Changelogs » Pulumi

PyUp Safety actively tracks 323,951 Python packages for vulnerabilities and notifies you when to upgrade.



Bug Fixes
  - [cli] - Respect provider aliases
  - [cli] - `pulumi stack ls` now returns all accessible stacks (removing
  earlier cap imposed by the httpstate backend).
  - [sdk/go] - Fix panics caused by logging from `ApplyT`, affecting
  `pulumi-docker` and potentially other providers
  - [sdk/python] - Handle unknown results from methods.


  - [sdk/go] - Add stack output helpers for numeric types.
  - [sdk/python] - Permit `Input[Resource]` values in `depends_on`.
  - [backend/filestate] - Allow pulumi stack ls to see all stacks regardless of passphrase.
  Bug Fixes
  - [sdk/{go,python,nodejs}] - Rehydrate provider resources in `Construct`.
  - [engine] - Include children when targeting components.
  - [cli] - Restore passing log options to providers when `--logflow` is specified
  - [sdk/nodejs] - Fix `pulumi up --logflow` causing Node multi-lang components to hang
  - [sdk/{dotnet,python,nodejs}] - Set the package on DependencyProviderResource.


  - [sdk/dotnet] - Fix async await warnings.
  - [codegen/dotnet] - Emit dynamic config-getters.
  - [sdk/python] - Support for authoring resource methods in Python.
  - [sdk/{go,dotnet}] - Admit non-asset/archive values when unmarshalling into assets and archives.
  Bug Fixes
  - [sdk/dotnet] - Fix for race conditions in .NET SDK that used to
  manifest as a `KeyNotFoundException` from `WhileRunningAsync`.
  - [sdk/go] - Fix target and replace options for the Automation API.
  - [cli] - Don't escape special characters when printing JSON.
  - [sdk/go] - Fix panic when marshaling `self` in a method.


  - [codegen/python,nodejs] Emit dynamic config-getters.
  [7447](, [#7530](
  - [sdk/python] Make `Output[T]` covariant
  Bug Fixes
  - [sdk/nodejs] Fix a bug in closure serialization.
  - [cli] Normalize cloud URL during login
  - [sdk/nodejs,dotnet] Wait on remote component dependencies


  - [sdk/nodejs] Support for calling resource methods.
  - [sdk/go] Support for calling resource methods.
  Bug Fixes
  - [codegen/go] Reimplement strict go enums to be Inputs.
  - [codegen/go] Emit To[ElementType]Output methods for go enum output types.


  - [sdk] Add `replaceOnChanges` resource option.
  - [sdk/go] Support for authoring resource methods in Go.
  Bug Fixes
  - [sdk/python] Fix an issue where dependency keys were incorrectly translates to camelcase.
  - [cli] Fix rendering of diffs for resource without DetailedDiffs.


  - [cli] Added support for passing custom paths that need
  to be watched by the `pulumi watch` command.
  - [auto/nodejs] Fail early when multiple versions of `pulumi/pulumi` are detected in nodejs inline programs.
  - [sdk/go] Add preliminary support for unmarshaling plain arrays and maps of output values.
  - Initial support for resource methods (Node.js authoring, Python calling).
  Bug Fixes
  - [sdk/dotnet] Fix swallowed nested exceptions with inline program, so they correctly bubble to the consumer.
  - [sdk/go] Specify known when creating outputs for `construct`.
  - [cli] Fix passphrase rotation.
  - [multilang/python] Fix nested module generation.
  - [multilang/nodejs] Fix a hang when an error is thrown within an apply in a remote component.
  - [codegen/python] Include enum docstrings for python.


**Please Note:** The v3.5.0 release did not complete and was re-released at the same commit as v3.5.1.
  - [dotnet/sdk] Support microsoft logging extensions with inline programs.
  - [dotnet/sdk] Add create unknown to output utilities.
  - [dotnet] Fix Resharper code issues.
  - [codegen] Include properties with an underlying type of string on Go provider instances.
  - [cli] Provide a more helpful error instead of panicking when codegen fails during import.
  - [codegen/python] Cache package version for improved performance.
  - [sdk/python] Reduce `log.debug` calls for improved performance.
  Bug Fixes
  - [sdk/dotnet] Fix resources destroyed after exception thrown during inline program.
  - [sdk/python] Fix regression in behaviour for `Output.from_input({})`.
  - [sdk/python] Prevent infinite loops when iterating `Output` objects.
  - [codegen/python] Rename conflicting ResourceArgs classes.


  - [dotnet/sdk] Add get value async to output utilities.
  Bug Fixes
  - [CLI] Fix broken venv for Python projects started from templates.
  - [cli] Send plugin install output to stderr, so that it doesn't
  clutter up --json, automation API scenarios, and so on.
  - [cli] Protect against panics when using the wrong resource type with `pulumi import`.
  - [auto/nodejs] Emit warning instead of breaking on parsing JSON events for automation API.
  - [sdk/python] Improve performance of `Output.from_input` and `Output.all` on nested objects.
  - [cli] Update version of go-cloud used by Pulumi to `0.23.0`.


  - [dotnet/sdk] Use source context with serilog.
  - [auto/dotnet] Make StackDeployment.FromJsonString public.
  - [sdk/python] Generated SDKs may now be installed from in-tree source.
  Bug Fixes
  - [auto/nodejs] Fix an intermittent bug in parsing JSON events.
  - [auto/dotnet] Fix deserialization of CancelEvent in .NET 5.
  - Temporarily disable warning when a secret config is read as a non-secret.


  - [cli] Provide user information when protected resources are not able to be deleted
  - [cli] Error instead of panic on invalid state file import
  - Warn when a secret config is read as a non-secret
  - [sdk/nodejs|python] Add GetSchema support to providers
  - [auto/dotnet] Provide PulumiFn implementation that allows runtime stack type
  - [auto/go] Provide GetPermalink for all results
  Bug Fixes
  - [sdk/python] Fix relative `runtime:options:virtualenv` path resolution to ignore `main` project attribute
  - [auto/dotnet] Disable Language Server Host logging and checking appsettings.json config
  - [auto/python] Export missing `ProjectBackend` type
  - [sdk/nodejs] Fix noisy errors.
  - Config: Avoid emitting integers in objects using exponential notation.
  - [codegen/python] Fix issue with lazy_import affecting pulumi-eks
  - Ensure that all outstanding asynchronous work is awaited before returning from a .NET
  Pulumi program.
  - Config: Avoid emitting integers in objects using exponential notation.
  - Build: Add vs code dev container
  - Ensure that all outstanding asynchronous work is awaited before returning from a Go
  Pulumi program. Note that this may require changes to programs that use the
  `pulumi.NewOutput` API.


Bug Fixes
  - [cli] Fix a regression caused by [6893]( that stopped stacks created
  with empty passphrases from completing successful pulumi commands when loading the passphrase secrets provider.


  - [auto/go] Provide GetPermalink for all results
  - [automation/*] Add support for getting stack outputs using Workspace
  - [automation/*] Optionally skip Automation API version check
  The version check can be skipped by passing a non-empty value to the `PULUMI_AUTOMATION_API_SKIP_VERSION_CHECK` environment variable.
  - [auto/go,nodejs] Add UserAgent to update/pre/refresh/destroy options.
  Bug Fixes
  - [cli] Return an appropriate error when a user has not set `PULUMI_CONFIG_PASSPHRASE` nor `PULUMI_CONFIG_PASSPHRASE_FILE`
  when trying to access the Passphrase Secrets Manager
  - [cli] Prevent against panic when using a ResourceReference as a program output
  - [sdk/python] Fix bug in MockResourceArgs.
  - [sdk/python] Address issues when using resource subclasses.
  - [sdk/python] Fix type-related regression on Python 3.6.
  - [sdk/python] Don't error when a dict input value has a mismatched type annotation.
  - [automation/dotnet] Fix EventLogWatcher failing to read events after an exception was thrown
  - [automation/dotnet] Use stackName in ImportStack
  - [automation/go] Improve autoError message formatting
  - [auto/dotnet] Bump YamlDotNet to 11.1.1
  - [sdk/dotnet] Enable deterministic builds
  - [auto/*] Bump minimum version to v3.1.0.


Breaking Changes
  Please note, the following 2 breaking changes were included in our [3.0 changlog](
  Unfortunately, the initial release did not include that change. We apologize for any confusion or inconvenience this may have included the addressed behaviour.
  - [cli] Standardize stack select behavior to ensure that passing `--stack` does not make that the current stack.
  - [cli] Set pagination defaults for `pulumi stack history` to 10 entries.
  - [sdk/nodejs] Handle providers for RegisterResourceRequest
  - [automation/dotnet] Remove dependency on Gprc.Tools for F / Paket compatibility
  Bug Fixes
  - [codegen] Fix codegen for types that are used by both resources and functions.
  - [sdk/python] Fix bug in `get_resource_module` affecting resource hydration.
  - [automation/python] Fix bug in UpdateSummary deserialization for nested config values.


Breaking Changes
  - [sdk/cli] Bump version of Pulumi CLI and SDK to v3
  - Dropped support for NodeJS < v11.x
  - [CLI] Standardize the `--stack` flag to *not* set the stack as current (i.e. setStack=false) across CLI commands.
  - [CLI] Set pagination defaults for `pulumi stack history` to 10 entries.
  - [CLI] Remove `pulumi history` command. This was previously deprecated and replaced by `pulumi stack history`
  - [sdk/*] Refactor Mocks newResource and call to accept an argument struct for future extensibility rather than individual args
  - [sdk/nodejs] Enable nodejs dynamic provider caching by default on program side.
  - [sdk/python] Improved dict key translation support (3.0-based providers will opt-in to the improved behavior)
  - [sdk/python] Allow using Python to build resource providers for multi-lang components.
  - [sdk/go] Simplify `Apply` method options to reduce binary size
  - [Automation/*] All operations use `--stack` to specify the stack instead of running `select stack` before the operation.
  - [Automation/go] Moving go automation API package from sdk/v2/go/x/auto -> sdk/v2/go/auto
  - [Automation/nodejs] Moving NodeJS automation API package from sdk/nodejs/x/automation -> sdk/nodejs/automation
  - [Automation/python] Moving Python automation API package from pulumi.x.automation -> pulumi.automation
  - [Automation/go] Moving go automation API package from sdk/v2/go/x/auto -> sdk/v2/go/auto
  - [sdk/nodejs] Add support for multiple V8 VM contexts in closure serialization.
  - [sdk] Handle providers for RegisterResourceRequest
  - [sdk/go] Support defining remote components in Go.
  Bug Fixes
  - [CLI] Clean the template cache if the repo remote has changed.


Bug Fixes
  - [cli] Fix a bug that prevented copying checkpoint files when using Azure Blob Storage
  as the backend provider. [6794](


Bug Fixes
  - [automation/python] Fix serialization bug in `StackSettings`


  - [automation/dotnet] Rename (Get,Set,Remove)Config(Value)
  The following methods on Workspace and WorkspaceStack classes have
  been renamed. Please update your code (before -> after):
  * GetConfigValue -> GetConfig
  * SetConfigValue -> SetConfig
  * RemoveConfigValue -> RemoveConfig
  * GetConfig -> GetAllConfig
  * SetConfig -> SetAllConfig
  * RemoveConfig -> RemoveAllConfig
  This change was made to align with the other Pulumi language SDKs.
  - [cli] Add option to print absolute rather than relative dates in stack history
  pulumi stack history --full-dates
  - [cli] Enable absolute and relative parent paths for pulumi main
  - [sdk/dotnet] Thread-safe concurrency-friendly global state
  - [tooling] Update pulumi python docker image to python 3.9
  - [sdk/nodejs] Add program side caching for dynamic provider serialization behind env var
  - [sdk/nodejs] Allow prompt values in `construct` for multi-lang components.
  - [automation/dotnet] Allow null environment variables
  - [automation/dotnet] Expose WorkspaceStack.GetOutputsAsync
  var stack = await WorkspaceStack.CreateAsync(stackName, workspace);
  await stack.SetConfigAsync(config);
  var initialOutputs = await stack.GetOutputsAsync();
  - [automation/dotnet] Implement (Import,Export)StackAsync methods on LocalWorkspace and WorkspaceStack and expose StackDeployment helper class.
  var stack = await WorkspaceStack.CreateAsync(stackName, workspace);
  var upResult = await stack.UpAsync();
  deployment = await workspace.ExportStackAsync(stackName);
  - [automation/dotnet] Implement CancelAsync method on WorkspaceStack
  var stack = await WorkspaceStack.CreateAsync(stackName, workspace);
  var cancelTask = stack.CancelAsync();
  - [automation/python] Expose structured logging for Stack.up/preview/refresh/destroy.
  You can now pass in an `on_event` callback function as a keyword arg to `up`, `preview`, `refresh`
  and `destroy` to process streaming json events defined in `automation/`
  Bug Fixes
  - [sdk/go] Fix wrongly named Go modules
  - [cli] Handle non-existent creds file in `pulumi logout --all`
  - [automation/nodejs] Do not run the promise leak checker if an inline program has errored.
  - [sdk/nodejs] Explicitly create event log file for NodeJS Automation API.
  - [sdk/nodejs] Fix error handling for failed logging statements
  - [sdk/nodejs] Fix `Construct` to wait for child resources of a multi-lang components to be created.
  - [sdk/python] Fix serialization bug if output contains 'items' property.
  - [automation] Set default value for 'main' for inline programs to support relative paths, assets, and closure serialization.
  - [automation/dotnet] Environment variable value type is now nullable.
  - [automation/dotnet] Fix GetConfigValueAsync failing to deserialize
  - [automation] Fix (de)serialization of StackSettings in .NET, Node, and Python.


Bug Fixes
  - [cli] Revert the swapping out of the YAML parser library
  - [automation/go,python,nodejs] Respect pre-existing Pulumi.yaml for inline programs.


  - [sdk/nodejs] Add provider side caching for dynamic provider deserialization
  - [automation/dotnet] Expose structured logging
  - [cli] Support full fidelity YAML round-tripping
  - Strip Byte-order Mark (BOM) from YAML configs during load. [6636](
  - Swap out YAML parser library [6642](
  - [sdk/python] Ensure all async tasks are awaited prior to exit.
  Bug Fixes
  - [sdk/nodejs] Fix error propagation in registerResource and other resource methods.
  - [automation/python] Fix passing of additional environment variables.
  - [sdk/python] Make exceptions raised by calls to provider functions (e.g. data sources) catchable.
  - [automation/go,python,nodejs] Respect pre-existing Pulumi.yaml for inline programs.


  - [cli] Improve diff displays during `pulumi refresh`
  - [sdk/go] Cache loaded configuration files.
  - [sdk/nodejs] Allow `Mocks::newResource` to determine whether the created resource is a `CustomResource`.
  - [automation/*] Implement minimum version checking and add:
  - Go: `LocalWorkspace.PulumiVersion()` [6577](
  - Nodejs: `LocalWorkspace.pulumiVersion` [6580](
  - Python: `LocalWorkspace.pulumi_version` [6589](
  - Dotnet: `LocalWorkspace.PulumiVersion` [6590](
  Bug Fixes
  - [sdk/python] Fix automatic venv creation
  - [automation/python] Fix Settings file save
  - [sdk/dotnet] Remove MaybeNull from Output/Input.Create to avoid spurious warnings


Bug Fixes
  - [cli] Fix a bug where a version wasn't passed to go install commands as part of `make brew` installs from homebrew


  - [automation/go] Expose structured logging for Stack.Up/Preview/Refresh/Destroy.
  This change is marked breaking because it changes the shape of the `PreviewResult` struct.
  type PreviewResult struct {
  Steps         []PreviewStep  `json:"steps"`
  ChangeSummary map[string]int `json:"changeSummary"`
  type PreviewResult struct {
  StdOut        string
  StdErr        string
  ChangeSummary map[apitype.OpType]int
  - [automation/dotnet] Add ability to capture stderr
  This change is marked breaking because it also renames `OnOutput` to `OnStandardOutput`.
  - [sdk/go] Add helpers to convert raw Go maps and arrays to Pulumi `Map` and `Array` inputs.
  - [sdk/go] Return zero values instead of panicing in `Index` and `Elem` methods.
  - [sdk/go] Support multiple folders in GOPATH.
  - [cli] Add ability to download arm64 provider plugins
  - [build] Updating Pulumi to use Go 1.16
  - [build] Adding a Pulumi arm64 binary for use on new macOS hardware.
  Please note that `pulumi watch` will not be supported on darwin/arm64 builds.
  - [automation/nodejs] Expose structured logging for Stack.up/preview/refresh/destroy.
  - [automation/nodejs] Add `onOutput` event handler to `PreviewOptions`.
  - [cli] Add locking support to the self-managed backends using the `PULUMI_SELF_MANAGED_STATE_LOCKING=1` environment variable.
  Bug Fixes
  - [sdk/python] Fix mocks issue when passing a resource more than once.
  - [automation/dotnet] Add ReadDiscard OperationType
  - [cli] Ensure the user has the correct access to the secrets manager before using it as part of
  `pulumi stack export --show-secrets`.
  - [sdk/go] Implement getResource in the mock monitor.


  - [6410]( Add `diff` option to Automation API's `preview` and `up`
  Bug Fixes
  - [automation/dotnet] resolve issue with OnOutput delegate not being called properly during pulumi process execution.
  - [automation/python,nodejs,dotnet] BREAKING Remove `summary` property from `PreviewResult`.
  The `summary` property on `PreviewResult` returns a result that is always incorrect and is being removed.
  - [automation/python] Fix Windows error caused by use of NamedTemporaryFile in automation api.
  - [sdk/nodejs] Serialize default parameters correctly. [6397](
  - [cli] Respect provider aliases while diffing resources.


  - [cli] Disable permalinks to the update details page when using self-managed backends (S3, Azure, GCS). Should the user
  want to get permalinks when using a self backend, they can pass a flag:
  `pulumi up --suppress-permalink false`.
  Permalinks for these self-managed backends will be suppressed on `update`, `preview`, `destroy`, `import` and `refresh`
  - [cli] Added commands `config set-all` and `config rm-all` to set and remove multiple configuration keys.
  - [automation/*] Consume `config set-all` and `config rm-all` from automation API.
  - [sdk/dotnet] C Automation API.
  - [sdk/dotnet] F API to specify stack options.
  Bug Fixes
  - [sdk/nodejs] Don't error when loading multiple copies of the same version of a Node.js
  component package. [6387](
  - [cli] Skip unnecessary state file writes to address performance regression introduced in 2.16.2.


Bug Fixes
  - [sdk/python] Fixed a change to `Output.all()` that raised an error if no inputs are passed in.


  - [cli] Added pagination options to `pulumi stack history` [6292](
  This is used as follows:
  `pulumi stack history --page-size=20 --page=1`
  - [automation/*] Added pagination options for stack history in Automation API SDKs to improve
  performance of stack updates. [6257](
  This is used similar to the following example in go:
  func ExampleStack_History() {
  ctx := context.Background()
  stackName := FullyQualifiedStackName("org", "project", "stack")
  stack, _ := SelectStackLocalSource(ctx, stackName, filepath.Join(".", "program"))
  pageSize := 0
  page := 0
  hist, _ := stack.History(ctx, pageSize, page)
  - [pkg/testing/integration] Changed the default behavior for Python test projects to use `UseAutomaticVirtualEnv` by
  default. `UsePipenv` is now the way to use pipenv with tests.
  Bug Fixes
  - [automation/go] Exposed the version in the UpdateSummary for use in understanding the version of a stack update
  - [cli] Changed the behavior for Python on Windows to look for `python` binary first instead of `python3`.
  - [sdk/python] Gracefully handle monitor shutdown in the python runtime without exiting the process.
  - [sdk/python] Fixed a bug in `contains_unknowns` where outputs with a property named "values" failed with a TypeError.
  - [sdk/python] Allowed keyword args in Output.all() to create a dict.
  - [sdk/python] Defined `__all__` in modules for better IDE autocomplete.
  - [automation/python] Fixed a bug in nested configuration parsing.


- [sdk/python] Fix `Output.from_input` to unwrap nested output values in input types (args classes), which addresses
  an issue that was preventing passing instances of args classes with nested output values to Provider resources.


- [sdk/nodejs] Always read and write NodeJS runtime options from the environment.
  - [sdk/go] Take a breaking change to remove unidiomatic numerical types and drastically improve build performance (binary size and compilation time).
  - [cli] Ensure `pulumi stack change-secrets-provider` allows rotating the key from hashivault to passphrase provider


- [CLI] Fix malformed resource value bug.
  - [sdk/dotnet] Fix `RegisterResourceOutputs` to serialize resources as resource references
  only when the monitor reports that resource references are supported.
  - [CLI] Avoid panic for diffs with invalid property paths.
  - Enable resource reference feature by default.


- Revert [6125]( as it caused a which introduced a bug with serializing resource IDs


- [CLI] Add the ability to log out of all Pulumi backends at once.
  - [sdk/go] Added `pulumi.Unsecret` which will take an existing secret output and
  create a non-secret variant with an unwrapped secret value. Also adds,
  `pulumi.IsSecret` which will take an existing output and
  determine if an output has a secret within the output.


- .NET: Allow `IMock.NewResourceAsync` to return a null ID for component resources.
  Note that this may require mocks written in C to be updated to account for the
  change in nullability.
  - [automation/go] Add debug logging settings for common automation API operations
  - [automation/go] Set DryRun on previews so unknowns are identified correctly.
  - [sdk/python] Fix python 3.6 support by removing annotations import.
  - [sdk/nodejs] Added `pulumi.unsecret` which will take an existing secret output and
  create a non-secret variant with an unwrapped secret value. Also adds,
  `pulumi.isSecret` which will take an existing output and
  determine if an output has a secret within the output.
  - [sdk/python] Added `pulumi.unsecret` which will take an existing secret output and
  create a non-secret variant with an unwrapped secret value. Also adds,
  `pulumi.is_secret` which will take an existing output and
  determine if an output has a secret within the output.


- Fix an issue with go sdk generation where optional strict enum values
  could not be omitted. Note - this is a breaking change to go sdk's enum
  values. However we currently only support strict enums in the azure-nextgen provider's schema.
  - Fix an issue where python debug messages print unexpectedly.
  - [CLI] Add `version` to the stack history output to be able to
  correlate events back to the Pulumi SaaS
  - Fix a typo in the unit testing mocks to get the outputs
  while registering them
  - [sdk/dotnet] Moved urn value retrieval into if statement
  for MockMonitor
  - [sdk/dotnet] Added `Pulumi.Output.Unsecret` which will
  take an existing secret output and
  create a non-secret variant with an unwrapped secret value.
  - [sdk/dotnet] Added `Pulumi.Output.IsSecretAsync` which will
  take an existing output and
  determine if an output has a secret within the output.
  - [sdk/dotnet] Fix looking up empty version in
  - Python Automation API.
  - Support recovery workflow (import/export/cancel) in Python Automation API.


- Respect the `version` resource option for provider resources.
  - Allow `serializeFunction` to capture secrets.
  - [CLI] Allow `pulumi console` to accept a stack name
  - Support recovery workflow (import/export/cancel) in NodeJS Automation API.
  - [CLI] Add a confirmation prompt when using `pulumi policy rm`
  - [CLI] Ensure errors with the Pulumi credentials file
  give the user some information on how to resolve the problem
  - [sdk/go] Support maps in Invoke outputs and Read inputs


- Fix a bug in the core engine that could cause previews to fail if a resource with changes had
  unknown output property values.


- Fix a panic due to unsafe concurrent map access.
  - Fix regression in `venv` creation for python policy packs.


- Do not read plugins and policy packs into memory prior to extraction, as doing so can exhaust
  the available memory on lower-end systems.
  - Fix a bug in the core engine where deleting/renaming a resource would panic on update + refresh.
  - Fix a bug in the core engine that caused `ignoreChanges` to fail for resources being imported.
  - Fix a bug in the core engine that could cause resources references to marshal improperly
  during preview.
  - [sdk/dotnet] Add collection initializers for smooth support of Union<T, U> as element type
  - Fix a bug in the core engine where ComponentResource state would be accessed before initialization.
  - Prevent a panic by not attempting to show progress for zero width/height terminals.


- Fix a bug in the Go SDK that could result in dropped resource dependencies.
  - Temporarily disable resource ref feature.


- Re-apply fix for running multiple `pulumi` processes concurrently.
  - [cli] Prevent a panic when using `pulumi import` with local filesystems
  - [sdk/nodejs] Fix issue that would cause unit tests using mocks to fail with unhandled errors when
  a resource references another resources that's been registered with `registerResourceModule`.
  - Enable resource reference feature by default.
  - [codegen/go] Fix Input/Output methods for Go resources.
  - [sdk/python] Implement getResource in the mock monitor.
  - [sdk/dotnet] Implement getResource in the mock monitor and fix some issues around
  deserializing resources.


- Fix a problem where `pulumi import` could panic on an import error due to missing error message.
  - Correct the system name detected for Jenkins CI. [5891](
  - Fix python execution for users running Python installed through the Windows App Store
  on Windows 10 [5874](


- Fix errors when running `pulumi` in Windows-based CI environments.


- Fix a problem where `pulumi import` could panic on importing arrays and sets, due to
  incorrect array resizing logic. [5872](


- Address potential issues when running multiple `pulumi` processes concurrently.
  - Automatically install missing Python dependencies.
  - [cli] Ensure `pulumi stack change-secrets-provider` allows rotating the key for a passphrase provider


- [sdk/python] Add deserialization support for enums.
  - Correctly rename `Pulumi.*.yaml` stack files during a rename that includes an
  organization in its name [5812](
  - Respect `PULUMI_PYTHON_CMD` in scripts.
  - Add `PULUMI_BACKEND_URL` environment variable to configure the state backend.
  - [sdk/dotnet] Add support for dependency injection into TStack instance by adding an overload to `Deployment.RunAsync`. The overload accepts an `IServiceProvider` that is used to create the instance of TStack. Also added a new method `Deployment.TestWithServiceProviderAsync` for testing stacks that use dependency injection.
  - [cli] Ensure `pulumi stack change-secrets-provider` allows rotating the key in Azure KeyVault


- Propagate secretness of provider configuration through to the statefile. This ensures
  that any configuration values marked as secret (i.e. values set with
  `pulumi config set --secret`) that are used as inputs to providers are encrypted
  before they are stored.
  - Fix a bug that could prevent `pulumi import` from succeeding.
  - [Docs] Add support for the generation of Import documentation in the resource docs.
  This documentation will only be available if the resource is importable.
  - [codegen/go] Add support for ResourceType and isComponent to enable multi-language
  components in Go. This change also generates Input/Output types for all resources
  in downstream Go SDKs.
  - Support python 3.9 on Windows.
  - `pulumi-language-go` and `pulumi new` now explicitly requires Go 1.14.0 or greater.
  - Update .NET `Grpc` libraries to 2.33.1 and `Protobuf` to 3.13.0 (forked to increase
  the recursion limit) [5757](
  - Fix plugin install failures on Windows.
  - .NET: Report plugin install errors during `pulumi new`.
  - Correct error message on KeyNotFoundException against StackReference.
  - [cli] Small UX change on the policy violations output to render as `type: name`


- Fix a bug that was causing errors when (de)serializing custom resources.


- [cli] Ensure `pulumi history` annotes when secrets are unable to be decrypted
  - Fix a bug in the Python SDK that caused incompatibilities with versions of the CLI prior to


- Add internal scaffolding for using cross-language components from Go.
  - Support python 3.9.
  - [cli] Ensure that the CLI doesn't panic when using pulumi watch and using ComponentResources with non-standard naming
  - [cli] Ensure that the CLI doesn't panic when trying to assemble a graph on a stack that has no snapshot available
  - Add boolean values to Go SDK


- [cli] Ensure that the CLI doesn't panic when using pulumi watch and policies are enabled
  - [cli] Ensure that the CLI doesn't panic when using the JSON output as part of previews
  and policies are enabled


- NodeJS Automation API.
  - Improve the accuracy of previews by allowing providers to participate in determining what
  the impact of a change will be on output properties. Previously, Pulumi previews
  conservatively assumed that any output-only properties changed their values when an update
  occurred. For many properties, this was guaranteed to not be the case (because those
  properties are immutable, for example), and by suggesting the value might change, this could
  lead to the preview suggesting additional transitive updates of even replaces that would not
  actually happen during an update. Pulumi now allows the provider to specify the details of
  what properties will change during a preview, allowing them to expose more accurate
  provider-specific knowledge. This change is less conservative than the previous behavior,
  and so in case it causes preview results which are not deemed correct in some case - the
  `PULUMI_DISABLE_PROVIDER_PREVIEW` flag can be set to a truthy value (e.g. `1`) to enable the
  previous and more conservative behavior for previews.
  - Add an import command to the Pulumi CLI. This command can be used to import existing resources
  into a Pulumi stack.
  - [cli] Remove eternal loop if a configured passphrase is invalid.
  - Correctly validate project names during 'pulumi new'
  - Fixing gzip compression for alternative backends.
  - Add internal scaffolding for using cross-language components from .NET.
  - Support self-contained executables as binary option for .NET programs.
  - [cli] Ensure old secret provider variables are cleaned up when changing between secret providers
  - [cli] Respect logging verbosity as part of pulumi plugin install commands
  - [cli] Accept `-f` as a shorthand for `--skip-preview` on `pulumi up`, `pulumi refresh` and `pulumi destroy` operations
  - [cli] Validate cloudUrl formats before `pulumi login` and throw an error if incorrect format specified
  - [automation api] Add support for passing a private ssh key for git authentication that doesn't rely on a file path
  - [cli] Improve user experience when pulumi plugin rm --all finds no plugins
  to remove. The previous behaviour was an error and should not be so.
  - [sdk/python] Fix ResourceOptions annotations and doc strings.
  - [sdk/dotnet] Fix HashSet concurrency issue.


- feat(autoapi): expose EnvVars LocalWorkspaceOption to set in ctor
  - [sdk/python] Fix secret regression: ensure unwrapped secrets during deserialization
  are rewrapped before being returned.


- Add internal scaffolding for using cross-language components from Python.


- Do not oversimplify types for display when running an update or preview.
  - Pulumi Windows CLI now uploads all VCS information to console
  (fixes [5014](
  - .NET SDK: Support `Output<object>` for resource output properties
  (fixes [5446](


- [sdk/go] Add missing Version field to invokeOptions
  - Add `pulumi console` command which opens the currently selected stack in the Pulumi console.
  - Python SDK: Cast numbers intended to be integers to `int`.


- feat(autoapi): add GetPermalink for operation result
  - Relax stack name validations for Automation API [5337](
  - Allow Pulumi to read a passphrase file, via `PULUMI_CONFIG_PASSPHRASE_FILE` to interact
  with the passphrase secrets provider. Pulumi will first try and use the `PULUMI_CONFIG_PASSPHRASE`
  to get the passphrase then will check `PULUMI_CONFIG_PASSPHRASE_FILE` and then all through to
  asking interactively as the final option.
  - feat(autoapi): Add support for working with private Git repos. Either `SSHPrivateKeyPath`,
  `PersonalAccessToken` or `UserName` and `Password` can be pushed to the `auto.GitRepo` struct
  when interacting with a private repo
  - Revise the design for connecting an existing language runtime to a CLI invocation.
  Note that this is a protocol breaking change for the Automation API, so both the
  API and the CLI must be updated together.
  - Automation API - support streaming output for Up/Refresh/Destroy operations.
  - Automation API - add recovery APIs (cancel/export/import)


- feat(autoapi): add Upsert methods for stacks
  - Add IsSelectStack404Error and IsCreateStack409Error
  - Add internal scaffolding for cross-language components.
  - feat(autoapi): add workspace scoped envvars to LocalWorkspace and Stack
  - refactor(autoapi-gitrepo): use Workspace in SetupFn callback
  - Fix Go SDK plugin acquisition for programs with vendored dependencies
  - Python SDK: Add support for `Sequence[T]` for array types
  - feat(autoapi): Add support for non default secret providers in local workspaces
  - .NET SDK: Prevent a task completion race condition


- Alpha version of the Automation API for Go
  - Python SDK: Avoid raising an error when internal properties don't match the
  expected type.
  - Added `--suppress-permalink` option to suppress the permalink output
  (fixes [4103](


- Python SDK: Avoid raising an error when an output has a type annotation of Any
  and the value is a list or dict.


- Fix support for CheckFailures in Python Dynamic Providers
  - Upgrade version of ``. This ensures that 'AWSKMS' secrets
  providers can now be used with full ARNs rather than just Aliases
  - Ensure the 'history' command is a subcommand of 'stack'.
  This means that `pulumi history` has been deprecated in favour
  of `pulumi stack history`.
  - Add support for extracting jar files in archive resources
  - SDK changes to support Python input/output classes


- Add nuget badge to README [5117](
  - Support publishing and consuming Policy Packs using any runtime
  - Fix regression where any CLI integration for any stack with a default
  secrets provider would sort the config alphabetically and new stacks created
  would get created with an empty map `{}` in the config file


- Fix a bug where passphrase managers were not being
  recognised correctly when getting the configuration
  for the current stack.
  **Please Note:**
  This specific bug may have caused the stack config
  file to remove the password encryption salt.


- Add missing MapMap and ArrayArray types to Go SDK
  - Switch os/user package with luser drop in replacement
  - Update pip/setuptools/wheel in virtual environment before installing dependencies
  - Add ability to change a secrets provider for the current stack
  - Add ability to create a stack based on the config from an existing stack
  - Python: Improved error message when `virtualenv` doesn't exist
  - Enable pushing to Artifact Registry in actions


- Fix logic to parse pulumi venv on github action


- Add pluginDownloadURL field to package definition
  - Add support for streamInvoke during update
  - Add ability to copy configuration values between stacks
  - Add logic to parse pulumi venv on github action
  - Better performance for stacks with many resources using the .NET SDK
  - Output PDB files and enable SourceLink integration for .NET assemblies


- Fix a panic in the display during CLI operations


- Go program gen: Improved handling for pulumi.Map types
  - Go SDK: Input type interfaces should declare pointer type impls where appropriate
  - Fixes issue where base64-encoded GOOGLE_CREDENTIALS causes problems with other commands


- Go program gen: prompt array conversion, unused range vars, id handling
  - Go program gen handling for prompt optional primitives
  - Go program gen All().Apply rewriter
  - Go program gen improvements (multiline strings, get/lookup disambiguation, invoke improvements)
  - Go program gen improvements (splat, all, index, traversal, range)
  - Go program gen improvements (resource range, readDir, fileArchive)
  - Set default config namespace for Get/Try/Require methods in Go SDK.
  - Handle invalid UTF-8 characters before RPC calls
  - Improve typing for Go SDK secret config values
  - Fix panic on `pulumi up` prompt after preview when filtering and hitting arrow keys.
  - Ensure GitHub Action authenticates to GCR when `$GOOGLE_CREDENTIALS` specified
  - Fix `pylint(no-member)` when accessing ``.
  - Fix GitHub Actions environment detection for PRs.
  - Adding language sdk specific docker containers.
  - Workaround bug in grcpio v1.30.0 by excluding this version from required dependencies.


- Turn program generation NYIs into diagnostic errors
  - Improve dev version detection logic
  - Export `CustomTimeouts` in the Python SDK
  - Add GitHub Actions CI detection
  - Allow users to specify base64 encoded strings as GOOGLE_CREDENTIALS
  - Install and use dependencies automatically for new Python projects.


- Add F operators for InputUnion.
  - Add support for untagged outputs in Go SDK.
  - Update go-cloud to support all Azure regions
  - Fix a Regression in .NET unit testing.
  - Allow `pulumi.export` calls from Python unit tests.
  - Add support for publishing Python policy packs.
  - Improve download perf by fetching plugins from a CDN.


- Add new brew target to fix homebrew builds


- Fixed ResourceOptions issue with stack references in Python SDK
  - Add runTask to F Deployment module
  - Add support for generating Fish completions
  - Support map-typed inputs in RegisterResource for Go SDK
  - Don't call IMocks.NewResourceAsync for the root stack resource
  - Add ResourceOutput type to Go SDK
  - Allow secrets to be decrypted when exporting a stack
  - Commands checking for a confirmation or requiring a `--yes` flag can now be
  skipped by setting `PULUMI_SKIP_CONFIRMATIONS` to `1` or `true`.


- Add retry support when writing to state buckets


- Fix infinite recursion bug for Go SDK
  - Order secretOutputNames when used in stack references
  - Add support for a `PULUMI_CONSOLE_DOMAIN` environment variable to override the
  behavior for how URLs to the Pulumi Console are generated.
  - Protect against panic when unprotecting non-existant resources
  - Add flag to `pulumi stack` to output only the stack name
  - Ensure Go accessor methods correctly support nested fields of optional outputs
  - Improve `ResourceOptions.merge` type in Python SDK
  - Ensure generated Python module names are keyword-safe.
  - Explicitly set XDG_CONFIG_HOME and XDG_CACHE_HOME env vars for helm in the
  pulumi docker image
  - Increase the MaxCallRecvMsgSize for all RPC calls.


- CLI behavior change.  Commands in non-interactive mode (i.e. when `pulumi` has its output piped to
  another process or running on CI) will not default to assuming that `--yes` was passed in.  `--yes` is now
  explicitly required to proceed in non-interactive scenarios. This affects:
  * `pulumi destroy`
  * `pulumi new`
  * `pulumi refresh`
  * `pulumi up`
  - Fixed [crashes and hangs]( introduced by usage of
  another library.
  - pulumi/pulumi now requires Node.js version >=10.10.0.
  - All data-source invocations are now asynchronous (Promise-returning) by default.
  - C code generation switched to schema.
  - .NET API: replace `IDeployment` interface with `DeploymentInstance` class.
  - Fix Go SDK secret propagation for Resource inputs/outputs.
  - Fix Go codegen to emit config packages
  - Treat config values set with `--path` that start with '0' as strings rather than numbers.
  - Switch .NET projects to .NET Core 3.1
  - Avoid unexpected replace on resource with `import` applied on second update.


- Propagate `additionalSecretOutputs` opt to Read in NodeJS.
  - Fix handling of `nil` values in Outputs in Go.
  - Include usage hints for Input types in Go SDK
  - Fix secretness propagation in Python `apply`.
  - Fix the `call` mock in Python.
  - Fix handling of secret values in mock-based tests.
  - Automatic plugin acquisition for Go
  - Define merge behavior for resource options in Go SDK
  - Add overloads to Output.All in .NET
  - Make prebuilt executables opt-in only for the Go SDK
  - Support the `binary` option (prebuilt executables) for the .NET SDK
  - Add helper methods for stack outputs in the Go SDK
  - Add additional overloads to Deployment.RunAsync in .NET API.
  - Automate execution of `go mod download` for `pulumi new` Go templates
  - Fix `pulumi up -r -t $URN` not refreshing only the target
  - Fix logout with file backend when state is deleted
  - Fix specific flags for `pulumi stack` being global
  - Fix error when setting config without value in non-interactive mode
  - Propagate unknowns in Go SDK during marshal operations
  - Fix Go SDK stack reference helpers to handle nil values
  - Fix propagation of unknown status for secrets


- Fix error related to side-by-side versions of `pulumi/pulumi`.
  - Allow users to specify an alternate backend URL when using the GitHub Actions container with the env var `PULUMI_BACKEND_URL`.


- Move to a multi-module repo to enable modules for the Go SDK
  - Report compile time errors for Go programs during plugin acquisition.
  - Add missing builtin `MapArray` to Go SDK.
  - Add aliases to Go SDK codegen pkg.
  - Discontinue testing on Node 8 (which has been end-of-life since January 2020), and start testing on Node 13.
  - Add support for enabling Policy Packs with configuration.
  - Remove obsolete .NET serialization attributes.
  - Add support for validating Policy Pack configuration.


- Add support for plugin acquisition for Go programs
  - Display resource type in PAC violation output
  - Update to Helm v3 in pulumi Docker image
  - Add ArrayMap builtin types to Go SDK
  - Improve documentation of URL formats for `pulumi login`
  - Add support for stack transformations in the .NET SDK.
  - Fix `pulumi stack ls` on Windows
  - Add support for running Python policy packs.


- Fix Kubernetes YAML parsing error in .NET.
  - Avoid projects beginning with `Pulumi` to stop cyclic imports
  - Ensure we can locate Go created application binaries on Windows
  - Ensure Python overlays work as part of our SDK generation
  - Fix terminal gets into a state where UP/DOWN don't work with prompts.
  - Ensure old provider is not used when configuration has changed
  - Support for unit testing and mocking in the .NET SDK.


- Avoid Configuring providers which are not used during preview.
  - Fix missing module import on Windows platform.
  - Add support for mocking the resource monitor to the NodeJS and Python SDKs.
  - Reinstate caching of TypeScript compilation.
  - Remove the need to set PULUMI_EXPERIMENTAL to use the policy and watch commands.
  - Fix type annotations for `Output.all` and `Output.concat` in Python SDK.
  - Add support for configuring policies.


- Fix a regression for CustomTimeouts in Python SDK.
  - Avoid panic when displaying failed stack policies.
  - Add support for secrets in the Go SDK.
  - Add support for transformations in the Go SDK.


- Allow oversize protocol buffers for Python SDK.
  - Avoid duplicated messages in preview/update progress display.
  - Improve CPU utilization in the Python SDK when waiting for resource operations.
  - Expose resource options, parent, dependencies, and provider config to policies.
  - Move .NET SDK attributes to the root namespace.
  - Support exporting older stack versions.
  - Disable interactive progress display when no terminal size is available.
  - Mark `ResourceOptions` class as abstract in the .NET SDK. Require the use of derived classes.


- Support stack references in the Go SDK.
  - Fix the Windows release process.


- Avoid writing checkpoints to backend storage in common case where no changes are being made.
  - Add information about an in-flight operation to the stack command output, if applicable.
  - Update `SummaryEvent` to include the actual name and local file path for locally-executed policy packs.
  - Add support for aliases in the Go SDK
  - Fix Python Dynamic Providers on Windows.


- Fix a stack reference regression in the Python SDK.
  - Fix a buggy assertion in the Go SDK.
  - Add `--latest` flag to `pulumi policy enable`.
  - Breaking change for Policy which removes requirement for version when running `pulumi policy disable`. Add `--version` flag if user wants to specify version of Policy Pack to disable.
  - Fix rendering of Policy Packs to ensure they are always displayed.
  - Primitive input types in the Go SDK (e.g. Int, String, etc.) now implement the corresponding Ptr type e.g. IntPtr,
  StringPtr, etc.). This is consistent with the output of the Go code generator and is much more ergonomic for
  optional inputs than manually converting to pointer types.
  - Add ability to specify all versions when removing a Policy Pack.
  - Breaking change to Policy command: Change enable command to use `pulumi policy enable <org-name>/<policy-pack-name> latest` instead of a `--latest` flag.


- Publish python types for PEP 561
  - Lock dep ts-node to v8.5.4
  - Improvements to `pulumi policy` functionality. Add ability to remove & disable Policy Packs.
  - Breaking change for Policy which is in Public Preview: Change `pulumi policy apply` to `pulumi policy enable`, and allow users to specify the Policy Group.
  - Add Permalink to output when publishing a Policy Pack.
  - Add `pulumi policy ls` and `pulumi policy group ls` to list Policy related resources.
  - Add `BuildNumber` to CI vars and backend metadata property bag for CI systems that have separate ID and a user-friendly number. [3766](
  - Breaking changes for the Go SDK. Complete details are in [3506](


- Fix a panic in `pulumi stack select`.


- Update version of TypeScript used by Pulumi to `3.7.3`.
  - Add support for GOOGLE_CREDENTIALS when using Google Cloud Storage backend.
  export GOOGLE_CREDENTIALS="$(cat ~/service-account-credentials.json)"
  pulumi login gs://my-bucket
  - Support for using `Config`, `getProject()`, `getStack()`, and `isDryRun()` from Policy Packs.
  - Top-level Stack component in the .NET SDK.
  - Add the .NET Core 3.0 runtime to the `pulumi/pulumi` container.
  - Add `pulumi preview` support for `--refresh`, `--target`, `--replace`, `--target-replace` and
  `--target-dependents` to align with `pulumi up`.
  - `ComponentResource`s now have built-in support for asynchronously constructing their children.
  - `Output.apply` (for the JS, Python and .Net sdks) has updated semantics, and will lift dependencies from inner Outputs to the returned Output.
  - Fix bug in determining PRNumber and BuildURL for an Azure Pipelines CI environment.
  - Improvements to `pulumi policy` functionality. Add ability to remove & disable Policy Packs.
  - Breaking change for Policy which is in Public Preview: Change `pulumi policy apply` to `pulumi policy enable`, and allow users to specify the Policy Group.


- Fix [SxS issue]( introduced in 1.7.0 when assigning
  `Output`s across different versions of the `pulumi/pulumi` SDK.


- A Pulumi JavaScript/TypeScript program can now consist of a single exported top level function. This
  allows for an easy approach to create a Pulumi program that needs to perform `async`/`await`
  operations at the top-level.
  // JavaScript
  module.exports = async () => {
  export = async () => {


- Support passing a parent and providers for `ReadResource`, `RegisterResource`, and `Invoke` in the go SDK. [3563](
  - Fix go SDK ReadResource.
  - Fix go SDK DeleteBeforeReplace.
  - Support for setting the `PULUMI_PREFER_YARN` environment variable to opt-in to using `yarn` instead of `npm` for
  installing Node.js dependencies.
  - Fix regression that prevented relative paths passed to `--policy-pack` from working.


- Support for config.GetObject and related variants for Golang.
  - Add support for IgnoreChanges in the go SDK.
  - Support for a `go run` style workflow. Building or installing a pulumi program written in go is
  now optional.
  - Re-apply "propagate resource inputs to resource state during preview, including first-class unknown values." The new
  set of changes have additional fixes to ensure backwards compatibility with earlier code. This allows the preview to
  better estimate the state of a resource after an update, including property values that were populated using defaults
  calculated by the provider.
  - Validate StackName when passing a non-default secrets provider to `pulumi stack init`
  - Add support for go1.13.x
  - `pulumi update --target` and `pulumi destroy --target` will both error if they determine a
  dependent resource needs to be updated, destroyed, or created that was not was specified in the
  `--target` list.  To proceed with an `update/destroy` after this error, either specify all the
  reported resources as `--target`s, or pass the `--target-dependents` flag to allow necessary
  changes to unspecified dependent targets.
  - Support for node 13.x, building with gcc 8 and newer.
  [3512] (
  - Codepaths which could result in a hang will print a message to the console indicating the problem, along with a link
  to documentation on how to restructure code to best address it.
  - `StackReference.getOutputSync` and `requireOutputSync` are deprecated as they may cause hangs on
  some combinations of Node and certain OS platforms. `StackReference.getOutput` and `requireOutput`
  should be used instead.


- `pulumi policy publish` now determines the Policy Pack name from the Policy Pack, and the
  the `org-name` CLI argument is now optional. If not specified; the current user account is
  - Refactor the Output API in the Go SDK.


- Include the .NET language provider in the Windows SDK.


- Gracefully handle errors when resources use duplicate aliases.
  - Use the update token for renew_lease calls and update the API version to 5.
  - Improve startup time performance by 0.5-1s by checking for a newer CLI release in parallel.
  - Add an experimental `pulumi watch` command.


- Adds a **preview** of .NET support for Pulumi. This code is an preview state and is subject
  to change at any point.
  - Fix another colorizer issue that could cause garbled output for messages that did not end in colorization tags.
  - Verify deployment integrity during import and issue an error if verification fails. The state file can still be
  imported by passing the `--force` flag.
  - Omit unknowns in resources in stack outputs during preview.
  - `pulumi update` can now be instructed that a set of resources should be replaced by adding a
  `--replace urn` argument.  Multiple resources can be specified using `--replace urn1 --replace urn2`. In order to
  replace exactly one resource and leave other resources unchanged, invoke `pulumi update --replace urn --target urn`,
  or `pulumi update --target-replace urn` for short.
  - `pulumi stack` now renders the stack as a tree view.
  - Support for lists and maps in config.
  - `ResourceProviderStreamInvoke` implemented, will be the basis for streaming
  APIs in `pulumi query`.


- `FileAsset` in the Python SDK now accepts anything implementing `os.PathLike` in addition to `str`.
  - Fix colorization on Windows 10, and fix a colorizer bug that could cause garbled output for resources with long
  status messages.


- Remove unintentional console outupt introduced in 1.3.3.


- Fix an issue with first-class providers introduced in 1.3.2.


- Fix hangs and crashes related to use of `getResource` (i.e. `aws.ec2.getSubnetIds(...)`) methods,
  including frequent hangs on Node.js 12. This fixes
  and [hangs](
  Some less common existing styles of using `getResource` calls are also deprecated as part of this
  change, and users should see for
  details on adjusting their code if needed.


- Revert "propagate resource inputs to resource state during preview". These changes had a critical issue that needs
  further investigation.


- Propagate resource inputs to resource state during preview, including first-class unknown values. This allows the
  preview to better estimate the state of a resource after an update, including property values that were populated
  using defaults calculated by the provider.
  - Fetch version information from the Homebrew JSON API for CLIs installed using `brew`.
  - Support renaming stack projects via `pulumi stack rename`.
  - Add `helm` to `pulumi/pulumi` Dockerhub container
  - Make the location of `.pulumi` folder configurable with an environment variable.
  [3300]( (Fixes [#2966](
  - `pulumi update` can now be scoped to update a single resource by adding a `--target urn` or `-t urn`
  argument.  Multiple resources can be specified using `-t urn1 -t urn2`.
  - Adds the ability to provide transformations to modify the properties and resource options that
  will be used for any child resource of a component or stack.
  - Add resource transformations support in Python. [3319](


- Support emitting high-level execution trace data to a file and add a debug-only command to view trace data.
  - Fix parsing of GitLab urls with subgroups.
  - `pulumi refresh` can now be scoped to refresh a subset of resources by adding a `--target urn` or
  `-t urn` argument.  Multiple resources can be specified using `-t urn1 -t urn2`.
  - `pulumi destroy` can now be scoped to delete a single resource (and its dependents) by adding a
  `--target urn` or `-t urn` argument.  Multiple resources can be specified using `-t urn1 -t urn2`.
  - Avoid re-encrypting secret values on each checkpoint write. These changes should improve update times for stacks
  that contain secret values.
  - Add Codefresh CI detection.
  - Add `-c` (config array) flag to the `preview` command.


- Fix a bug that caused the Python runtime to ignore unhandled exceptions and erroneously report that a Pulumi program executed successfully.
  - Read operations are no longer considered changes for the purposes of `--expect-no-changes`.
  - Increase the MaxCallRecvMsgSize for interacting with the gRPC server.
  - Do not ask for a passphrase in non-interactive sessions (fix [2758](
  - Support combining the filestate backend (local or remote storage) with the cloud-backed secrets providers (KMS, etc.).
  - Moved `pulumi/pulumi` to target `es2016` instead of `es6`.  As `pulumi/pulumi` programs run
  inside Nodejs, this should not change anything externally as Nodejs already provides es2016
  support. Internally, this makes more APIs available for `pulumi/pulumi` to use in its implementation.
  - Fix the --stack option of the `pulumi new` command.
  ([3131]( fixes [#2880](


- No significant changes.


- Print a Welcome to Pulumi message for users during interactive logins to the Pulumi CLI.
  - Filter the list of templates shown by default during `pulumi new`.


- Fix a crash when using StackReference from the `1.0.0-beta.3` version of
  `pulumi/pulumi` and `1.0.0-beta.2` or earlier of the CLI.
  - Allow Un/MashalProperties to reject Asset and AssetArchive types. (partial fix


- When using StackReference to fetch output values from another stack, do not mark a value as secret if it was not
  secret in the stack you referenced. (fixes [2744](
  - Allow resource IDs to be changed during `pulumi refresh` operations
  - Do not crash when renaming a stack that has never been updated, when using the local backend. (fixes
  - Fix intermittet "NoSuchKey" issues when using the S3 based backend. (fixes [2714](
  - Support filting stacks by organization or tags when using `pulumi stack ls`. (fixes [2712](,
  - Explicitly setting `deleteBeforeReplace` to `false` now overrides the provider's decision.
  - Fail read steps (e.g. the step generated by a call to `aws.s3.Bucket.get()`) if the requested resource does not exist.


- Fix the package version compatibility checks in the NodeJS language host.


- Do not propagate input properties to missing output properties during preview. The old behavior can cause issues that
  are difficult to diagnose in cases where the actual value of the output property differs from the value of the input
  property, and can cause `apply`s to run at unexpected times. If this change causes issues in a Pulumi program, the
  original behavior can be enabled by setting the `PULUMI_ENABLE_LEGACY_APPLY` environment variable to `true`.
  - Fix a bug in the GitHub Actions program preventing errors from being rendered in the Actions log on
  - Fix a bug in the Node.JS SDK that caused failure details for provider functions to go unreported.
  - Fix a bug in the Python SDK that caused crashes when using asynchronous data sources.
  - Fix crash when exporting secrets from a pulumi app
  - Fix a panic in logger when a secret contains non-printable characters
  - Check the uniqueness of the project name during pulumi new


- Retry renaming a temporary folder during plugin installation
  - Add support for additional Pulumi secrets providers using AWS KMS, Azure KeyVault, Google Cloud
  KMS and HashiCorp Vault.  These secrets providers can be configured at stack creation time using
  `pulumi stack init b --secrets-provider="awskms://alias/LukeTesting?region=us-west-2"`, and ensure
  that all encrypted data associated with the stack is encrypted using the target cloud platform
  encryption keys.  This augments the previous choice between using the
  secrets encryption or a fully-client-side local passphrase encryption.
  - Add `Output.concat` to Python SDK [3006](
  - Add `requireOutput` to `StackReference` [3007](
  - Arbitrary values can now be exported from a Python app. This includes dictionaries, lists, class
  instances, and the like. Values are treated as "plain old python data" and generally kept as
  simple values (like strings, numbers, etc.) or the simple collections supported by the Pulumi data model (specifically, dictionaries and lists).
  - Fix `get_secret` in Python SDK always returning None.
  - Make `pulumi.runtime.invoke` synchronous in the Python SDK [3019](
  - Fix a bug in the Python SDK that caused input properties that are coroutines to be awaited twice.
  - Deprecated functions in `pulumi/pulumi` will now issue warnings if you call them.  Please migrate
  off of these functions as they will be removed in a future release.  The deprecated functions are.
  1. `function computeCodePaths(extraIncludePaths?: string[], ...)`.  Use the `computeCodePaths`
  overload that takes a `CodePathOptions` instead.
  2. `function serializeFunctionAsync`. Please use `serializeFunction` instead.


- Fix an error message from the logging subsystem which was introduced in v0.17.26
  - Add support for property paths in `ignoreChanges`, and pass `ignoreChanges` to providers
  [3005]( This allows differences between the actual and desired
  state of the resource that are not captured by differences in the resource's inputs to be ignored (including
  differences that may occur due to resource provider bugs).


- Add `get_object`, `require_object`, `get_secret_object` and `require_secret_object` APIs to Python
  `config` module [2959](
  - Fix unexpected provider replacements when upgrading from older CLIs and older providers
  - Add *Python* support for renaming resources via the `aliases` resource option.  Adding aliases
  allows new resources to match resources from previous deployments which used different names,
  maintaining the identity of the resource and avoiding replacements or re-creation of the resource.
  This was previously added to the *JavaScript* sdk in 0.17.15.


- Support for Dynamic Providers in Python [2900](


- Fix a crash when two different versions of `pulumi/pulumi` are used in the same Pulumi program


- `pulumi new` allows specifying a local path to templates (resolves
  - Fix an issue where a file archive created on Windows would contain back-slashes
  - Fix an issue where output values of a resource would not be present when they
  contained secret values, when using Python.
  - Fix an issue where emojis are printed in non-interactive mode. (fixes
  - Promises/Outputs can now be directly exported as the top-level (i.e. not-named) output of a Stack.
  (fixes [2910](
  - Add support for importing existing resources to be managed using Pulumi. A resource can be imported
  by setting the `import` property in the resource options bag when instantiating a resource. In order to
  successfully import a resource, its desired configuration (i.e. its inputs) must not differ from its
  actual configuration (i.e. its state) as calculated by the resource's provider.
  - Better error message for missing npm on `pulumi new` (fixes [1511](
  - Add the ability to pass a customTimeouts object from the providers across the engine
  to resource management. (fixes [2655](
  Breaking Changes
  - Defer to resource providers in all cases where the engine must determine whether or not a resource
  has changed. Note that this can expose bugs in the resources providers that cause diffs to be
  present even if the desired configuration matches the actual state of the resource: in these cases,
  users can set the `PULUMI_ENABLE_LEGACY_DIFF` environment variable to `1` or `true` to enable the
  old diff behavior. lists the known provider bugs
  exposed by these changes and links to appropriate workarounds or tracking issues.


- Improve update performance in cases where a large number of log messages are
  reported during an update.


- Python SDK fix for a crash resulting from a KeyError if secrets were used in configuration.
  - Fix an issue where a secret would not be encrypted in the state file if it was
  a property of a resource which was used as a stack output (fixes


- SDK fix for crash that could occasionally happen if there were multiple identical aliases to the
  same Resource.


- Engine fix for crash that could occasionally happen if there were multiple identical aliases to
  the same Resource.


- Allow setting backend URL explicitly in `Pulumi.yaml` file
  - `StackReference` now has a `.getOutputSync` function to retrieve exported values from an existing
  stack synchronously.  This can be valuable when creating another stack that wants to base
  flow-control off of the values of an existing stack (i.e. importing the information about all AZs
  and basing logic off of that in a new stack). Note: this only works for importing values from
  Stacks that have not exported `secrets`.
  - When the environment variable `PULUMI_TEST_MODE` is set to `true`, the
  Python runtime will now behave as if
  `pulumi.runtime.settings._set_test_mode_enabled(True)` had been called. This
  mirrors the behavior for NodeJS programs (fixes [2818](
  - Resources that are only 'read' will no longer be displayed in the terminal tree-display anymore.
  These ended up heavily cluttering the display and often meant that programs without updates still
  showed a bunch of resources that weren't important.  There will still be a message displayed
  indicating that a 'read' has happened to help know that these are going on and that the program is making progress.


  - docs(login): escape codeblocks, and add object store state instructions
  - The API for passing along a custom provider to a ComponentResource has been simplified.  You can
  now just say `new SomeComponentResource(name, props, { provider: awsProvider })` instead of `new
  SomeComponentResource(name, props, { providers: { "aws" : awsProvider } })`
  - Fix a bug where the path provided to a URL in `pulumi login` is lost are dropped, so if you `pulumi login
  s3://bucketname/afolder`, the Pulumi files will be inside of `s3://bucketname/afolder/.pulumi` rather than
  `s3://bucketname/.pulumi` (thanks, [bigkraig](!).  **NOTE**: If you have been
  logging in to the s3 backend with a path after the bucket name, you will need to either move the .pulumi
  folder in the bucket to the correct location or log in again without the path prefix to see your previous
  - Fix a crash that would happen if you ran `pulumi stack output` against an empty stack (fixes
  - Unparented Pulumi `CustomResource`s now support calling `.getProvider(...)` on them.


  - Fixed a bug that caused an assertion when dealing with unchanged resources across version upgrades.


  - Pulumi now allows Python programs to "read" existing resources instead of just creating them. This feature enables
  Pulumi Python packages to expose ".get()" methods that allow for reading of resources that already exist.
  - Support for referencing the outputs of other Pulumi stacks has been added to the Pulumi Python libraries via the
  `StackReference` type.
  - Add CI system detection for Bitbucket Pipelines.
  - Pulumi now tolerates changes in default providers in certain cases, which fixes an issue where users would see
  unexpected replaces when upgrading a Pulumi package.
  - Add support for renaming resources via the `aliases` resource option.  Adding aliases allows new resources to match
  resources from previous deployments which used different names, maintaining the identity of the resource and avoiding
  replacements or re-creation of the resource.
  - `pulumi plugin install` gained a new optional argument `--server` which can be used to provide a custom server to be
  used when downloading a plugin.


  - `pulumi refresh` now tries to install any missing plugins automatically like
  `pulumi destroy` and `pulumi update` do (fixes [pulumi/pulumi2669](
  - `pulumi whoami` now outputs the URL of the currently connected backend.
  - Correctly suppress stack outputs when serializing previews to JSON, i.e. `pulumi preview --json --suppress-outputs`.
  Fixes [pulumi/pulumi2765](


  - Fix an issue where creating a first class provider would fail if any of the
  configuration values for the providers were secrets. (fixes [pulumi/pulumi2741](
  - Fix an issue where when using `--diff` or looking at details for a proposed
  updated, the CLI might print text like: `<{%reset%}>
  --outputs:--<{%reset%}>` instead of just `--outputs:--`.
  - Fixes local login on Windows.  Specifically, windows local paths are properly understood and
  backslashes `\` are not converted to `__5c__` in paths.
  - Fix an issue where some operations would fail with `error: could not deserialize deployment: unknown secrets provider type`.
  - Fix an issue where pulumi might try to replace existing resources when upgrading to the newest version of some resource providers.


  - Pulumi now tells you much earlier when the `--secrets-provider` argument to
  `up` `init` or `new` has the wrong value. In addition, supported values are
  now listed in the help text. (fixes [pulumi/pulumi2727](
  - Pulumi no longer prompts for your passphrase twice during operations when you
  are using the passphrase based secrets provider. (fixes [pulumi/pulumi2729](
  - Fix an issue where complex inputs to a resource which contained secret values
  would not be stored correctly.
  - Fix a panic during property diffing when comparing two secret arrays.


Major Changes
  Secrets and Pluggable Encryption
  - The Pulumi engine and Python and NodeJS SDKs now have support for tracking values as "secret" to ensure they are
  encrypted when being persisted in a state file. `[pulumi/pulumi397](`
  Any existing value may be turned into a secret by calling `pulumi.secret(<value>)` (NodeJS) or
  `Output.secret(<value>`) (Python).  In both cases, the returned value is an output which may be passed around
  like any other.  If this value flows into a resource, the plaintext will not be stored in the state file, but instead
  It will be encrypted, just like values added to config with `pulumi config set --secret`.
  You can verify that values are being stored as you expect by running `pulumi stack export`, When values are encrypted
  in the state file, they appear as an object with a special signature key and a ciphertext property.
  When outputs of a stack are secrets, `pulumi stack output` will show `[secret]` as the value, by default.  You can
  pass `--show-secrets` to `pulumi stack output` in order to see the actual raw value.
  - When storing state with the Pulumi Service, you may now elect to use the passphrase based encryption for both secret
  configuration values and values that are encrypted in a state file.  To use this new feature, pass
  `--secrets-provider passphrase` to `pulumi new` or `pulumi stack init` when you initally create the stack. When you
  create the stack, you will be prompted for a passphrase (or if `PULUMI_CONFIG_PASSPHRASE` is set, it will be used).
  This passphrase is used to generate a unique key for your stack, and config values and encrypted state values are
  encrypted using AES-256-GCM. The key is derived from your passphrase, and while information to re-create it when
  provided with your passphrase is stored in both the `Pulumi.<stack-name>.yaml` file and the state file for your stack,
  this information can not be used to recover the key. When using this mode, the Pulumi Service is unable to decrypt
  either your secret configuration values or and secret values in your state file.
  We will be adding gestures to move existing stacks managed by the service to use passphrase based encryption soon
  as well as gestures to change the passphrase for an existing stack.
  ** Note **
  Stacks with encrypted secrets in their state files can only be managed by 0.17.11 or later of the CLI. Attempting
  to use a previous version of the CLI with these stacks will result in an error.
  Fixes 397
  - Add support for Azure Pipelines in CI environment detection.
  - Minor fix to how Azure repository information is extracted to allow proper grouping of Azure
  repositories when various remote URLs are used to pull the repository.


  - Fixes issue introduced in 0.17.9 where local-login broke on Windows due to the new support for
  `s3://`, `azblob://` and `gs://` save locations.
  - Minor contributing document improvement.
  - Warnings from `npm` about missing description, repository, and license fields in package.json are
  now suppressed when `npm install` is run from `pulumi new` (via `npm install --loglevel=error`).
  - Depend on newer version of gRPC package in the NodeJS SDK. This version has
  prebuilt binaries for Node 12, which should make installing `pulumi/pulumi`
  more reliable when running on Node 12.


  - `pulumi login` now supports `s3://`, `azblob://` and `gs://` paths (on top of `file://`) for
  storing stack information. These are passed the location of a desired bucket for each respective
  cloud provider (i.e. `pulumi login s3://mybucket`).  Pulumi artifacts (like the
  `xxx.checkpoint.json` file) will then be stored in that bucket.  Credentials for accessing the
  bucket operate in the normal manner for each cloud provider.  i.e. for AWS this can come from the
  environment, or your `.aws/credentials` file, etc.
  - The pulumi version update check can be skipped by setting the environment variable
  `PULUMI_SKIP_UPDATE_CHECK` to `1` or `true`.
  - Fix an issue where the stack would not be selected when an existing stack is specified when running
  `pulumi new <template> -s <existing-stack>`.
  - Add a `--json` flag (`-j` for short) to the `preview` command. This allows basic serialization of a plan,
  including the anticipated set of deployment steps, list of diagnostics messages, and summary information.
  Each step includes deeply serialized information about the resource state and step metadata itself. This
  is part of ongoing work tracked in [pulumi/pulumi2390](


  - Add a new `ignoreChanges` option to resource options to allow specifying a list of properties to
  ignore for purposes of updates or replacements.  [2657](
  - Fix an engine bug that could lead to incorrect interpretation of the previous state of a resource leading to
  unexpected Update, Replace or Delete operations being scheduled. [2650]
  - Build/push `pulumi/actions` container to [DockerHub]( with new SDK releases [#2646](


  - A new "test mode" can be enabled by setting the `PULUMI_TEST_MODE` environment variable to
  `true` in either the Node.js or Python SDK. This new mode allows you to unit test your Pulumi programs
  using standard test harnesses, without needing to run the program using the Pulumi CLI. In this mode, limited
  functionality is available, however basic resource object allocation with input properties will work.
  Note that no actual engine operations will occur in this mode, and that you'll need to use the
  `PULUMI_CONFIG`, `PULUMI_NODEJS_PROJECT`, and `PULUMI_NODEJS_STACK` environment variables to control settings
  the CLI would have otherwise managed for you.


  - `refresh` will now warn instead of returning an error when it notices a resource is in an
  unhealthy state. This is in service of


  - Correctly handle the case where we would fail to detect an archive type if the filename included a dot in it. (fixes [pulumi/pulumi2589](
  - Make `Config`'s constructor's `name` argument optional in Python, for consistency with our Node.js SDK. If it isn't
  supplied, the current project name is used as the default.
  - `pulumi logs` will now display log messages from Google Cloud Functions.


  - Don't print the `error:` prefix when Pulumi exists because of a declined confirmation prompt (fixes [pulumi/pulumi458](
  - Fix issue where `Outputs` produced by `pulumi.interpolate` might have values which could
  cause validation errors due to them containing the text `<computed>` during previews.


  - A new command, `pulumi stack rename` was added. This allows you to change the name of an existing stack in a project. Note: When a stack is renamed, the `pulumi.getStack` function in the SDK will now return a new value. If a stack name is used as part of a resource name, the next `pulumi up` will not understand that the old and new resources are logically the same. We plan to support adding aliases to individual resources so you can handle these cases. See [pulumi/pulumi458]( for discussion on this new feature. For now, if you are unwilling to have `pulumi up` create and destroy these resources, you can rename your stack back to the old name. (fixes [pulumi/pulumi#2402](
  - Fix two warnings that were printed when using a dynamic provider about missing method handlers.
  - A bug in the previous version of the Pulumi CLI occasionally caused the Pulumi Engine to load the incorrect resource
  plugin when processing an update. This bug has been fixed in 0.17.3 by performing a deterministic selection of the
  best set of plugins available to the engine before starting up. See
  - Add support for serializing JavaScript function that capture [BigInts](
  - Support serializing arrow-functions with deconstructed parameters.


  - Show `brew upgrade pulumi` as the upgrade message when the currently running `pulumi` executable
  is running on macOS from the brew install directory.
  - Resource diffs that are rendered to the console are now filtered to properties that have semantically-meaningful
  changes where possible.
  - `pulumi new` no longer runs an initial deployment after a project is generated for nodejs projects.
  Instead, instructions are printed indicating that `pulumi up` can be used to deploy the project.
  - Differences between the state of a refreshed resource and the state described in a Pulumi program are now properly
  detected when using newer providers.
  - Differences between a resource's provider-internal properties are no longer displayed in the CLI.
  - Pulumi will now install missing plugins on startup. Previously, Pulumi would error if a required plugin was not
  present and a bug in the Pulumi CLI made it common for users using Pulumi in their continuous integration setup to have problems with missing plugins. Starting with 0.17.2, if Pulumi detects that required plugins are missing, it will make an attempt to install the missing plugins before proceeding with the update.


  - Slight tweak to `Output.apply` signature to help TypeScript infer types better.


This update includes several changes to core `pulumi/pulumi` constructs that will not play nicely
  in side-by-side applications that pull in prior versions of this package.  As such, we are rev'ing
  the minor version of the package from 0.16 to 0.17.  Recent version of `pulumi` will now detect,
  and warn, if different versions of `pulumi/pulumi` are loaded into the same application.  If you
  encounter this warning, it is recommended you move to versions of the `pulumi/...` packages that
  are compatible.  i.e. keep everything on 0.16.x until you are ready to move everything to 0.17.x.
  - `Output<T>` now 'lifts' property members from the value it wraps, simplifying common coding patterns.
  For example:
  interface Widget { text: string, x: number, y: number };
  var v: Output<Widget>;
  var widgetX = v.x;
  // `widgetX` has the type Output<number>.
  // This is equivalent to writing `v.apply(w => w.x)`
  Note: this 'lifting' only occurs for POJO values.  It does not happen for `Output<Resource>`s.
  Similarly, this only happens for properties.  Functions are not lifted.
  - Depending on a **Component** Resource will now depend on all other Resources parented by that
  Resource. This will help out the programming model for Component Resources as your consumers can
  just depend on a Component and have that automatically depend on all the child Resources created
  by that Component.  Note: this does not apply to a **Custom** resource.  Depending on a
  CustomResource will still only wait on that single resource being created, not any other Resources
  that consider that CustomResource to be a parent.


- Rolled back change where calling toString/toJSON on an Output would cause a message
  to be logged to the `pulumi` diagnostics stream.


- Fix an issue where the Pulumi CLI would load the newest plugin for a resource provider instead of the version that was
  requested, which could result in the Pulumi CLI loading a resource provider plugin that is incompatible with the
  program. This has the potential to disrupt users that previously had working configurations; if you are experiencing
  problems after upgrading to 0.16.17, you can opt-in to the legacy plugin load behavior by setting the environnment
  variable `PULUMI_ENABLE_LEGACY_PLUGIN_SEARCH=1`. You can also install plugins that are missing with the command
  `pulumi plugin install resource <name> <version> --exact`.
  - Attempting to convert an [Output<T>] to a string or to JSON will now result in a warning
  message being printed, as well as information on how to rectify the situation.  This is
  to help with diagnosing cryptic problems that can occur when Outputs are accidentally
  concatenated into a string in some part of the program.
  - Fixes incorrect closure serialization issue (
  - `pulumi` will now check that all versions of `pulumi/pulumi` are compatible in your node_modules
  folder, and will issue a warning message if not.  To be compatible, the versions of
  `pulumi/pulumi` must agree on their major and minor versions.  Running incompatible versions is
  not something that will be blocked, but it is discouraged as it may lead to subtle problems if one
  version of `pulumi/pulumi` is loaded and passes objects to/from an incompatible version.


  - Rolling back the change:
  "Depending on a Resource will now depend on all other Resource's parented by that Resource."
  Unforeseen problems cropped up that caused deadlocks.  Removing this change until we can
  have a high quality solution without these issues.


  - Fix deadlock with resource dependencies (


  - When trying to `stack rm` a stack managed by that has resources, the error message now informs you to pass `--force` if you really want to remove a stack that still has resources under management, as this would orphan these resources (fixes [pulumi/pulumi2431](
  - Enabled Python programs to delete resources in parallel (fixes [pulumi/pulumi2382]( If you are using Python 2, you should upgrade to Python 3 or else you may experience problems when deleting resources.
  - Fixed an issue where Python programs would occasionally fail during preview with errors about empty IDs being passed
  to resources. ([pulumi/pulumi2450](
  - Return an error from `pulumi stack tag` commands when using the `--local` mode.
  - Depending on a Resource will now depend on all other Resource's parented by that Resource.
  This will help out the programming model for Component Resources as your consumers can just
  depend on a Component and have that automatically depend on all the child Resources created
  by that Component.


  - Fix a regression in `pulumi/pulumi` introduced by 0.16.13 where an update could fail with an error like:
  pulumi:pulumi:Stack (my-great-stack):
  TypeError: resproto.InvokeRequest is not a constructor
  at Object.<anonymous> (.../node_modules/pulumi/pulumi/runtime/invoke.js:58:25)
  at (<anonymous>)
  at fulfilled (.../node_modules/pulumi/pulumi/runtime/invoke.js:17:58)
  at <anonymous>
  We appologize for the regression.  (fixes [pulumi/pulumi2414](
  - Individual resources may now be explicitly marked as requiring delete-before-replace behavior. This can be used e.g. to handle explicitly-named resources that may not be able to be replaced in the usual manner.


Major Changes
  - When used in conjunction with the latest versions of the various language SDKs, the Pulumi CLI is now more precise about the dependent resources that must be deleted when a given resource must be deleted before it can be replaced (fixes [pulumi/pulumi2167](
  **NOTE**: As part of the above change, once a stack is updated with v0.16.13, previous versions of `pulumi` will be unable to manage it.
  - Issue a more prescriptive error when using StackReference and the name of the stack to reference is not of the form `<organization>/<project>/<stack>`.


Major Changes
  - When using the cloud backend, stack names now must only be unique within a project, instead of across your entire account. Starting with version of 0.16.12 the CLI, you can create stacks with duplicate names. If an account has multiple stacks with the same name across different projects, you must use 0.16.12 or later of the CLI to manage them.
  **BREAKING CHANGE NOTICE**: As part of the above change, when using the 0.16.12 CLI (or a later version) the names passed to `StackReference` must be updated to be of the form (`<organization>/<project>/<stack>`) e.g. `acmecorp/infra/dev` to refer to the `dev` stack of the `infra` project in the `acmecorp` organization.
  - Add `--json` to `pulumi config`, `pulumi config get`, `pulumi history` and `pulumi plugin ls` to request the output be in JSON.
  - Changes to `pulumi new`'s output to improve the experience.


  - In the nodejs SDK, `pulumi.interpolate` and `pulumi.concat` have been added as convenient ways to combine Output values into strings.
  - Added `pulumi history` to show information about the history of updates to a stack.
  - When creating a project with `pulumi new` the generated `Pulumi.yaml` file no longer contains the template section, which was unused after creating a project
  - In the Python SDK, the `is_dry_run` function just always returned `true`, even when an update (and not a preview) was being preformed. This has been fixed.
  - Python programs will no longer deadlock due to exceptions in functions run during applies.


  - Support for first-class providers in Python.
  - Fix a bug where `StackReference` outputs were not updated when changes occured in the referenced stack.
  - Added `pulumi stack tag` commands for managing stack tags stored in the cloud backend.
  - Link directly to /account/tokens when prompting for an access token.
  - Exporting a Resource from an application Stack now exports it as a rich recursive pojo instead of just being an opaque URN (fixes


  - Update the error message when When `pulumi` commands fail to detect your project to mention that `pulumi new` can be used to create a new project (fixes [pulumi/pulumi2234](
  - Added a `--stack` argument (short form `-s`) to `pulumi stack`, `pulumi stack init`, `pulumi state delete` and `pulumi state unprotect` to allow operating on a different stack than the currently selected stack. This brings these commands in line with the other commands that operate on stacks and already provided a `--stack` option (fixes [pulumi/pulumi1648](
  - Added `Output.all` and `Output.from_input` to the Python SDK.
  - During previews and updates, read operations (i.e. calls to `.get` methods) are no longer shown in the output unless they cause any changes.
  - Fix a performance regression where `pulumi preview` and `pulumi up` would hang for a few moments at the end of a preview or update, in addition to the overall operation being slower.


  - Fix an issue that caused panics due to shutting the Jaeger tracing infrastructure down before all traces had finished ([pulumi/pulumi1850](


  - Configuration and stack commands now take a `--config-file` options. This option allows the user to override the file used to fetch and store config information for a stack during the execution of a command.
  - Fix an issue where ANSI escape codes would appear in messages printed from the CLI when running on Windows.
  - Fix an error about a bad icotl when trying to read sensitive input from the console and standard in was not connected to a terminal.
  - The dynamic provider would fail to launch if your `node_modules` folder was non in the default location or had a non standard layout. This has been fixed so we correctly find your `node_modules` folder in the same way node does. (fixes [pulumi/pulumi2261](


Major Changes
  - When running a Python program, pulumi will now run `python3` instead of `python`, since `python` often points at Python 2.7 binary, and Pulumi requires Python 3.6 or later. The environment variable `PULUMI_PYTHON_CMD` can be used to provide a different binary to run.
  - Allow `Output`s in the dependsOn property of `ResourceOptions` (fixes [pulumi/pulumi991](
  - Add a new `StackReference` type to the node SDK which allows referencing an output of another stack (fixes [pulumi/pulumi109](
  - Fix an issue where `pulumi` would not respect common `NO_PROXY` settings (fixes [pulumi/pulumi2134](
  - The CLI wil now correctly report any output from a Python program which writes to `sys.stderr` (fixes [pulumi/pulumi1542](
  - Don't install packages by default for Python projects when creating a new project from a template using `pulumi new`. Previously, `pulumi` would install these packages using `pip install` and they would be installed globally when `pulumi` was run outside a virtualenv.
  - Fix an issue where `pulumi` could panic during a peview when using a first class provider which was constructed using an output property of another resource (fixes [pulumi/pulumi2223](
  - Fix an issue where `pulumi` would fail to load resource plugins for newer dev builds.
  - Fix an issue where running two copies of `pulumi plugin install` in parallel for the same plugin version could cause one to fail with an error about renaming a directory.
  - Fix an issue where if the directory containing the `pulumi` executable was not on the `$PATH` we would fail to load language plugins. We now will also search next to the current running copy of Pulumi (fixes [pulumi/pulumi1956](
  - Fix an issue where passing a key of the form `foo:config:bar:baz` to `pulumi config set` would succeed but cause errors later when trying to interact with the stack. Setting this value is now blocked eagerly (fixes [pulumi/pulumi2171](


  - Fix an issue where `pulumi plugin install` would fail on Windows with an access deined message.


Major Changes
  - If you're using Pulumi with Python, this release removes Python 2.7 support in favor of Python 3.6 and greater. In addition, some members have been renamed. For example the `stack_output` function has been renamed to `export`. All major features of Pulumi work with this release, including parallelism!
  - Download plugins to a temporary folder during `pulumi plugin install` to ensure if the operation is canceled, the have downloaded plugin is not used.
  - If an update is in progress when `pulumi stack ls` is run, don't show its last update time as "a long time ago".
  - Add `--preserve-config` to `pulumi stack rm` which causes Pulumi to keep the `Pulumi.<stack-name>.yaml` when removing a stack.
  - Support passing template names to `pulumi up` the same as `pulumi new` does.
  - When `-g` or `--generate-only` is passed to `pulumi new`, don't show a confusing message that says it will update a stack.
  - Fix an issue where an output property of a resource would change its type during an update in some cases.
  - Provide richer detail on the properties during a multi-stage replace.
  - Fix `pulumi logs` so it can collect log messages from Lambdas on AWS.
  - Pulumi now reports metadata during CI runs on CircleCI, for later display on
  - Fix an assert that could fire if a checkpoint had multiple resources with the same URN (which could happen in cases where a delete operation was pending on an old copy of a resource).
  - When `$TERM` is set to `dumb`, Pulumi should no longer try to use interactive reading from the terminal, which would fail.
  - When displaying elapsed time for an update, round to the nearest second.
  - Add the `--json` flag to the `pulumi logs` command.
  - Add an `iterable` module to `pulumi/pulumi` with two helpful combinators `toObject` and `groupBy` to help combine multiple `Output<T>`'s into a single object.
  - Pulumi no longer prompts you for confirmation when `--skip-preview` is passed to `pulumi up`. Instead, it just preforms the update as requested.
  - Add the `--json` flag to the `pulumi stack ls` command.
  - The `--color=always` flag should now be respected in all cases.
  - Pulumi now reports metadata about GitLab repositories when doing an update, so they can be shown on
  - Pulumi now uses compression when uploading your checkpoint file to the Pulumi service, which should speed up updates where your stack has many resources.
  - "First Class" providers used to be shown as changing during previews. This is no longer the case.


  - Fully support Node 11 [pulumi/pulumi2101](


  - Fix a regression that would cause resource operations to not be processed in parallel when using the latest CLI with a `pulumi/pulumi` older than 0.16.1 [pulumi/pulumi2123](
  - Fail with a better error message (and in fewer cases) on Node 11. We hope to have complete support for Node 11 later this week, but for now recommend using Node 10 or earlier. [pulumi/pulumi2098](


  - A new top-level CLI command “pulumi state” was added to assist in making targeted edits to the state of a stack. Two subcommands, “pulumi state delete” and “pulumi state unprotect”, can be used to delete or unprotect individual resources respectively within a Pulumi stack. [pulumi/pulumi2024](
  - Default to allowing as many parallel operations as possible [pulumi/pulumi2065](
  - Fixed an issue with the generated type for an Unwrap expression when using TypeScript [pulumi/pulumi2061](
  - Improve error messages when resource plugins can't be loaded or when a checkpoint is invalid [pulumi/pulumi2078](
  - Fix link to the Pulumi Web Console in the CLI for a stack [pulumi/pulumi2075](
  - Attach git commit metadata to Pulumi updates in some additional cases [pulumi/pulumi2062]( and [pulumi/pulumi#2069](


Major Changes
  Improvements to CLI output
  Default colors that fit better for both light and dark terminals.  Overall updates to rendering of previews/updates for consistency and simplicity of the display.
  Parallelized resource deletion
  Parallel resource creation and updates were added in `0.15`.  In `0.16`, this has been extended to include deletions, which are now conservatively parallelized based on dependency information. [pulumi/pulumi1963](
  Support for any CI system in the Pulumi GitHub App
  The Pulumi GitHub App previously supported just TravisCI.  With this release the `pulumi` CLI now supports configurable CI providers via environment variables.  Thanks [jen20](!
  In addition to the above features, we've made a handfull of day to day improvements in the CLI:
  - Support for `zsh` completions. Thanks to [Tirke](!) [pulumi/pulumi#1967](
  - JSON formatting support for `pulumi stack output`. [pulumi/pulumi2000](
  - Added a `Dockerfile` for the Pulumi CLI and development environment for use in hosted environments.
  - Many improvements for Go development.  Thanks to [justone](!. [pulumi/pulumi#1954]( [pulumi/pulumi#1955]( [pulumi/pulumi#1965](
  - Extend `pulumi.output` to deeply unwrap `Input`s.  This significantly simplifies working with `Inputs` when building Pulumi components.  [pulumi/pulumi1915](


  - Fix an assert in display code when a resource property transitions from an asset to an archive or the other way around


  - Improved performance of `pulumi stack ls`
  - Fix build authoring so the dynamic provider works for the CLI built by Homebrew (thanks to **[Tirke](**!)


Major Changes
  Major features of this release include:
  Ephemeral status messages
  Providers are now able to register "ephmeral" update messages which are shown in the "Info" column in the CLI during an update, but which are not printed at the end of the update. The new version of the `pulumi/kubernetes` package uses this when printing messages about resource initialization.
  Local backend
  The local backend (which stores your deployment's state file locally, instead of on has been improved. You can now use `pulumi login --local` or `pulumi login file://<path-to-storage-root>` to select the local backend and control where state files are stored. In addition, older versions of the CLI would behave slightly differently when using the local backend vs, for example, some operations would not show previews before running.  This has been fixed.  When using the local backend, updates print the on disk location of the checkpoint file that was written. The local backend is covered in more detail in [here](
  `pulumi refresh`
  We've made a bunch of improvements in `pulumi refresh`. Some of these improve the UI during a refresh (for example, clarifying text about the underyling operations) as well fixing bugs with refreshing certain types of objects (for example CloudFront CDNs).
  `pulumi up` and `pulumi new`
  You can now pass a URL to a Git repository to `pulumi up <url>` to deploy a project without having to manage its source code locally. This works like `pulumi new <url>`, but configures and deploys the project from a temporary directory that will be cleaned up automatically after the update.
  `pulumi new` now outputs an error when the current working directory (or directory specified explicitly via the `--dir` flag) is not empty. Additionally, `pulumi new` now runs a preview of an initial update at the end of its operation and asks if you would like to perform the update.
  Both `pulumi up` and `pulumi new` now support `-c` flags for specifying config values as arguments (e.g. `pulumi up <url> -c aws:region=us-east-1`).
  In addition to the above features, we've made a handfull of day to day improvements in the CLI:
  - Support `pulumi` in a projects in a Yarn workspaces. [pulumi/pulumi1893](
  - Improve error message when there are errors decrypting secret configuration values. [pulumi/pulumi1815](
  - Don't fail `pulumi up` when plugin discovery fails. [pulumi/pulumi1745](
  - New helpers for extracting and validating values from `pulumi.Config`. [pulumi/pulumi1843](
  - Support serializng "factory" functions. [pulumi/pulumi1804](


Major Changes
  Pulumi now performs resource creates and updates in parallel, driven by dependencies in the resource graph. (Parallel deletes are coming in a future release.) If your program has implicit dependencies that Pulumi does not already see as dependencies, it's possible parallel will cause ordering issues. If this happens, you may set the `dependsOn` on property in the `resourceOptions` parameter to any resource. By default, Pulumi allows 10 parallel operations, but the `-p` flag can be used to override this. `-p=1` disables parallelism altogether. Parallelism is supported for Node.js and Go programs, and Python support will come in a future release.
  First Class Providers
  Pulumi now allows creation and configuration of resource providers programmatically. In addition to the default provider instance for each resource, you can also create an explicit version of the provider and configure it explicitly. This can be used to create some resources in a different region from your main deployment, or deploy resources to a programmatically configured Kubernetes cluster, for example. We have [a multi-region deployment example]( for illustrative purposes.
  Status Rich Updates
  The Pulumi CLI is now able to report more detailed information from individual resources during an update. This is used, for instance, in the Kubernetes provider, to provide incremental progress output for steps that may take a while to comeplete (such as deployment orchestration). We anticipate leveraging this feature in more places over time.
  Improved Templating Support
  You can now pass a URL to a Git repository to `pulumi new` to install a custom template, enabling you to share common templates across your team. If you pass a simple name, or omit arguments altogether, `pulumi new` behaves as before, using the [templates hosted by Pulumi](
  Native TypeScript support
  By default, Pulumi now natively supports TypeScript, so you do not need to run `tsc` explicitly before deploying. (We often forget to do this too!) Simply run `pulumi up`, and the program will be recompiled on the fly before running it.
  To use this new support, upgrade your `pulumi/pulumi` version to 0.15.0, in addition to the CLI. Pulumi prefers JavaScript source to TypeScript source, so if you had been using TypeScript previously, we recommend you make the following changes:
  1. Remove the `main` and `typings` directives from `package.json`, as well as the `build` script.
  2. Remove the `bin` folder that contained your previously compiled code.
  3. You may remove the dependency on `typescript` from your `package.json` as well, since `pulumi/pulumi` has one.
  While a `tsconfig.json` file is no longer required, as Pulumi uses intelligent defaults, other tools like VS Code behave
  better when it is present, so you'll probably want to keep it.
  Closure capturing improvements
  We've improved our closure capturing logic, which should allow you to write more idiomatic code in lambda functions that are uploaded to the cloud. Previously, if you wanted to use a module, we required you to write either `require('module')` or `await import('module')` inside your lambda function. In addition, if you wanted to use a helper you defined in another file, you had to require that module in your function as well. With these changes, the following code now works:
  import * as axios from "axios";
  import * as cloud from "pulumi/cloud-aws";
  const api = new cloud.API("api");
  api.get("/", async (req, res) => {
  const statusText = (await axios.default.get("")).statusText;
  res.write(`GET == ${statusText}`).end();
  Default value for configuration package
  The `pulumi.Config` object can now be created without an argument. When no argument is supplied, the value of the current project is used. This means that application level code can simply do `new pulumi.Confg()` without passing any argument. For library authors, you should continue to pass the name of your package as an argument.
  Pulumi GitHub App (preview)
  The Pulumi GitHub application bridges the gap between GitHub (source code, pull requests) and Pulumi (cloud resources, stack updates). By installing
  the Pulumi GitHub application into your GitHub organization, and then running Pulumi as part of your CI build process, you can now see the results of
  stack updates and previews as part of pull requests. This allows you to see the potential impact a change would have on your cloud infrastructure before
  merging the code.
  The Pulumi GitHub application is still in preview as we work to support more CI systems and provide richer output. For information on how to install the
  GitHub application and configure it with your CI system, please [visit our documentation]( page.
  - The CLI no longer emits warnings if it can't detect metadata about your git enlistement (for example, what GitHub project it coresponds to).
  - The CLI now only warns about adding a plaintext configuration in cases where it appears likely you may be storing a secret.


  - Support empty text assets ([pulumi/pulumi1599](
  - When printing message in non-interactive mode, do not keep printing out the worst diagnostic ([pulumi/pulumi1640]( When run in non interactive environments (e.g. docker) Pulumi would print duplicate messages to the screen related to a resource when the running Pulumi program was writing to standard out (e.g. if it was invoking a docker build). This no longer happens. The full output from the program continues to be printed at the end of execution.
  - Work around a potentially bad assert in the engine ([pulumi/pulumi1640]( In some cases, when Pulumi failed to delete a resource as part of an update, future updates would crash with an assert message. This is no longer the case and Pulumi will try to delete the resource it had marked as should be deleted.
  - Print out a 'still working' message every 20 seconds when in non-interactive mode ([pulumi/pulumi1616]( When Pulumi is waiting for a long running resource operation to create (e.g. waiting for an ECS service to become stable after creation), print some output to the console even when running non-interactively. This helps for cases like TravsCI where if output is not written for a while the job is assumed to have hung and is aborted.
  - Support the NO_COLOR env variable to suppress any colored output ([pulumi/pulumi1594]( Pulumi now respects the `NO_COLOR` environment variable. When set to a truthy value, colors are suppressed from the CLI. In addition, the `--color` flag can now be passed to all `pulumi` commands.


  - Support -s in `stack {export, graph, import, output}` ([pulumi/pulumi1572]( `pulumi stack export`, `pulumi stack graph`, `pulumi stack import` and `pulumi stack output` now support a `-s` or `--stack` flag, which allows them to operate on a different stack that the currently selected one.


  - Add `pulumi whoami` ([pulumi/pulumi1572]( `pulumi whoami` will report the account name of the current logged in user. In addition, we now display the name of the current user after `pulumi login`.
  - Don't require `PULUMI_DEBUG_COMMANDS` to be set to use local backend ([pulumi/pulumi1575](
  - Improve misleading `pulumi new` summary message ([pulumi/pulumi1571](
  - Fix printing out outputs in a pulumi program ([pulumi/pulumi1531]( Pulumi now shows the values of output properties after a `pulumi up` instead of requiring you to run `pulumi stack output`.
  - Do a better job preventing serialization of unnecessary objects in closure serialization ([pulumi/pulumi1543](  We've improved our analysis when serializing functions. This yeilds smaller code when a function is serialized and prevents errors around unused native code being captured in some cases.


  - Publish to ([pulumi/pulumi1497]( Pulumi packages are now public on!
  - Add optional `--dir` flag to `pulumi new` ([pulumi/pulumi1459]( The `pulumi new` command now has an optional flag `--dir`, for the directory to place the generated project. If it doesn't exist, it will be created.
  - Support Pulumi programs written in Go ([pulumi/pulumi1456]( Initial version for Pulumi programs written in Go. While it is not complete, basic resource registration works.
  - Allow overriding config location ([pulumi/pulumi1379]( Support a new `config` member in `Pulumi.yaml`, which specifies a relative path to a folder where per-stack configuration is stored. The path is relative to the location of `Pulumi.yaml` itself.
  - Delete existing resources before replacing, for resources that must be singletons ([pulumi/pulumi1365]( For resources where the cloud vendor does not allow multiple resources to exist, such as a mount target in EFS, Pulumi now deletes the existing resource before creating a replacement resource.
  - Compute required packages during closure serialization ([pulumi/pulumi1457]( Closure serialization now keeps track of the `require`'d packages it sees in the function bodies that are serialized during a call to `serializeFunction`. So, only required packages are uploaded to Lambda.
  - Support browser based logins to the CLI ([pulumi/pulumi1439]( The Pulumi CLI now has an option to login via a browser. When you are prompted for an access token, you can just hit enter. The CLI then opens a browser to []( so that you can authenticate.
  - Support better previews in Python by mocking out Unknown values ([pulumi/pulumi1482]( During the preview phase of a deployment, computed values were `Unknown` in Python, causing the preview to be empty. This issue is now resolved.
  - Issue a better error message if you capture a V8 intrinsic ([pulumi/pulumi1423]( It's possible to accidentally take a dependency on a Pulumi deployment-time library, which causes problems when creating a runtime function for AWS Lambda. There is now a better error message when this situation occurs.


  - Improve the promise leak experience ([pulumi/pulumi1374]( Fixes an issue where a promise leak could be erroneously reported. Also, show simple error message by default, unless the environment variable `PULUMI_DEBUG_PROMISE_LEAKS` is set.


  - A new all-in-one installer script is now available at [](
  - Many enhancements to `pulumi new` ([pulumi/pulumi1307](  The command now interactively walks through creating everything needed to deploy a new stack, including selecting a template, providing a name, creating a stack, setting default configuration, and installing dependencies.
  - Several improvements to the `pulumi up` CLI experience ([pulumi/pulumi1260]( a tree view display, more details from logs during deployments, and rendering of stack outputs at the end of updates.
  - (**Breaking**) Remove the `--preview` flag in `pulumi up`, in favor of reintroducing `pulumi preview` ([pulumi/pulumi1290]( Also, to accept an update without the interactive prompt, use the `--yes` flag, rather than `--force`.
  - Significant performance improvements for `pulumi up` ([pulumi/pulumi1319](
  - JavaScript `async` functions in Node 7.6+ now work with Pulumi function serialization ([pulumi/pulumi1311](
  - Support installation on Windows in folders which contain spaces in their name ([pulumi/pulumi1300](


  - Add a `pulumi cancel` command ([pulumi/pulumi1230]( This command cancels any in-progress operation for the current stack.
  - (**Breaking**) Eliminate `pulumi init` requirement ([pulumi/pulumi1226]( The `pulumi init` command is no longer required and should not be used for new stacks. For stacks created prior to the v0.12.0 SDK, `pulumi init` should still be run in the project directory if you are connecting to an existing stack. For new projects, stacks will be created under the currently logged in account. After upgrading the CLI, it is necessary to run `pulumi stack select`, as the location of bookkeeping files has been changed. For more information, see [Creating Stacks](
  - (**Breaking**) Remove the explicit 'pulumi preview' command ([pulumi/pulumi1170]( The `pulumi preview` output has now been merged in to the `pulumi up` command. Before an update is run, the preview is shown and you can choose whether to proceed or see more update details. To see just the preview operation, run `pulumi up --preview`.
  - Switch to a more streamlined view for property diffs in `pulumi up` ([pulumi/pulumi1212](
  - Allow multiple versions of the `pulumi/pulumi` package to be loaded ([pulumi/pulumi1209]( This allows packages and dependencies to be versioned independently.
  - When running a `pulumi up` or `destroy` operation, a single ctrl-c will cancel the current operation, waiting for it to complete. A second ctrl-c will terminate the operation immediately. ([pulumi/pulumi1231](
  - When getting update logs, get all results ([pulumi/pulumi1220]( Fixes a bug where logs could sometimes be truncated in the console.


- Switch to a resource-progress oriented view for pulumi preview, update, and destroy operations ([pulumi/pulumi1116]( The operations `pulumi preview`, `update` and `destroy` have far simpler output by default, and show a progress view of ongoing operations. In addition, there is a structured component view, showing a parent operation as complete only when all child resources have been created.
  - Remove strict dependency on Node v6.10.x ([pulumi/pulumi1139]( It is now no longer necessary to use a specific version of Node to run Pulumi programs. Node versions after 6.10.x are supported, as long as they are under **Active LTS** or are the **Current** stable release.


  - (Breaking) Require `pulumi login` before commands that need a backend ([pulumi/pulumi1114]( The `pulumi` CLI now requires you to log in to for most operations.
  - Improve the error message arising from missing required configurations for resource providers ([pulumi/pulumi1097]( The error message now prints all missing configuration keys, along with their descriptions.


  - Add a `pulumi new` command to scaffold a project ([pulumi/pulumi1008]( Usage is `pulumi new [templateName]`. If template name is not specified, the CLI will prompt with a list of templates. Currently, the templates `javascript`, `python` and `typescript` are available. Templates are defined in the GitHub repo [pulumi/templates]( and contributions are welcome!
  - Python is now a supported language in Pulumi ([pulumi/pulumi800]( For more information, see [Python documentation](
  - (Breaking) Change the way that configuration is stored ([pulumi/pulumi986]( To simplify the configuration model, there is no longer a separate notion of project and workspace settings, but only stack settings. The switches `--all` and `--save` are no longer supported; any common settings across stacks must be set on each stack directly. Settings for a stack are stored in a file that is a sibling to `Pulumi.yaml`, named `Pulumi.<stack-name>.yaml`. On first run `pulumi`, will migrate projects from the previous configuration format to the new one. The recommended practice is that developer stacks that are not shared between team members should be added to `.gitignore`, while stack setting files for shared stacks should be checked in to source control. For more information, see the section [Defining and setting stack settings](
  - (Breaking) Eliminate the superfluous `:config` part of configuration keys ([pulumi/pulumi995]( `pulumi` no longer requires configuration keys to have the string `:config` in them. Using the `:config` string in keys for the object `pulumi/pulumi.Config` is deprecated and `preview` and `update` show warnings when it is used. Additionally, it is preferred to set keys in the form `aws:region` rather than `aws:config:region`. For compatibility, the old behavior is also supported, but will be removed in a future release. For more information, see the article [Configuration](
  - (Breaking) Modules are treated as normal values when serialized ([pulumi/pulumi1030]( If you need to use a module at runtime, consider either using `require` or `await import` at runtime, or pre-compute what you need and capture the resulting data or objects.
  <!-- NOTE: the programming-model article below is still all todos. -->
  - (Breaking) Serialize resource registration after inputs resolve ([pulumi/pulumi964]( Previously, resources were most often created/updated in the order they were seen during the Pulumi program execution. In preparation for supporting parallel resource operations, these operations now run in an order that respects the dependencies between resources (via [`Output`](, but may not match the order of program execution. This is mostly transparent to Pulumi program authors, but does mean that any missing dependencies will cause your program to fail in unexpected ways. For more information on how such failures manifest and what to do about them, see the article [Programming Model](
  - Hide secrets from CLI output ([pulumi/pulumi1002]( To prevent secret values from being accidentally disclosed in command output or logs, `pulumi` replaces secret values with the string `[secret]`. Inspired by the behavior of [Travis CI](
  - Change default of where stacks are created ([pulumi/pulumi971]( If currently logged in to the Pulumi CLI, `stack init` creates a managed stack; otherwise, it creates a local stack. To force a local or remote stack, use the flags `--local` or `--remote`.
  - Improve error messages output by the CLI ([pulumi/pulumi1011]( RPC endpoint errors have been improved. Errors such as "catastrophic error" and "fatal error" are no longer duplicated in the output.
  - Produce better error messages when the main module is not found ([pulumi/pulumi976]( If you're running TypeScript but have not run `tsc` or your main JavaScript file does not exist, the CLI will print a helpful `info:` message that points to the possible source of the error.


> **Note:** The v0.10.0 SDK has a strict dependency on Node.js 6.10.2.
  - Support "force" option when deleting a managed stack.
  - Add a `pulumi history` command ([pulumi636]( For a managed stack, use the `pulumi history` to view deployments of that stack's resources.
  - (Breaking) Use `npm install` instead of `npm link` to reference the Pulumi SDK `pulumi/aws`, `pulumi/cloud`, `pulumi/cloud-aws`. For more information, see [Pulumi npm packages](
  - (Breaking) Explicitly track resource dependencies via `Input` and `Output` types. This enables future improvements to the Pulumi development experience, such as parallel resource creation and enhanced dependency visualization. When a resource is created, all of its output properties are instances of a new type [`pulumi.Output<T>`]( `Output<T>` contains both the value of the resource property and metadata that tracks resource dependencies. Inputs to a resource now accept `Output<T>` in addition to `T` and `Promise<T>`.
  - Managed stacks sometimes return a 500 error when requesting logs
  - Error when using `float64` attributes using SDK v0.9.9 ([pulumi-terraform95](
  - `pulumi logs` entries only return first line ([pulumi857](


  - Added the ability to control the upload context to the Pulumi Service. You may now set a `context` property in `Pulumi.yaml`, which is combined with the location of `Pulumi.yaml`. This new path is the root of what is uploaded and can be used during deployment. This allows you to, for example, share common code that is located in a folder in your source tree above the directory `Pulumi.yaml` for the project you are deploying.
  - Added additional configuration for docker builds for a container. The `build` property of a container may now either be a string (which is treated as a path to the folder to do a `docker build` in) or an object with properties `context`, `dockerfile` and `args`, which are passed to `docker build`. If unset, `context` defaults to the current working directory, `dockerfile` defaults to `Dockerfile` and `args` default to no arguments.


  - Added the ability to import or export a stack's deployment in the Pulumi CLI. This command can be used for either local or managed stacks. There are two new verbs under the command `stack`:
  - `export` writes the current stack's latest deployment to stdout in JSON format.
  - `import` reads a new JSON deployment from stdin and applies it to the current stack.
  - A basic progress spinner is displayed during deployment operations.
  - When the Pulumi CLI is run in interactive mode, it displays an animated ASCII spinner
  - When run in non-interactive mode, CLI prints a message that it is still working. For CI systems that kill jobs when there is no CLI output (such as TravisCI), this eliminates the need to create shell scripts that periodically print output.
  - To make the behavior of local and managed stacks consistent, the Pulumi CLI uses a separate encryption key for each stack, rather than one shared for all stacks. You can now use a different passphrase for different stacks. Similar to managed stacks, you cannot copy and paste an encrypted value from one stack to another in `Pulumi.yaml`. Instead you must manage the value via `pulumi config`.
  - The default behavior for `--color` is now `always`. To change this, specify `--color always` or `--color never`. Previously, the value was based on the presence of the flag `--debug`.
  - The command `pulumi logs` now defaults to returning one hour of logs and outputs the start time that is  used.
  - When a stack is removed, `pulumi` now deletes any configuration it had saved in either the `Pulumi.yaml` file or the workspace.


  Pulumi Console and managed stacks
  New in this release is the [Pulumi Console]( and stacks that are managed by Pulumi. This is the recommended way to safely deploy cloud applications.
  - `pulumi stack init` now creates a Pulumi managed stack. For a local stack, use `--local`.
  - All Pulumi CLI commands now work with managed stacks. Login to Pulumi via `pulumi login`.
  - The [Pulumi Console]( provides a management experience for stacks. You can view the currently deployed resources (along with the AWS ARNs) and see logs from the last update operation.
  Components and output properties
  - Support for component resources([pulumi 340](, enabling grouping of resources into logical components. This provides an improved view of resources during `preview` and `update` operations in the CLI ([pulumi #417](
  + pulumi:pulumi:Stack: (create)
  + cloud:table:Table: (create)
  + aws:dynamodb/table:Table: (create)
  - A stack can have *output properties*, defined as `export let varName = val`. You can view the last deployed value for the output property using `pulumi stack output varName` or in the Pulumi Console.
  Resource naming
  Resource naming is now more consistent, but there is a new file format for checkpoint files for both local and managed stacks.
  > If you created stacks in the 0.8 release, you should destroy them with the 0.8 CLI, then recreate with the 0.9.x CLI.
  Support for configuration secrets
  - Store secrets securely in configuration via `pulumi config set --secret`. chris
  - The verbs for `config` are now consistent, via `get`, `set`, and `rm`. See [Consistent config verbs 552](
  - [**experimental**] Support for the `pulumi logs` command ([pulumi 527]( These features now work:
  - To see new logs as they arrive, use `--follow`
  - Use `--since` to limit to recent logs, such as `pulumi logs --since=1h`
  - Filter to specific resources with `--resource`. This filters to a particular component and its child resources (if any), such as `pulumi logs --resource examples-todoc57917fa --since 1h`
  Other features
  - Support for `.pulumiignore`, for files that should not be uploaded when deploying a managed stack through Pulumi.
  - [Allow overriding a `Pulumi.yaml`'s entry point 575]( To specify the entry directory, specify `main` in `Pulumi.yaml`. For instance, `main: a/path/to/main/`.
  - Support for *protected* resources. A resource can be marked as `protect: true`, which prevents deletion of the resource. For example, `let res = new MyResource("precious", { .. }, { protect: true });`. To "unprotect" the resource, change `protect: false` then run `pulumi up`. See [Allow resources to be flagged "protected" 689](
  - Changed defaults for workspace and stack configuration. See [Workspace configuration is error prone 714](
  - [Save configuration under the stack by default](
  - Improved SDK installer. It automatically creates directories as needed, configures node modules, and prints out friendly error messages.
  - [Better diffing in CLI output, especially for Lambdas \454](
  - [`main` does not set working dir correctly for Lambda zip 667](
  - [Better error when invalid access token is used in `pulumi login` 640](
  - [Eliminate the top-level Stack from all URNs 647](
  - Service API for Encrypting and Decrypting secrets
  - [Make CLI resilient to network flakiness 763](
  - Support --since and --resource on `pulumi logs` when targeting the service
  - [Pulumi unable to serialize non-integers 694](
  - [Stop buffering CLI output 660](