnChanges": true
        },
        "organizationName": {
          "type": "string",
          "description": "The organization's name.",
          "replaceOnChanges": true
        }
      },
      "requiredInputs": [
        "name",
        "organizationName"
      ]
    },
    "pulumiservice:index:OrganizationMember": {
      "description": "Manages a user's membership in a Pulumi Cloud organization and their assigned role. The user must already have a Pulumi Cloud account before they can be added. Custom (fine-grained) roles are assigned by setting `roleId`; built-in roles are assigned by setting `role`. When both are set, `roleId` takes precedence.",
      "properties": {
        "adopted": {
          "type": "boolean",
          "description": "True when this resource adopted an existing organization member (the user was already in the org at Create time). Adopted memberships are left in place on destroy; only the role is reset."
        },
        "email": {
          "type": "string",
          "description": "The member's email address."
        },
        "name": {
          "type": "string",
          "description": "The member's display name."
        },
        "organizationName": {
          "type": "string",
          "description": "The Pulumi Cloud organization name.",
          "replaceOnChanges": true
        },
        "role": {
          "type": "string",
          "description": "The built-in organization role. One of `member`, `admin`, `billing-manager`. Defaults to `member` on create. Ignored when `roleId` is set."
        },
        "roleId": {
          "type": "string",
          "description": "The ID of a custom (fine-grained) organization role to assign. Takes precedence over `role`."
        },
        "roleName": {
          "type": "string",
          "description": "The name of the currently assigned role (custom role name, or built-in role)."
        },
        "username": {
          "type": "string",
          "description": "The Pulumi Cloud username of the member.",
          "replaceOnChanges": true
        }
      },
      "required": [
        "organizationName",
        "username",
        "name",
        "email",
        "roleName",
        "adopted"
      ],
      "inputProperties": {
        "organizationName": {
          "type": "string",
          "description": "The Pulumi Cloud organization name.",
          "replaceOnChanges": true
        },
        "role": {
          "type": "string",
          "description": "The built-in organization role. One of `member`, `admin`, `billing-manager`. Defaults to `member` on create. Ignored when `roleId` is set."
        },
        "roleId": {
          "type": "string",
          "description": "The ID of a custom (fine-grained) organization role to assign. Takes precedence over `role`."
        },
        "username": {
          "type": "string",
          "description": "The Pulumi Cloud username of the member.",
          "replaceOnChanges": true
        }
      },
      "requiredInputs": [
        "organizationName",
        "username"
      ]
    },
    "pulumiservice:index:OrganizationRole": {
      "description": "A custom (fine-grained) role defined on a Pulumi Cloud organization. Custom roles allow precise permission control beyond the built-in `admin` / `member` / `billing-manager` roles. Assign them to members via the `OrganizationMember.roleId` field or to teams via `TeamRoleAssignment`.\n\nRequires the Custom Roles feature to be enabled on the organization. See the [Pulumi Cloud RBAC docs](https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/) for the shape of the `permissions` descriptor.",
      "properties": {
        "description": {
          "type": "string",
          "description": "Human-readable description of what the role grants."
        },
        "name": {
          "type": "string",
          "description": "The role's display name. Must be unique within the organization."
        },
        "organizationName": {
          "type": "string",
          "description": "The Pulumi Cloud organization name.",
          "replaceOnChanges": true
        },
        "permissions": {
          "type": "object",
          "additionalProperties": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "The role's permission descriptor tree, expressed in the Pulumi Cloud wire grammar. The provider exposes the descriptor as `map[string]Any` and passes it through verbatim — the wire-format `__type` discriminator is used at every level (SDK and API alike).\n\nCommon top-level descriptors:\n- `PermissionDescriptorAllow` — `{__type: \"PermissionDescriptorAllow\", permissions: [\"<scope>\", ...]}` grants the listed scopes.\n- `PermissionDescriptorGroup` — `{__type: \"PermissionDescriptorGroup\", entries: [{__type: \"PermissionDescriptorAllow\", ...}, ...]}` composes multiple descriptors; the role grants the union of every entry.\n- `PermissionDescriptorCondition` — `{__type: \"PermissionDescriptorCondition\", condition: {__type: ...}, subNode: {__type: ...}}` gates a sub-descriptor on a boolean expression.\n- `PermissionDescriptorCompose` — references other roles by ID; `{__type: \"PermissionDescriptorCompose\", permissionDescriptors: [<roleId>, ...]}`.\n\nPulumi Cloud's REST API also accepts `PermissionDescriptorIfThenElse`, `PermissionDescriptorSelect`, and the `PermissionExpression*` / `PermissionLiteralExpression*` boolean operators (And, Or, Not, Equal, Environment, Stack, Team, InsightsAccount, …); the provider does not inspect anything below the top, so future Cloud additions work without a provider release.\n\nFor the common case of granting a set of scopes on one entity, prefer the `buildAllowPermissions`, `buildEnvironmentScopedPermissions`, `buildStackScopedPermissions`, and `buildInsightsAccountScopedPermissions` helpers, which build the descriptor tree for you. To grant a role to a team, use the `TeamRoleAssignment` resource — roles are *associated with* teams, not gated on them via a permission descriptor.\n\nNote: the `__type` field name uses Pulumi's `__`-prefixed-key passthrough (pulumi/pulumi#22834, available in pulumi 3.235.0+). Earlier pulumi runtimes will drop these keys at the SDK boundary; the Python SDK pins the minimum runtime version automatically."
        },
        "resourceType": {
          "type": "string",
          "description": "The resource type the role's permissions apply to. Defaults to `global` (the org-wide role that can be assigned to members and teams). Other valid values: `stack`, `environment`, `insights-account`."
        },
        "roleId": {
          "type": "string",
          "description": "The unique identifier of the custom role."
        },
        "version": {
          "type": "integer",
          "description": "The service-maintained version number that increments on every update."
        }
      },
      "required": [
        "organizationName",
        "name",
        "permissions",
        "roleId",
        "version"
      ],
      "inputProperties": {
        "description": {
          "type": "string",
          "description": "Human-readable description of what the role grants."
        },
        "name": {
          "type": "string",
          "description": "The role's display name. Must be unique within the organization."
        },
        "organizationName": {
          "type": "string",
          "description": "The Pulumi Cloud organization name.",
          "replaceOnChanges": true
        },
        "permissions": {
          "type": "object",
          "additionalProperties": {
            "$ref": "pulumi.json#/Any"
          },
          "description": "The role's permission descriptor tree, expressed in the Pulumi Cloud wire grammar. The provider exposes the descriptor as `map[string]Any` and passes it through verbatim — the wire-format `__type` discriminator is used at every level (SDK and API alike).\n\nCommon top-level descriptors:\n- `PermissionDescriptorAllow` — `{__type: \"PermissionDescriptorAllow\", permissions: [\"<scope>\", ...]}` grants the listed scopes.\n- `PermissionDescriptorGroup` — `{__type: \"PermissionDescriptorGroup\", entries: [{__type: \"PermissionDescriptorAllow\", ...}, ...]}` composes multiple descriptors; the role grants the union of every entry.\n- `PermissionDescriptorCondition` — `{__type: \"PermissionDescriptorCondition\", condition: {__type: ...}, subNode: {__type: ...}}` gates a sub-descriptor on a boolean expression.\n- `PermissionDescriptorCompose` — references other roles by ID; `{__type: \"PermissionDescriptorCompose\", permissionDescriptors: [<roleId>, ...]}`.\n\nPulumi Cloud's REST API also accepts `PermissionDescriptorIfThenElse`, `PermissionDescriptorSelect`, and the `PermissionExpression*` / `PermissionLiteralExpression*` boolean operators (And, Or, Not, Equal, Environment, Stack, Team, InsightsAccount, …); the provider does not inspect anything below the top, so future Cloud additions work without a provider release.\n\nFor the common case of granting a set of scopes on one entity, prefer the `buildAllowPermissions`, `buildEnvironmentScopedPermissions`, `buildStackScopedPermissions`, and `buildInsightsAccountScopedPermissions` helpers, which build the descriptor tree for you. To grant a role to a team, use the `TeamRoleAssignment` resource — roles are *associated with* teams, not gated on them via a permission descriptor.\n\nNote: the `__type` field name uses Pulumi's `__`-prefixed-key passthrough (pulumi/pulumi#22834, available in pulumi 3.235.0+). Earlier pulumi runtimes will drop these keys at the SDK boundary; the Python SDK pins the minimum runtime version automatically."
        },
        "resourceType": {
          "type": "string",
          "description": "The resource type the role's permissions apply to. Defaults to `global` (the org-wide role that can be assigned to members and teams). Other valid values: `stack`, `environment`, `insights-account`."
        }
      },
      "requiredInputs": [
        "organizationName",
        "name",
        "permissions"
      ]
    },
    "pulumiservice:index:PolicyGroup": {
      "description": "A Policy Group allows you to apply policy packs to a set of stacks in your organization.",
      "properties": {
        "accounts": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of accounts that belong to this policy group."
        },
        "entityType": {
          "type": "string",
          "description": "The entity type for the policy group. Valid values are 'stacks' or 'accounts'. Defaults to 'stacks'."
        },
        "mode": {
          "type": "string",
          "description": "The mode for the policy group. Valid values are 'audit' (reports violations) or 'preventative' (blocks operations). Defaults to 'audit'."
        },
        "name": {
          "type": "string",
          "description": "The name of the policy group."
        },
        "organizationName": {
          "type": "string",
          "description": "The name of the Pulumi organization the policy group belongs to."
        },
        "policyPacks": {
          "type": "array",
          "items": {
            "$ref": "#/types/pulumiservice:index:PolicyGroupPolicyPackReference"
          },
          "description": "List of policy packs applied to this policy group."
        },
        "stacks": {
          "type": "array",
          "items": {
            "$ref": "#/types/pulumiservice:index:PolicyGroupStackReference"
          },
          "description": "List of stack references that belong to this policy group."
        }
      },
      "required": [
        "name",
        "organizationName",
        "entityType",
        "mode"
      ],
      "inputProperties": {
        "accounts": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of accounts that belong to this policy group."
        },
        "entityType": {
          "type": "string",
          "description": "The entity type for the policy group. Valid values are 'stacks' or 'accounts'. Defaults to 'stacks'.",
          "default": "stacks",
          "willReplaceOnChanges": true
        },
        "mode": {
          "type": "string",
          "description": "The mode for the policy group. Valid values are 'audit' (reports violations) or 'preventative' (blocks operations). Defaults to 'audit'.",
          "default": "audit",
          "willReplaceOnChanges": true
        },
        "name": {
          "type": "string",
          "description": "The name of the policy group.",
          "willReplaceOnChanges": true
        },
        "organizationName": {
          "type": "string",
          "description": "The name of the Pulumi organization the policy group belongs to.",
          "willReplaceOnChanges": true
        },
        "policyPacks": {
          "type": "array",
          "items": {
            "$ref": "#/types/pulumiservice:index:PolicyGroupPolicyPackReferenceInput"
          },
          "description": "List of policy packs applied to this policy group."
        },
        "stacks": {
          "type": "array",
          "items": {
            "$ref": "#/types/pulumiservice:index:PolicyGroupStackReference"
          },
          "description": "List of stack references that belong to this policy group."
        }
      },
      "requiredInputs": [
        "name",
        "organizationName"
      ]
    },
    "pulumiservice:index:Stack": {
      "description": "A stack is a collection of resources that share a common lifecycle. Stacks are uniquely identified by their name and the project they belong to.",
      "properties": {
        "forceDestroy": {
          "type": "boolean",
          "description": "Optional. Flag indicating whether to delete the stack even if it still contains resources.",
          "replaceOnChanges": true
        },
        "organizationName": {
          "type": "string",
          "description": "The name of the organization.",
          "replaceOnChanges": true
        },
        "projectName": {
          "type": "string",
          "description": "The name of the project.",
          "replaceOnChanges": true
        },
        "stackName": {
          "type": "string",
          "description": "The name of the stack.",
          "replaceOnChanges": true
        }
      },
      "required": [
        "organizationName",
        "projectName",
        "stackName"
      ],
      "inputProperties": {
        "forceDestroy": {
          "type": "boolean",
          "description": "Optional. Flag indicating whether to delete the stack even if it still contains resources.",
          "replaceOnChanges": true
        },
        "organizationName": {
          "type": "string",
          "description": "The name of the organization.",
          "replaceOnChanges": true
        },
        "projectName": {
          "type": "string",
          "description": "The name of the project.",
          "replaceOnChanges": true
        },
        "stackName": {
          "type": "string",
          "description": "The name of the stack.",
          "replaceOnChanges": true
        }
      },
      "requiredInputs": [
        "organizationName",
        "projectName",
        "stackName"
      ]
    },
    "pulumiservice:index:StackTag": {
      "description": "Stacks have associated metadata in the form of tags. Each tag consists of a name and value.",
      "properties": {
        "name": {
          "type": "string",
          "description": "Name of the tag. The 'key' part of the key=value pair",
          "replaceOnChanges": true
        },
        "organization": {
          "type": "string",
          "description": "Organization name.",
          "replaceOnChanges": true
        },
        "project": {
          "type": "string",
          "description": "Project name.",
          "replaceOnChanges": true
        },
        "stack": {
          "type": "string",
          "description": "Stack name.",
          "replaceOnChanges": true
        },
        "value": {
          "type": "string",
          "description": "Value of the tag. The 'value' part of the key=value pair",
          "replaceOnChanges": true
        }
      },
      "required": [
        "organization",
        "project",
        "stack",
        "name",
        "value"
      ],
      "inputProperties": {
        "name": {
          "type": "string",
          "description": "Name of the tag. The 'key' part of the key=value pair",
          "replaceOnChanges": true
        },
        "organization": {
          "type": "string",
          "description": "Organization name.",
          "replaceOnChanges": true
        },
        "project": {
          "type": "string",
          "description": "Project name.",
          "replaceOnChanges": true
        },
        "stack": {
          "type": "string",
          "description": "Stack name.",
          "replaceOnChanges": true
        },
        "value": {
          "type": "string",
          "description": "Value of the tag. The 'value' part of the key=value pair",
          "replaceOnChanges": true
        }
      },
      "requiredInputs": [
        "organization",
        "project",
        "stack",
        "name",
        "value"
      ]
    },
    "pulumiservice:index:StackTags": {
      "description": "Manages a set of stack tags as a single resource via a `tags` map, instead of one `StackTag` per key — useful for YAML programs.\n\nOnly tags declared in `tags` are managed; tags added out-of-band (CLI, pulumibot, a singular `StackTag` resource) are left alone. Tag values are immutable in Pulumi Cloud, so a value change is implemented as delete-and-recreate.\n\nImporting with ID `{organization}/{project}/{stack}/tags` adopts every tag currently on the stack; declare `tags` explicitly after import so subsequent updates match your intent. See the [registry docs](https://www.pulumi.com/registry/packages/pulumiservice/api-docs/stacktags/) for full usage and examples.\n",
      "properties": {
        "organization": {
          "type": "string",
          "description": "Organization name."
        },
        "project": {
          "type": "string",
          "description": "Project name."
        },
        "stack": {
          "type": "string",
          "description": "Stack name."
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "Map of tag names to values. Each entry represents a stack tag."
        }
      },
      "required": [
        "organization",
        "project",
        "stack",
        "tags"
      ],
      "inputProperties": {
        "organization": {
          "type": "string",
          "description": "Organization name.",
          "willReplaceOnChanges": true
        },
        "project": {
          "type": "string",
          "description": "Project name.",
          "willReplaceOnChanges": true
        },
        "stack": {
          "type": "string",
          "description": "Stack name.",
          "willReplaceOnChanges": true
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "Map of tag names to values. Each entry represents a stack tag."
        }
      },
      "requiredInputs": [
        "organization",
        "project",
        "stack",
        "tags"
      ]
    },
    "pulumiservice:index:Team": {
      "description": "The Pulumi Cloud offers role-based access control (RBAC) using teams. Teams allow organization admins to assign a set of stack permissions to a group of users.",
      "properties": {
        "description": {
          "type": "string",
          "description": "Optional. Team description."
        },
        "displayName": {
          "type": "string",
          "description": "Optional. Team display name."
        },
        "githubTeamId": {
          "type": "number",
          "description": "The GitHub ID of the team to mirror. Must be in the same GitHub organization that the Pulumi org is backed by. Required for \"github\" teams."
        },
        "members": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of Pulumi Cloud usernames of team members."
        },
        "name": {
          "type": "string",
          "description": "The team's name. Required for \"pulumi\" teams.",
          "replaceOnChanges": true
        },
        "organizationName": {
          "type": "string",
          "description": "The name of the Pulumi organization the team belongs to.",
          "replaceOnChanges": true
        },
        "teamType": {
          "type": "string",
          "description": "The type of team. Must be either `pulumi` or `github`.",
          "replaceOnChanges": true
        }
      },
      "required": [
        "organizationName",
        "teamType",
        "members"
      ],
      "inputProperties": {
        "description": {
          "type": "string",
          "description": "Optional. Team description."
        },
        "displayName": {
          "type": "string",
          "description": "Optional. Team display name."
        },
        "githubTeamId": {
          "type": "number",
          "description": "The GitHub ID of the team to mirror. Must be in the same GitHub organization that the Pulumi org is backed by. Required for \"github\" teams."
        },
        "members": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of Pulumi Cloud usernames of team members."
        },
        "name": {
          "type": "string",
          "description": "The team's name. Required for \"pulumi\" teams.",
          "replaceOnChanges": true
        },
        "organizationName": {
          "type": "string",
          "description": "The name of the Pulumi organization the team belongs to.",
          "replaceOnChanges": true
        },
        "teamType": {
          "type": "string",
          "description": "The type of team. Must be either `pulumi` or `github`.",
          "replaceOnChanges": true
        }
      },
      "requiredInputs": [
        "organizationName",
        "teamType"
      ]
    },
    "pulumiservice:index:TeamAccessToken": {
      "description": "The Pulumi Cloud allows users to create access tokens scoped to team. Team access tokens is a resource to create them and assign them to a team",
      "properties": {
        "description": {
          "type": "string",
          "description": "Optional. Description for the token.",
          "replaceOnChanges": true
        },
        "name": {
          "type": "string",
          "description": "The name for the token. This must be unique amongst all machine tokens within your organization.",
          "replaceOnChanges": true
        },
        "organizationName": {
          "type": "string",
          "description": "The organization's name.",
          "replaceOnChanges": true
        },
        "teamName": {
          "type": "string",
          "description": "The team name.",
          "replaceOnChanges": true
        },
        "value": {
          "type": "string",
          "description": "The token's value.",
          "secret": true
        }
      },
      "required": [
        "name",
        "organizationName",
        "teamName",
        "value"
      ],
      "inputProperties": {
        "description": {
          "type": "string",
          "description": "Optional. Description for the token.",
          "replaceOnChanges": true
        },
        "name": {
          "type": "string",
          "description": "The name for the token. This must be unique amongst all machine tokens within your organization.",
          "replaceOnChanges": true
        },
        "organizationName": {
          "type": "string",
          "description": "The organization's name.",
          "replaceOnChanges": true
        },
        "teamName": {
          "type": "string",
          "description": "The team name.",
          "replaceOnChanges": true
        }
      },
      "requiredInputs": [
        "name",
        "organizationName",
        "teamName"
      ]
    },
    "pulumiservice:index:TeamEnvironmentPermission": {
      "description": "A permission for a team to use an environment.",
      "properties": {
        "environment": {
          "type": "string",
          "description": "Environment name.",
          "replaceOnChanges": true
        },
        "maxOpenDuration": {
          "type": "string",
          "description": "The maximum duration for which members of this team may open the environment.",
          "replaceOnChanges": true
        },
        "organization": {
          "type": "string",
          "description": "Organization name.",
          "replaceOnChanges": true
        },
        "permission": {
          "$ref": "#/types/pulumiservice:index:EnvironmentPermission",
          "description": "Which permission level to grant to the specified team.",
          "replaceOnChanges": true
        },
        "project": {
          "type": "string",
          "description": "Project name.",
          "default": "default",
          "replaceOnChanges": true
        },
        "team": {
          "type": "string",
          "description": "Team name.",
          "replaceOnChanges": true
        }
      },
      "required": [
        "organization",
        "team",
        "environment",
        "permission"
      ],
      "inputProperties": {
        "environment": {
          "type": "string",
          "description": "Environment name.",
          "replaceOnChanges": true
        },
        "maxOpenDuration": {
          "type": "string",
          "description": "The maximum duration for which members of this team may open the environment.",
          "replaceOnChanges": true
        },
        "organization": {
          "type": "string",
          "description": "Organization name.",
          "replaceOnChanges": true
        },
        "permission": {
          "$ref": "#/types/pulumiservice:index:EnvironmentPermission",
          "description": "Which permission level to grant to the specified team.",
          "replaceOnChanges": true
        },
        "project": {
          "type": "string",
          "description": "Project name.",
          "default": "default",
          "replaceOnChanges": true
        },
        "team": {
          "type": "string",
          "description": "Team name.",
          "replaceOnChanges": true
        }
      },
      "requiredInputs": [
        "organization",
        "team",
        "environment",
        "permission"
      ]
    },
    "pulumiservice:index:TeamRoleAssignment": {
      "description": "Assigns a custom (fine-grained) role to a Pulumi Cloud team. The Pulumi Cloud API currently supports one role per team; creating a second assignment replaces the first. The team's organization must already have the custom-roles feature enabled.",
      "properties": {
        "organizationName": {
          "type": "string",
          "description": "The Pulumi Cloud organization name.",
          "replaceOnChanges": true
        },
        "roleId": {
          "type": "string",
          "description": "The ID of the custom role to assign.",
          "replaceOnChanges": true
        },
        "roleName": {
          "type": "string",
          "description": "The name of the currently assigned role (custom role name, or built-in role)."
        },
        "teamName": {
          "type": "string",
          "description": "The team name.",
          "replaceOnChanges": true
        }
      },
      "required": [
        "organizationName",
        "teamName",
        "roleId",
        "roleName"
      ],
      "inputProperties": {
        "organizationName": {
          "type": "string",
          "description": "The Pulumi Cloud organization name.",
          "replaceOnChanges": true
        },
        "roleId": {
          "type": "string",
          "description": "The ID of the custom role to assign.",
          "replaceOnChanges": true
        },
        "teamName": {
          "type": "string",
          "description": "The team name.",
          "replaceOnChanges": true
        }
      },
      "requiredInputs": [
        "organizationName",
        "teamName",
        "roleId"
      ]
    },
    "pulumiservice:index:TeamStackPermission": {
      "description": "Grants a team permissions to the specified stack.",
      "properties": {
        "organization": {
          "type": "string",
          "description": "The organization or the personal account name of the stack.",
          "replaceOnChanges": true
        },
        "permission": {
          "$ref": "#/types/pulumiservice:index:TeamStackPermissionScope",
          "description": "Sets the permission level that this team will be granted to the stack.",
          "replaceOnChanges": true
        },
        "project": {
          "type": "string",
          "description": "The project name for this stack.",
          "replaceOnChanges": true
        },
        "stack": {
          "type": "string",
          "description": "The name of the stack that the team will be granted permissions to.",
          "replaceOnChanges": true
        },
        "team": {
          "type": "string",
          "description": "The name of the team to grant this stack permissions to. This is not the display name.",
          "replaceOnChanges": true
        }
      },
      "required": [
        "organization",
        "project",
        "stack",
        "team",
        "permission"
      ],
      "inputProperties": {
        "organization": {
          "type": "string",
          "description": "The organization or the personal account name of the stack.",
          "replaceOnChanges": true
        },
        "permission": {
          "$ref": "#/types/pulumiservice:index:TeamStackPermissionScope",
          "description": "Sets the permission level that this team will be granted to the stack.",
          "replaceOnChanges": true
        },
        "project": {
          "type": "string",
          "description": "The project name for this stack.",
          "replaceOnChanges": true
        },
        "stack": {
          "type": "string",
          "description": "The name of the stack that the team will be granted permissions to.",
          "replaceOnChanges": true
        },
        "team": {
          "type": "string",
          "description": "The name of the team to grant this stack permissions to. This is not the display name.",
          "replaceOnChanges": true
        }
      },
      "requiredInputs": [
        "organization",
        "project",
        "stack",
        "team",
        "permission"
      ]
    },
    "pulumiservice:index:TemplateSource": {
      "description": "A source for Pulumi templates.",
      "properties": {
        "destination": {
          "$ref": "#/types/pulumiservice:index:TemplateSourceDestination",
          "description": "The default destination for projects using templates from this source."
        },
        "organizationName": {
          "type": "string",
          "description": "Organization name.",
          "replaceOnChanges": true
        },
        "sourceName": {
          "type": "string",
          "description": "Source name."
        },
        "sourceURL": {
          "type": "string",
          "description": "Github URL of the repository from which to grab templates."
        }
      },
      "required": [
        "organizationName",
        "sourceName",
        "sourceURL"
      ],
      "inputProperties": {
        "destination": {
          "$ref": "#/types/pulumiservice:index:TemplateSourceDestination",
          "description": "The default destination for projects using templates from this source."
        },
        "organizationName": {
          "type": "string",
          "description": "Organization name.",
          "replaceOnChanges": true
        },
        "sourceName": {
          "type": "string",
          "description": "Source name."
        },
        "sourceURL": {
          "type": "string",
          "description": "Github URL of the repository from which to grab templates."
        }
      },
      "requiredInputs": [
        "organizationName",
        "sourceName",
        "sourceURL"
      ]
    },
    "pulumiservice:index:TtlSchedule": {
      "description": "A scheduled stack destroy run.",
      "properties": {
        "deleteAfterDestroy": {
          "type": "boolean",
          "description": "True if the stack and all associated history and settings should be deleted.",
          "default": false
        },
        "organization": {
          "type": "string",
          "description": "Organization name.",
          "replaceOnChanges": true
        },
        "project": {
          "type": "string",
          "description": "Project name.",
          "replaceOnChanges": true
        },
        "scheduleId": {
          "type": "string",
          "description": "Schedule ID of the created schedule, assigned by Pulumi Cloud."
        },
        "stack": {
          "type": "string",
          "description": "Stack name.",
          "replaceOnChanges": true
        },
        "timestamp": {
          "type": "string",
          "description": "The time at which the schedule should run, in ISO 8601 format. Eg: 2020-01-01T00:00:00Z.",
          "replaceOnChanges": true
        }
      },
      "required": [
        "organization",
        "project",
        "stack",
        "timestamp",
        "scheduleId"
      ],
      "inputProperties": {
        "deleteAfterDestroy": {
          "type": "boolean",
          "description": "True if the stack and all associated history and settings should be deleted.",
          "default": false
        },
        "organization": {
          "type": "string",
          "description": "Organization name.",
          "replaceOnChanges": true
        },
        "project": {
          "type": "string",
          "description": "Project name.",
          "replaceOnChanges": true
        },
        "stack": {
          "type": "string",
          "description": "Stack name.",
          "replaceOnChanges": true
        },
        "timestamp": {
          "type": "string",
          "description": "The time at which the schedule should run, in ISO 8601 format. Eg: 2020-01-01T00:00:00Z.",
          "replaceOnChanges": true
        }
      },
      "requiredInputs": [
        "organization",
        "project",
        "stack",
        "timestamp"
      ]
    },
    "pulumiservice:index:Webhook": {
      "description": "Pulumi Webhooks allow you to notify external services of events happening within your Pulumi organization or stack. For example, you can trigger a notification whenever a stack is updated. Whenever an event occurs, Pulumi will send an HTTP POST request to all registered webhooks. The webhook can then be used to emit some notification, start running integration tests, or even update additional stacks.\n\n### Import\n\nPulumi webhooks can be imported using the `id`, which for webhooks is `{org}/{project}/{stack}/{webhook-name}` e.g.,\n\n```sh\n $ pulumi import pulumiservice:index:Webhook my_webhook my-org/my-project/my-stack/4b0d0671\n```\n\n",
      "properties": {
        "active": {
          "type": "boolean",
          "description": "Indicates whether this webhook is enabled or not."
        },
        "displayName": {
          "type": "string",
          "description": "The friendly name displayed in the Pulumi Cloud."
        },
        "environmentName": {
          "type": "string",
          "description": "Name of the environment. Only specified if this is an environment webhook."
        },
        "filters": {
          "type": "array",
          "items": {
            "$ref": "#/types/pulumiservice:index:WebhookFilters"
          },
          "description": "Optional set of filters to apply to the webhook. See [webhook docs](https://www.pulumi.com/docs/intro/pulumi-service/webhooks/#filters) for more information."
        },
        "format": {
          "$ref": "#/types/pulumiservice:index:WebhookFormat",
          "description": "Format of the webhook payload. Can be either `raw`, `slack`, `ms_teams` or `pulumi_deployments`. Defaults to `raw`."
        },
        "groups": {
          "type": "array",
          "items": {
            "$ref": "#/types/pulumiservice:index:WebhookGroup"
          },
          "description": "Optional set of filter groups to apply to the webhook. See [webhook docs](https://www.pulumi.com/docs/intro/pulumi-service/webhooks/#groups) for more information."
        },
        "name": {
          "type": "string",
          "description": "Webhook identifier generated by Pulumi Cloud."
        },
        "organizationName": {
          "type": "string",
          "description": "Name of the organization."
        },
        "payloadUrl": {
          "type": "string",
          "description": "URL to send request to."
        },
        "projectName": {
          "type": "string",
          "description": "Name of the project. Only specified if this is a stack or environment webhook."
        },
        "secret": {
          "type": "string",
          "description": "Optional. secret used as the HMAC key. See [webhook docs](https://www.pulumi.com/docs/intro/pulumi-service/webhooks/#headers) for more information.",
          "secret": true
        },
        "stackName": {
          "type": "string",
          "description": "Name of the stack. Only specified if this is a stack webhook."
        }
      },
      "required": [
        "active",
        "displayName",
        "organizationName",
        "payloadUrl",
        "name",
        "format"
      ],
      "inputProperties": {
        "active": {
          "type": "boolean",
          "description": "Indicates whether this webhook is enabled or not."
        },
        "displayName": {
          "type": "string",
          "description": "The friendly name displayed in the Pulumi Cloud."
        },
        "environmentName": {
          "type": "string",
          "description": "Name of the environment. Only specified if this is an environment webhook."
        },
        "filters": {
          "type": "array",
          "items": {
            "$ref": "#/types/pulumiservice:index:WebhookFilters"
          },
          "description": "Optional set of filters to apply to the webhook. See [webhook docs](https://www.pulumi.com/docs/intro/pulumi-service/webhooks/#filters) for more information."
        },
        "format": {
          "$ref": "#/types/pulumiservice:index:WebhookFormat",
          "description": "Format of the webhook payload. Can be either `raw` or `slack`. Defaults to `raw`.",
          "default": "raw"
        },
        "groups": {
          "type": "array",
          "items": {
            "$ref": "#/types/pulumiservice:index:WebhookGroup"
          },
          "description": "Optional set of filter groups to apply to the webhook. See [webhook docs](https://www.pulumi.com/docs/intro/pulumi-service/webhooks/#groups) for more information."
        },
        "organizationName": {
          "type": "string",
          "description": "Name of the organization.",
          "willReplaceOnChanges": true
        },
        "payloadUrl": {
          "type": "string",
          "description": "URL to send request to."
        },
        "projectName": {
          "type": "string",
          "description": "Name of the project. Only specified if this is a stack or environment webhook."
        },
        "secret": {
          "type": "string",
          "description": "Optional. secret used as the HMAC key. See [webhook docs](https://www.pulumi.com/docs/intro/pulumi-service/webhooks/#headers) for more information.",
          "secret": true
        },
        "stackName": {
          "type": "string",
          "description": "Name of the stack. Only needed if this is a stack webhook."
        }
      },
      "requiredInputs": [
        "active",
        "displayName",
        "organizationName",
        "payloadUrl"
      ]
    }
  },
  "functions": {
    "pulumiservice:index:buildAllowPermissions": {
      "description": "Builds an `OrganizationRole.permissions` descriptor that grants the supplied scopes globally — i.e. on every entity of the matching resource type. This is the simplest descriptor: a flat `PermissionDescriptorAllow`. Use this helper instead of hand-authoring the descriptor literal so the wire-format `__type` discriminator stays an implementation detail. For grants scoped to a specific entity, see `buildEnvironmentScopedPermissions`, `buildStackScopedPermissions`, or `buildInsightsAccountScopedPermissions`. The result is directly assignable to `OrganizationRole.permissions`. To grant scopes on more than one entity in a single role, hand-roll a `PermissionDescriptorGroup` whose `entries` list pulls the output of each helper.",
      "inputs": {
        "properties": {
          "permissions": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "The set of scopes to grant globally (e.g. `stack:read`, `environment:open`, `organization:billingManager`). Discover valid scope names via the `getOrganizationRoleScopes` data source."
          }
        },
        "type": "object",
        "required": [
          "permissions"
        ]
      },
      "outputs": {
        "properties": {
          "permissions": {
            "additionalProperties": {
              "$ref": "pulumi.json#/Any"
            },
            "description": "A `PermissionDescriptorAllow` granting the supplied scopes on every entity of the matching resource type, ready to assign to `OrganizationRole.permissions`.",
            "type": "object"
          }
        },
        "required": [
          "permissions"
        ],
        "type": "object"
      }
    },
    "pulumiservice:index:buildEnvironmentScopedPermissions": {
      "description": "Builds an `OrganizationRole.permissions` descriptor that grants the supplied scopes only on the named environment. Pair with `Environment.environmentId` (or the `getEnvironment` data source) to avoid hand-rolling the `PermissionDescriptorCondition` tree yourself. The result is directly assignable to `OrganizationRole.permissions`. To grant scopes on more than one entity in a single role, hand-roll a `PermissionDescriptorGroup` whose `entries` list pulls the output of each helper.",
      "inputs": {
        "properties": {
          "environmentId": {
            "type": "string",
            "description": "The target environment's UUID. Use the `environmentId` output of an `Environment` resource or the `getEnvironment` data source."
          },
          "permissions": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "The set of `environment:*` scopes to grant on the target environment (e.g. `environment:read`, `environment:open`, `environment:update`). Discover valid scope names via the `getOrganizationRoleScopes` data source."
          }
        },
        "type": "object",
        "required": [
          "environmentId",
          "permissions"
        ]
      },
      "outputs": {
        "properties": {
          "permissions": {
            "additionalProperties": {
              "$ref": "pulumi.json#/Any"
            },
            "description": "A `PermissionDescriptorCondition` tree gating a `PermissionDescriptorAllow` on the named environment, ready to assign to `OrganizationRole.permissions`.",
            "type": "object"
          }
        },
        "required": [
          "permissions"
        ],
        "type": "object"
      }
    },
    "pulumiservice:index:buildInsightsAccountScopedPermissions": {
      "description": "Builds an `OrganizationRole.permissions` descriptor that grants the supplied scopes only on the named insights account. Pair with `InsightsAccount.insightsAccountId` (or the `getInsightsAccount` data source). The result is directly assignable to `OrganizationRole.permissions`. To grant scopes on more than one entity in a single role, hand-roll a `PermissionDescriptorGroup` whose `entries` list pulls the output of each helper.",
      "inputs": {
        "properties": {
          "insightsAccountId": {
            "type": "string",
            "description": "The target insights account's identifier. Use the `insightsAccountId` output of an `InsightsAccount` resource or the `getInsightsAccount` data source."
          },
          "permissions": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "The set of `insights-account:*` scopes to grant on the target account. Discover valid scope names via the `getOrganizationRoleScopes` data source."
          }
        },
        "type": "object",
        "required": [
          "insightsAccountId",
          "permissions"
        ]
      },
      "outputs": {
        "properties": {
          "permissions": {
            "additionalProperties": {
              "$ref": "pulumi.json#/Any"
            },
            "description": "A `PermissionDescriptorCondition` tree gating a `PermissionDescriptorAllow` on the named insights account, ready to assign to `OrganizationRole.permissions`.",
            "type": "object"
          }
        },
        "required": [
          "permissions"
        ],
        "type": "object"
      }
    },
    "pulumiservice:index:buildStackScopedPermissions": {
      "description": "Builds an `OrganizationRole.permissions` descriptor that grants the supplied scopes only on the named stack. The `stackId` is the stack's opaque Pulumi Cloud identifier — distinct from the `organization/project/stack` triple. The result is directly assignable to `OrganizationRole.permissions`. To grant scopes on more than one entity in a single role, hand-roll a `PermissionDescriptorGroup` whose `entries` list pulls the output of each helper.",
      "inputs": {
        "properties": {
          "permissions": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "The set of `stack:*` scopes to grant on the target stack (e.g. `stack:read`, `stack:edit`, `stack:admin`). Discover valid scope names via the `getOrganizationRoleScopes` data source."
          },
          "stackId": {
            "type": "string",
            "description": "The target stack's opaque Pulumi Cloud identifier (not the `organization/project/stack` triple)."
          }
        },
        "type": "object",
        "required": [
          "stackId",
          "permissions"
        ]
      },
      "outputs": {
        "properties": {
          "permissions": {
            "additionalProperties": {
              "$ref": "pulumi.json#/Any"
            },
            "description": "A `PermissionDescriptorCondition` tree gating a `PermissionDescriptorAllow` on the named stack, ready to assign to `OrganizationRole.permissions`.",
            "type": "object"
          }
        },
        "required": [
          "permissions"
        ],
        "type": "object"
      }
    },
    "pulumiservice:index:getCurrentUser": {
      "description": "Returns the Pulumi Cloud user that the provider's access token belongs to. Useful for seeding a newly created `Team` with the creator as a member: Pulumi Cloud auto-adds the creator, so omitting this user from the team's member list causes drift on refresh.",
      "inputs": {
        "type": "object"
      },
      "outputs": {
        "properties": {
          "avatarUrl": {
            "description": "URL of the user's avatar image.",
            "type": "string"
          },
          "email": {
            "description": "The user's email address.",
            "type": "string"
          },
          "name": {
            "description": "The user's display name.",
            "type": "string"
          },
          "username": {
            "description": "The user's Pulumi Cloud username.",
            "type": "string"
          }
        },
        "required": [
          "username",
          "name",
          "email",
          "avatarUrl"
        ],
        "type": "object"
      }
    },
    "pulumiservice:index:getEnvironment": {
      "description": "Looks up an existing ESC environment by name and returns its UUID. Use this to scope a custom RBAC role to a specific environment — pass the returned UUID into `buildEnvironmentScopedPermissions`, or use it as the `identity` field of a hand-rolled `PermissionLiteralExpressionEnvironment` in `OrganizationRole.permissions`. Errors when the environment is not found.",
      "inputs": {
        "properties": {
          "name": {
            "type": "string",
            "description": "The environment name."
          },
          "organizationName": {
            "type": "string",
            "description": "The Pulumi Cloud organization that owns the environment."
          },
          "projectName": {
            "type": "string",
            "description": "The ESC project name. Defaults to `default`."
          }
        },
        "type": "object",
        "required": [
          "organizationName",
          "name"
        ]
      },
      "outputs": {
        "properties": {
          "environmentId": {
            "description": "The environment's UUID. Pass it to `buildEnvironmentScopedPermissions` (preferred) or use it as the `identity` field of a hand-rolled `PermissionLiteralExpressionEnvironment` in `OrganizationRole.permissions`.",
            "type": "string"
          },
          "name": {
            "description": "The environment name.",
            "type": "string"
          },
          "organizationName": {
            "description": "The Pulumi Cloud organization that owns the environment.",
            "type": "string"
          },
          "projectName": {
            "description": "The ESC project the environment lives in.",
            "type": "string"
          }
        },
        "required": [
          "organizationName",
          "projectName",
          "name",
          "environmentId"
        ],
        "type": "object"
      }
    },
    "pulumiservice:index:getInsightsAccount": {
      "description": "Get details about a specific Insights account.",
      "inputs": {
        "properties": {
          "accountName": {
            "type": "string",
            "description": "Name of the insights account."
          },
          "organizationName": {
            "type": "string",
            "description": "The organization's name."
          }
        },
        "type": "object",
        "required": [
          "organizationName",
          "accountName"
        ]
      },
      "outputs": {
        "properties": {
          "accountName": {
            "description": "Name of the insights account.",
            "replaceOnChanges": true,
            "type": "string"
          },
          "environment": {
            "description": "The ESC environment used for provider credentials. Format: 'project/environment' with optional '@version' suffix (e.g., 'my-project/prod-env' or 'my-project/prod-env@v1.0').",
            "type": "string"
          },
          "insightsAccountId": {
            "description": "The insights account identifier.",
            "type": "string"
          },
          "organizationName": {
            "description": "The organization's name.",
            "replaceOnChanges": true,
            "type": "string"
          },
          "provider": {
            "$ref": "#/types/pulumiservice:index:CloudProvider",
            "description": "The cloud provider for scanning.",
            "replaceOnChanges": true
          },
          "providerConfig": {
            "additionalProperties": {
              "$ref": "pulumi.json#/Any"
            },
            "description": "Provider-specific configuration as a JSON object. For AWS, specify regions to scan: {\"regions\": [\"us-west-1\", \"us-west-2\"]}.",
            "type": "object"
          },
          "scanSchedule": {
            "$ref": "#/types/pulumiservice:index:ScanSchedule",
            "default": "none",
            "description": "Schedule for automated scanning. Use 'daily' for daily scans, '12h' for scans every twelve hours, or 'none' to disable scheduled scanning. Defaults to 'none'."
          },
          "scheduledScanEnabled": {
            "description": "Whether scheduled scanning is enabled.",
            "type": "boolean"
          },
          "tags": {
            "additionalProperties": {
              "type": "string"
            },
            "description": "Key-value tags to associate with the insights account.",
            "type": "object"
          }
        },
        "required": [
          "organizationName",
          "accountName",
          "provider",
          "environment",
          "scanSchedule",
          "insightsAccountId",
          "scheduledScanEnabled"
        ],
        "type": "object"
      }
    },
    "pulumiservice:index:getInsightsAccounts": {
      "description": "Get a list of all Insights accounts for an organization.",
      "inputs": {
        "properties": {
          "organizationName": {
            "type": "string",
            "description": "The organization's name."
          }
        },
        "type": "object",
        "required": [
          "organizationName"
        ]
      },
      "outputs": {
        "properties": {
          "accounts": {
            "items": {
              "$ref": "#/types/pulumiservice:index:InsightsAccountState"
            },
            "type": "array"
          }
        },
        "required": [
          "accounts"
        ],
        "type": "object"
      }
    },
    "pulumiservice:index:getOrganizationMember": {
      "description": "Looks up a single member of a Pulumi Cloud organization by username (the backing identity-provider login, e.g. GitHub login). Returns an error when the member is not found.",
      "inputs": {
        "properties": {
          "organizationName": {
            "type": "string",
            "description": "The name of the Pulumi organization."
          },
          "username": {
            "type": "string",
            "description": "The Pulumi Cloud username (backing identity-provider login) to look up."
          }
        },
        "type": "object",
        "required": [
          "organizationName",
          "username"
        ]
      },
      "outputs": {
        "properties": {
          "role": {
            "description": "The member's built-in role (member, admin, billing-manager). Absent when a custom role is assigned — check `roleId` in that case.",
            "type": "string"
          },
          "roleId": {
            "description": "The custom role ID assigned to this member, if any.",
            "type": "string"
          },
          "roleName": {
            "description": "The name of the currently assigned role (custom role name, or built-in role).",
            "type": "string"
          },
          "username": {
            "description": "The member's Pulumi Cloud username.",
            "type": "string"
          },
          "virtualAdmin": {
            "description": "Whether this member is an admin in Pulumi Cloud without admin access on the backing identity provider.",
            "type": "boolean"
          }
        },
        "required": [
          "username",
          "virtualAdmin"
        ],
        "type": "object"
      }
    },
    "pulumiservice:index:getOrganizationMembers": {
      "description": "Lists all members of a Pulumi Cloud organization, including their role assignments. Merges Pulumi Cloud's identity-provider roster (paginated; includes users who haven't signed in to Pulumi yet) with the seat-count roster, deduped by username, so SAML- and non-SAML-provisioned members both appear regardless of which roster they're tracked in.",
      "inputs": {
        "properties": {
          "organizationName": {
            "type": "string",
            "description": "The name of the Pulumi organization."
          }
        },
        "type": "object",
        "required": [
          "organizationName"
        ]
      },
      "outputs": {
        "properties": {
          "members": {
            "items": {
              "$ref": "#/types/pulumiservice:index:OrganizationMemberInfo"
            },
            "type": "array"
          }
        },
        "required": [
          "members"
        ],
        "type": "object"
      }
    },
    "pulumiservice:index:getOrganizationRoleScopes": {
      "description": "Lists the permission scopes available for custom roles in an organization. Use this to discover valid scope names before setting `OrganizationRole.permissions`. The catalogue is flattened into a single list with resource type and group context, sorted deterministically.",
      "inputs": {
        "properties": {
          "organizationName": {
            "type": "string",
            "description": "The Pulumi Cloud organization name."
          }
        },
        "type": "object",
        "required": [
          "organizationName"
        ]
      },
      "outputs": {
        "properties": {
          "scopes": {
            "items": {
              "$ref": "#/types/pulumiservice:index:RoleScopeInfo"
            },
            "type": "array"
          }
        },
        "required": [
          "scopes"
        ],
        "type": "object"
      }
    },
    "pulumiservice:index:getPolicyPack": {
      "description": "Get details about a specific version of a policy pack.",
      "inputs": {
        "properties": {
          "organizationName": {
            "type": "string",
            "description": "The name of the Pulumi organization."
          },
          "policyPackName": {
            "type": "string",
            "description": "The name of the policy pack."
          },
          "version": {
            "type": "integer",
            "description": "The version number of the policy pack. If not specified, returns the latest version."
          }
        },
        "required": [
          "organizationName",
          "policyPackName"
        ]
      },
      "outputs": {
        "properties": {
          "config": {
            "additionalProperties": {
              "$ref": "pulumi.json#/Any"
            },
            "description": "Configuration for the policy pack.",
            "type": "object"
          },
          "displayName": {
            "description": "The display name of the policy pack.",
            "type": "string"
          },
          "name": {
            "description": "The name of the policy pack.",
            "type": "string"
          },
          "policies": {
            "description": "List of policies in this pack.",
            "items": {
              "type": "object"
            },
            "type": "array"
          },
          "version": {
            "description": "The version number.",
            "type": "integer"
          },
          "versionTag": {
            "description": "The version tag (if any).",
            "type": "string"
          }
        },
        "required": [
          "name",
          "displayName",
          "version"
        ]
      }
    },
    "pulumiservice:index:getPolicyPacks": {
      "description": "Get a list of all policy packs for an organization.",
      "inputs": {
        "properties": {
          "organizationName": {
            "type": "string",
            "description": "The name of the Pulumi organization."
          }
        },
        "required": [
          "organizationName"
        ]
      },
      "outputs": {
        "properties": {
          "policyPacks": {
            "description": "List of policy packs in the organization.",
            "items": {
              "type": "object"
            },
            "type": "array"
          }
        },
        "required": [
          "policyPacks"
        ]
      }
    }
  }
}
