The unit block provisions a single cloud resource. Maps 1:1 to a Pulumi provider resource. Equivalent to Terraform’s resource block.

Syntax

unit "resource_type" "name" {
  attribute = value
}

Example

unit "aws_rds_instance" "db" {
  engine              = "postgres"
  engine_version      = "15"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "admin"
  password            = secret("aws_secrets_manager", "prod/db/password")
  skip_final_snapshot = true
}
Compiled to:
const db = new aws.rds.Instance("db", {
    engine: "postgres",
    instanceClass: "db.t3.micro",
    allocatedStorage: 20,
    // ...
});

Referencing Outputs

Use ~ to reference a unit’s output attributes (Pending<T>):
unit "aws_s3_bucket_v2" "backup" {
  bucket = "${~unit.aws_rds_instance.db.identifier}-backups"
}

count

unit "aws_s3_bucket_v2" "replicas" {
  count  = 3
  bucket = "replica-${count.index}"   # 0-based
}
count and for_each are mutually exclusive.

for_each

unit "aws_s3_bucket_v2" "regional" {
  for_each = { "us-east-1" = "primary", "eu-west-1" = "secondary" }
  bucket   = "${each.key}-assets"
  tags     = { role = each.value }
}

lifecycle

unit "aws_rds_instance" "db" {
  engine         = "postgres"
  instance_class = "db.t3.micro"

  lifecycle {
    prevent_destroy       = true
    ignore_changes        = ["password"]
    create_before_destroy = false
  }
}
| Rule | Effect |
| --- | --- |
| prevent_destroy = true | Block destruction |
| create_before_destroy = true | Create new before deleting old |
| ignore_changes = [...] | Ignore drift on these attributes |

depends_on

unit "aws_s3_bucket_v2" "logs" {
  bucket     = "app-logs"
  depends_on = [unit.aws_iam_role.logger]
}

when

input "enable_logging" { default = "true" }

unit "aws_s3_bucket_v2" "logs" {
  when   = input.enable_logging == "true"
  bucket = "app-logs"
}

cost_limit

unit "aws_rds_instance" "db" {
  instance_class = "db.r6g.4xlarge"
  cost_limit     = 500   # $500/month maximum
}
Requires UBX_AI_API_KEY. ubx validate --cost warns if the estimate exceeds the limit; ubx apply blocks if the limit is exceeded.

dynamic Blocks

unit "aws_security_group" "web" {
  name = "web-sg"

  dynamic "ingress" {
    for_each = [80, 443]
    content {
      from_port = val
      to_port   = val
      protocol  = "tcp"
    }
  }
}

Secrets in Attributes

unit "aws_rds_instance" "db" {
  password = secret("aws_secrets_manager", "prod/db/password")
  api_key  = secret("vault", "secret/prod/api#key")
  debug    = secret("env", "DEBUG_MODE")
}
See secret() for all backends.
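
A pre-commit style check for the pattern above, added here as an example and not part of ubx: it scans unit blocks and reports sensitive attributes assigned a plain string literal instead of secret(...). The list of sensitive attribute names, the line-oriented parsing, and the function names are assumptions of this example; the sample input is constructed.

```python
import re

# Attribute names treated as sensitive (an assumption of this example).
SENSITIVE = re.compile(r"password|passwd|secret|token|api_key", re.I)
UNIT = re.compile(r'^\s*unit\s+"([^"]+)"\s+"([^"]+)"')
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")
# A quoted string with no ${...} interpolation, i.e. a hardcoded value.
LITERAL = re.compile(r'^"(?:\\.|[^"\\$]|\$(?!\{))*"$')
# Strings are matched first so '#' and braces inside them are skipped.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|#.*|[{}]')

def scan(line):
    """Return (line without trailing # comment, net brace depth change)."""
    delta = 0
    for m in TOKEN.finditer(line):
        tok = m.group()
        if tok[0] == "#":
            return line[:m.start()], delta
        delta += {"{": 1, "}": -1}.get(tok, 0)
    return line, delta

def find_literal_secrets(source):
    """Return [(line_no, unit_address, attribute)] for hardcoded secrets."""
    findings, unit, depth = [], None, 0
    for no, raw in enumerate(source.splitlines(), 1):
        code, delta = scan(raw)
        header = UNIT.match(code)
        if header and depth == 0:
            unit = "unit.%s.%s" % header.groups()
        elif unit:
            m = ASSIGN.match(code)
            if m and SENSITIVE.search(m.group(1)) and LITERAL.match(m.group(2)):
                findings.append((no, unit, m.group(1)))
        depth += delta
        if depth == 0:
            unit = None
    return findings

# Constructed sample: one unit uses secret(), one hardcodes the password.
SAMPLE = '''\
unit "aws_rds_instance" "db" {
  username = "admin"
  password = secret("aws_secrets_manager", "prod/db/password")
  api_key  = secret("vault", "secret/prod/api#key")
}

unit "aws_rds_instance" "legacy" {
  password = "example-not-a-real-password"   # hardcoded literal
  lifecycle {
    ignore_changes = ["password"]
  }
}
'''

if __name__ == "__main__":
    for no, unit, attr in find_literal_secrets(SAMPLE):
        print(f"line {no}: {unit}.{attr} is a string literal; use secret()")
```

The quote-aware tokenizer matters for this syntax: the vault path "secret/prod/api#key" contains a # that is not a comment, and interpolated strings such as "${each.key}-assets" contain braces that must not affect block depth.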

View Available Fields

ubx docs aws_s3_bucket_v2 --list
ubx docs aws_rds_instance --list
ubx schema list

Supported Providers

AWS (1,672+ resources), GCP (1,217+ resources), Azure (2,334+ resources).