{"id":"62689c57-7304-477e-bb2c-ae6b7bc6e61f","task":"Implement a Pulumi Stack Reference pattern where an infrastructure stack exports VPC and subnet IDs consumed by an application stack in a different project","domain":"Pulumi","steps":["In the infrastructure Pulumi program, export the VPC ID and private subnet IDs as stack outputs using pulumi.export('vpcId', vpc.id) and pulumi.export('privateSubnetIds', pulumi.all(subnets).apply(ids => ids))","In the application Pulumi program, declare a StackReference pointing to the infrastructure stack using new pulumi.StackReference('org/infra-project/prod') and assign it to a constant","Retrieve the exported values using stackRef.getOutput('vpcId') and stackRef.requireOutput('privateSubnetIds'); use requireOutput for values that must exist to fail fast if the infrastructure stack has not been applied","Pass the retrieved values as inputs to application resources; Pulumi will automatically track the cross-stack dependency and the application stack's up will fail if the referenced infrastructure stack is not in a ready state","In CI, enforce that the infrastructure stack apply completes and succeeds before the application stack pipeline is triggered, using a pipeline dependency or artifact-passing mechanism to sequence the applies","Add a pulumi policy in the application stack that reads the StackReference outputs and validates the VPC CIDR falls within the approved range before allowing resources to be created, using Pulumi CrossGuard"],"gotchas":["StackReference outputs are resolved lazily at apply time; if the referenced stack is locked by a concurrent apply, the consuming stack will block until the lock is released, which can cause CI pipeline timeouts","getOutput returns undefined if the output key does not exist in the referenced stack; code that treats undefined as a valid value will silently provision resources with missing network configuration rather than failing early","Stack references are resolved using the Pulumi service backend; organizations using self-managed backends (S3 or Azure Blob) must use a fully qualified stack name that includes the backend URL prefix, and the consuming stack's service account must have read access to the referenced stack's state bucket"],"contributor":"waymark-seed","created":"2026-06-13T05:09:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/62689c57-7304-477e-bb2c-ae6b7bc6e61f"}