
Pulumi Patterns

Reusable infrastructure-as-code recipes for shipping Meridian on AWS, GCP, and Azure with real TypeScript.

Component Resource

Wrap common infra in a Pulumi ComponentResource so every environment gets identical VPC, ECS, and RDS topology with a single class.

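import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

// StackArgs is the stack's input type; its definition is not shown here.
class MeridianStack extends pulumi.ComponentResource {
  constructor(name: string, args: StackArgs, opts?: pulumi.ComponentResourceOptions) {
    super("meridian:infra:Stack", name, {}, opts);
    // parent: this makes each child part of the component in the resource graph.
    const vpc = new awsx.ec2.Vpc(`${name}-vpc`, {}, { parent: this });
    const cluster = new aws.ecs.Cluster(`${name}-cluster`, {}, { parent: this });
    // Publish the outputs other code needs and mark construction complete.
    this.registerOutputs({ vpcId: vpc.vpcId, clusterArn: cluster.arn });
  }
}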

Stack References

Share outputs between stacks without hardcoding. Pull the shared VPC ID from the network stack into your app stack.

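// requireOutput fails the update if the network stack does not export the value.
const network = new pulumi.StackReference("org/network/prod");
const vpcId = network.requireOutput("vpcId");
const alb = new aws.lb.LoadBalancer("app-alb", {
  internal: false, // internet-facing load balancer
  subnets: network.requireOutput("publicSubnetIds"),
});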

Auto-tagging

Register a stack-wide transformation that automatically tags every AWS resource with the stack name and git SHA.

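pulumi.runtime.registerStackTransformation((args) => {
  // Not every aws: type has a tags input, so restrict this check to
  // taggable types before relying on it.
  if (args.type.startsWith("aws:")) {
    args.props.tags = {
      ...args.props.tags,
      // Listed last so they override any existing tag of the same name.
      "meridian:stack": pulumi.getStack(),
      "meridian:sha": process.env.GIT_SHA ?? "unknown",
    };
  }
  return { props: args.props, opts: args.opts };
});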
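
A stricter variant of the transformation above, as an added example (not Meridian's own code): it tags only resource types on an allow-list, since not every `aws:` type has a `tags` input, and it accepts the SHA only when it looks like a commit id. `makeAutoTagger`, `cleanSha`, `TAGGABLE` and the `TransformArgs` shape are names assumed for illustration, and the allow-list is a constructed subset.

```typescript
// Subset of the arguments Pulumi passes to a stack transformation (assumed shape).
interface TransformArgs {
  type: string;
  name: string;
  props: Record<string, any>;
  opts: Record<string, any>;
}

// Constructed allow-list: only types that have a `tags` input.
// A real deployment would generate this list from the provider schema.
const TAGGABLE: ReadonlyArray<string> = [
  "aws:ecs/cluster:Cluster",
  "aws:rds/instance:Instance",
  "aws:lb/loadBalancer:LoadBalancer",
];

// Accept only an abbreviated or full lowercase hex commit id as the tag value.
function cleanSha(raw: string | undefined): string {
  return raw !== undefined && /^[0-9a-f]{7,40}$/.test(raw) ? raw : "unknown";
}

// Build the transformation for one stack. Returning undefined tells Pulumi
// to leave the resource unchanged.
function makeAutoTagger(stack: string, rawSha: string | undefined) {
  const provenance = { "meridian:stack": stack, "meridian:sha": cleanSha(rawSha) };
  return (args: TransformArgs) => {
    if (TAGGABLE.indexOf(args.type) === -1) {
      return undefined; // e.g. IAM policy attachments have no `tags` input
    }
    // Copy instead of mutating; provenance keys win over caller-set tags.
    const tags = { ...(args.props.tags ?? {}), ...provenance };
    return { props: { ...args.props, tags }, opts: args.opts };
  };
}
```

In a Pulumi program the returned function is what gets passed to `pulumi.runtime.registerStackTransformation`, with `pulumi.getStack()` and `process.env.GIT_SHA` as its two arguments.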

Secrets from Vault

Never store secrets in plaintext. Pull them from your vault provider and pass them as Pulumi secrets.

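// `vault` is the deployment's Vault client; its setup is not shown here.
// pulumi.secret() marks the value so it is encrypted in state and masked in CLI output.
const dbPassword = pulumi.secret(
  vault.read("secret/data/meridian/prod").data.db_password
);
const db = new aws.rds.Instance("meridian-db", {
  engine: "postgres",
  password: dbPassword,
  // Remaining required settings (instance class, storage, and so on) are omitted here.
});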

These patterns ship in every Meridian enterprise deployment. For the full reference, see the infrastructure guide.