Run Pulumi Insights on Your Own Infrastructure
Source: Pulumi Blog
Insights at a glance
Insights provides two complementary capabilities that together form a governance lifecycle for your cloud infrastructure.
- Discovery scans cloud accounts across AWS, Azure, GCP, and more to catalog every resource regardless of how it was provisioned: Pulumi, Terraform, CloudFormation, or manual creation. Once cataloged, you can search, filter, group, and export your resource data. You can also import unmanaged resources into Pulumi to bring them under IaC management.
- Policy enforces compliance with policy‑as‑code written in TypeScript or Python. Pulumi ships pre‑built compliance packs for CIS, NIST, PCI DSS, HITRUST, and other frameworks so you can start evaluating without writing any code. Audit policy groups continuously evaluate all discovered resources and IaC stacks, while preventative policies block non‑compliant deployments before they reach production.
Together, these capabilities let you map out your cloud estate, evaluate its compliance, and then remediate the issues that policy evaluation uncovers.
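To make the policy-as-code part concrete, here is an added Python example (not code from the post or from Pulumi) of an audit-style check run over cataloged resources. The validator follows the `(args, report_violation)` shape that `pulumi_policy`'s `ResourceValidationPolicy` expects, and it assumes the AWS provider's `aws:s3/bucket:Bucket` type token and `acl` input; the `ResourceArgs` class and the discovered-resource sample are constructed stand-ins so the check runs offline.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# ACL values on an S3 bucket that grant anonymous (public) access.
PUBLIC_ACLS = {"public-read", "public-read-write"}


@dataclass
class ResourceArgs:
    """Constructed stand-in for pulumi_policy.ResourceValidationArgs: the
    fields a validator reads (provider type token, inputs, logical name)."""
    resource_type: str
    props: Dict[str, Any]
    name: str = ""


def s3_no_public_acl(args: ResourceArgs, report_violation: Callable[[str], None]) -> None:
    """Resource validator in the shape ResourceValidationPolicy(validate=...)
    expects: inspect one resource, call report_violation once per finding."""
    if args.resource_type != "aws:s3/bucket:Bucket":
        return  # policy applies only to S3 buckets; other resource types pass
    acl = args.props.get("acl")
    if acl in PUBLIC_ACLS:
        report_violation(f"bucket {args.name!r}: ACL {acl!r} grants anonymous access")


def audit(resources: List[ResourceArgs]) -> Dict[str, List[str]]:
    """Audit-style evaluation: run the validator over every cataloged resource,
    however it was provisioned, and return findings keyed by resource name."""
    findings: Dict[str, List[str]] = {}
    for res in resources:
        msgs: List[str] = []
        s3_no_public_acl(res, msgs.append)
        if msgs:
            findings[res.name] = msgs
    return findings


# Constructed sample of what a discovery scan might catalog: two buckets with
# different ACLs plus one unrelated resource the policy must ignore.
DISCOVERED = [
    ResourceArgs("aws:s3/bucket:Bucket", {"acl": "private"}, name="logs"),
    ResourceArgs("aws:s3/bucket:Bucket", {"acl": "public-read"}, name="assets"),
    ResourceArgs("aws:ec2/instance:Instance", {"instanceType": "t3.micro"}, name="web"),
]

if __name__ == "__main__":
    for name, msgs in audit(DISCOVERED).items():
        print(name, msgs)
```

In a real policy pack the same `s3_no_public_acl` function is passed as `validate=` to a `ResourceValidationPolicy` inside a `PolicyPack`; the `audit` loop here only stands in for the evaluation the audit policy group performs.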
Why self‑hosted?
Running Insights on your own infrastructure with customer‑managed workflow runners gives you:
- Data residency – Scan execution and policy evaluation run entirely within your private network.
- Private infrastructure access – Scan resources in VPCs and environments that are not accessible from the public internet.
- Compliance – Cloud provider credentials can stay internal to your network, meeting regulatory requirements for credential handling.
- Flexible hosting – Run workflow runners in any environment that meets your needs, including Linux, macOS, Docker, and Kubernetes.
How it works
Customer‑managed workflow runners are lightweight agents that poll Pulumi Cloud for pending work, execute it locally, and report results back. You can configure runners to handle specific workflow types: discovery scans, policy evaluations, deployments, or all three.
- The same approach works for both SaaS Pulumi Cloud and self‑hosted installations.
- The runner initiates every connection to the Pulumi Cloud API itself over HTTPS, so no inbound connectivity is required, making it well‑suited for restricted network environments.
- Under the hood, a distributed work scheduling system routes activities to the appropriate runner pool, handles lease‑based execution, and recovers automatically from failures.
- For a deep dive on the architecture, see How We Built a Distributed Work Scheduling System for Pulumi Cloud.
If your team already uses customer‑managed workflow runners for Pulumi Deployments, your existing runner pools can handle Insights workflows with no additional infrastructure.
Get started
Self‑hosted Insights is available on the Business Critical edition of Pulumi Cloud. To learn more or get set up:
- Self‑hosted Insights documentation – configuration and setup for discovery scans and audit policy evaluations on your own infrastructure.
- Customer‑managed workflow runners – runner installation, configuration reference, and pool management.
- Insights & Governance overview – full documentation for discovery and policy capabilities.
Contact sales to enable self‑hosted Insights for your organization.