Skip to content
stack
Get started
Comparison

Stack vs Pulumi

Pulumi generates cloud infrastructure. Stack provisions SaaS services. They live at different layers — here's the honest breakdown.

TL;DR

Stack and Pulumi solve adjacent problems at different layers of the stack. Pulumi is infrastructure-as-code for cloud primitives: you write Python, TypeScript, Go, or C# that describes AWS VPCs, GCP buckets, Azure Functions, Kubernetes clusters — Pulumi reconciles state and talks to the cloud provider's API. Stack provisions and wires third-party SaaS services: one command creates a real Supabase project, a Stripe account, a Clerk application, drops the secrets into an E2E-encrypted vault (Phantom), and regenerates your .env and .mcp.json. Neither tool replaces the other. Most teams shipping a modern SaaS end up using both.

When to pick each

Pick Pulumi when Pick Stack when
You need real cloud infra: VPCs, subnets, IAM roles, load balancers, RDS, Lambda, CloudFront. You need SaaS services wired end-to-end: Supabase + Stripe + Clerk + PostHog for a product.
Multi-cloud, multi-region, state file, stack-per-environment, drift detection. You want stack add supabase to create the project, fetch keys, and store them safely.
Compliance needs explicit resource tagging, policy-as-code (CrossGuard), and audit trails. You are an indie dev, a YC startup, or an agency shipping a SaaS in a week rather than a quarter.

Pulumi is the right answer when "infrastructure" means AWS/GCP/Azure primitives your team owns and operates. Stack is the right answer when "infrastructure" means "the ten third-party SaaS services a modern app depends on." If you catch yourself writing a Pulumi Custom­Resource to POST to api.stripe.com, you're in Stack territory.

At-a-glance

Capability Stack Pulumi
Category SaaS control plane Cloud IaC (infrastructure-as-code)
Primary surface CLI + MCP server + Claude Code plugin CLI + language SDKs (Python / TS / Go / C# / Java / YAML)
What it provisions Supabase, Vercel, Stripe, Clerk, PostHog, Sentry, GitHub repos, Resend, etc. (29 providers) AWS, GCP, Azure, Kubernetes, Cloudflare, Docker, 150+ cloud providers
Describes state with .stack.toml (declarative, slot-name only — secrets live in Phantom) Programs in a real language; state persisted to Pulumi Cloud or self-hosted backend
Secrets handling E2E-encrypted via Phantom; never written to disk plaintext; phm_* tokens in .env Pulumi ESC (Environments, Secrets, Configuration) — encrypted via passphrase or KMS
AI surface Native stack recommend + MCP tools + Claude Code plugin Pulumi AI (LLM generates Pulumi programs from prompts)
OAuth automation Built-in: OAuth dance per provider, Ashlr-managed OAuth apps on paid tier You manage provider credentials yourself
License MIT · pre-alpha v0.1.1 Apache 2.0 (core) with paid Pulumi Cloud
Free tier Full CLI, MCP, plugin — free forever Individual tier free; Team/Enterprise paid
Best for SaaS composition, agentic workflows, Claude Code users Platform engineers, SREs, compliance-heavy infra

Where they overlap

Both tools claim to "set up your infrastructure" with one command, and both model desired state declaratively. In edge cases, Pulumi's registry has thin wrappers around a few SaaS providers — there's a community Stripe provider, a partial Vercel provider, a Supabase token resource. In theory you could use those to create a Stripe product or a Vercel project from a Pulumi program. In practice, nobody does, because the Pulumi ergonomic belongs to cloud infra — writing a 200-line index.ts to provision a Stripe webhook is the wrong shape. Stack collapses that to stack add stripe.

Where Stack wins

Stack is purpose-built for the "rent, don't own" half of modern infrastructure. Concrete wins:

  • Real upstream projects, not just API tokens. stack add supabase calls Supabase's Management API to create a new project, wait for it to come online, pull the service-role key, and store it in Phantom. Pulumi's Supabase providers generally expect you to already have a project and a PAT.
  • OAuth, not API tokens. Stack handles OAuth across many providers via Ashlr-managed app registrations — you click "Authorise" in a browser. Pulumi expects you to have already created a long-lived access token in the provider's dashboard.
  • MCP-native. Stack ships 19 MCP tools. A Claude Code session can call stack_recommend, then stack_add, then stack_doctor — provisioning an entire SaaS from a single prompt. Pulumi AI generates Pulumi programs but doesn't operate existing stacks agentically.
  • No state server. Stack stores slot names in a checked-in .stack.toml; Phantom holds the actual secrets. There is no "stack state" file, no backend to self-host, no state-lock contention.

Where Pulumi wins

Honest concessions. Pulumi is the right tool when:

  • You need real cloud infrastructure. Stack does not create VPCs, subnets, security groups, IAM roles, or RDS databases. If your app runs on AWS primitives, Pulumi (or Terraform, or CDK) is the answer.
  • Multi-cloud, multi-region, drift detection. Pulumi has mature state management, stack references across environments, drift detection, and policy-as-code (CrossGuard). Stack is a single-environment-per-project tool in v0.1.
  • Enterprise compliance. Pulumi Cloud has SOC2, SAML SSO, audit logs, and team RBAC. Stack is pre-alpha and MIT; those controls are on the roadmap for stack cloud, not shipped.
  • You already have a Pulumi monorepo. Don't re-platform. Extend Pulumi with an ESC environment that pulls Phantom secrets, and keep shipping.

Can I use both?

Yes — and it's the recommended path for any team with serious cloud infra. A realistic division of labor:

  • Pulumi owns your AWS account: VPC, ECS cluster, RDS, CloudFront, IAM, WAF, Route53.
  • Stack owns the SaaS your app composes on top: Supabase for auth/DB, Stripe for billing, Clerk for user management, PostHog for product analytics, Sentry for errors, Resend for email.

Hand-off: Pulumi emits outputs (e.g. an ALB DNS) that Stack reads as environment inputs; Stack writes secrets into Phantom, which Pulumi ESC can import via Phantom Cloud when Pulumi programs need them at apply-time. Use stack doctor in CI to catch drift in the SaaS layer; use pulumi preview to catch drift in the cloud layer.

Migration and caveats

Stack is pre-alpha — these comparisons reflect v0.1.1 as of April 2026. Features like multi-env stacks, team-shared recipes, and audit logs are on the roadmap but not shipped. If you're an enterprise with strict audit requirements today, Pulumi is the mature choice; revisit Stack when you want to reduce the glue code between your cloud infra and the SaaS services on top of it. Browse the 29-provider catalog to see what Stack actually automates today.

FAQ

Does Stack replace Pulumi?

No. Pulumi provisions cloud primitives — VPCs, Lambdas, S3 buckets, RDS databases — using your AWS, GCP, or Azure credentials. Stack provisions third-party SaaS services — Supabase, Stripe, Clerk, Vercel — using their Management APIs and OAuth. They operate at different layers and most teams shipping serious software need both.

Can I use Pulumi and Stack together?

Yes, and it's the common case. A typical SaaS uses Pulumi for the AWS account it owns (networking, S3, IAM) and Stack for the SaaS services it rents (Supabase for Postgres, Stripe for billing, PostHog for analytics). Pulumi outputs can feed Stack config, and Stack-managed env vars can be passed into Pulumi ESC.

Why doesn't Stack just use the Pulumi SaaS providers?

Pulumi's registry has partial coverage for a handful of SaaS providers but lacks the provisioning depth Stack does end-to-end — OAuth onboarding, Management-API project creation, secret extraction, Phantom vault write, .env and .mcp.json generation, doctor checks, and rotation envelopes. Stack is the purpose-built SaaS control plane, not a general IaC engine.