Introducing the Terraform State Provider for Pulumi ESC

Enterprises that have built extensive Terraform foundations often struggle to surface critical outputs—VPC IDs, database endpoints, or kubeconfig files—to downstream tools. Traditional approaches rely on ad‑hoc scripts, environment variables, or manual copy‑pasting, introducing risk of drift and secret leakage. Pulumi ESC’s new Terraform State provider directly addresses this gap by treating Terraform state as a first‑class data source, enabling consistent, programmatic access to outputs across the entire deployment pipeline.

The provider leverages the fn::open::terraform-state function to read state files from a variety of backends, including S3 buckets and Terraform Cloud workspaces. By configuring backend credentials via the aws-login provider or a secret token, teams can securely fetch state without exposing credentials. All outputs become available under the terraform.outputs namespace, and any field flagged as sensitive is automatically promoted to an ESC secret, ensuring compliance with secret‑management policies. This seamless integration means that a Pulumi stack can ingest VPC IDs or subnet lists directly, while tools like kubectl and helm can consume generated KUBECONFIG files without additional glue code.

From a business perspective, the Terraform State provider reduces operational friction and accelerates time‑to‑value for multi‑cloud initiatives. Organizations can now maintain a single source of truth for infrastructure data, cut down on maintenance overhead, and enforce consistent secret handling across teams. As IaC ecosystems continue to converge, Pulumi’s approach positions ESC as a central hub for configuration and secret management, paving the way for tighter automation, lower risk, and more agile cloud operations.