Pulumi e-sign integration
Infrastructure teams manage cloud resources with Pulumi. Contract signing is not a cloud resource, but Pulumi can provision the middleware (Lambda, API Gateway, secrets) that calls Atlas and wires webhooks into your stack.
> "Pulumi deploys the signing bridge. Atlas runs the ceremony."
What Pulumi should own
| Resource | Purpose |
|---|---|
| AWS Secrets Manager / GCP Secret Manager | Atlas API key |
| Lambda or Cloud Run service | Create + webhook handlers |
| API Gateway URL | Inbound Atlas webhooks |
| IAM roles | Least privilege for secret read |
| Optional SQS queue | Async webhook processing |
Do not put signing logic inside the Pulumi program as inline callbacks. Ship it as a normal function artifact (for example, a zip) that Pulumi deploys.
TypeScript example (AWS)
```typescript
import * as aws from '@pulumi/aws';
import * as pulumi from '@pulumi/pulumi';

// Secret holding the Atlas API key; the value is set out of band, never in source.
const atlasSecret = new aws.secretsmanager.Secret('atlas-api-key');
// Execution role for the webhook Lambda: CloudWatch logs plus read access to this one secret.
const lambdaRole = new aws.iam.Role('atlas-webhook-role', {
  assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: 'lambda.amazonaws.com' }),
});
new aws.iam.RolePolicyAttachment('atlas-webhook-logs', {
  role: lambdaRole.name,
  policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole,
});
new aws.iam.RolePolicy('atlas-webhook-secret-read', {
  role: lambdaRole.id,
  policy: atlasSecret.arn.apply((arn) => JSON.stringify({
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: 'secretsmanager:GetSecretValue', Resource: arn }],
  })),
});
const webhookFn = new aws.lambda.Function('atlas-webhook', {
  runtime: 'nodejs20.x',
  handler: 'index.handler',
  role: lambdaRole.arn,
  environment: {
    variables: {
      ATLAS_SECRET_ARN: atlasSecret.arn,
    },
  },
  code: new pulumi.asset.FileArchive('./webhook'),
});
const api = new aws.apigatewayv2.Api('atlas-hooks', { protocolType: 'HTTP' });
// ... integrate route POST /atlas → webhookFn
```
The webhook function verifies the X-Atlas-Signature header before acting on a payload, then updates envelope state in DynamoDB or RDS.
Create path
Run the create path as a separate Lambda behind an authenticated API used by internal tools:
```javascript
const { SecretsManagerClient, GetSecretValueCommand } = require('@aws-sdk/client-secrets-manager');

const sm = new SecretsManagerClient({});
let cachedKey; // cached across warm invocations so each create does not hit Secrets Manager

async function getSecret(secretArn) {
  if (!cachedKey) {
    const out = await sm.send(new GetSecretValueCommand({ SecretId: secretArn }));
    cachedKey = out.SecretString;
  }
  return cachedKey;
}

exports.create = async (event) => {
  const key = await getSecret(process.env.ATLAS_SECRET_ARN);
  const body = JSON.parse(event.body);
  const res = await fetch('https://atlaswork.ai/api/envelope', {
    method: 'POST',
    headers: {
      Authorization: `Bearer ${key}`,
      'Content-Type': 'application/json',
      // Gateway request id makes client retries safe: Atlas sees the same key twice.
      'Idempotency-Key': event.requestContext.requestId,
    },
    body: JSON.stringify({
      document_url: body.documentUrl,
      webhook_url: process.env.WEBHOOK_PUBLIC_URL,
      parties: body.parties,
    }),
  });
  return { statusCode: res.status, body: await res.text() };
};
```
Stack outputs
Export webhook URL and create API URL as Pulumi stack outputs for other teams:
```typescript
export const atlasWebhookUrl = pulumi.interpolate`${api.apiEndpoint}/atlas`;
```
Terraform comparison
Teams evaluating Pulumi versus Terraform for the same bridge should pick one IaC tool; the Atlas integration code is identical inside the compute layer. Pulumi wins when the signing middleware shares types with your application in TypeScript.
Environment promotion
Use separate Pulumi stacks (dev, staging, prod) with different Atlas API keys and webhook URLs. Preview deployments must not share production webhook endpoints.
Policy as code
Store IAM policies in the same Pulumi program as the signing middleware, so security review sees Atlas secret access and outbound HTTPS in one pull request.
Cost visibility
Tag Lambda and API Gateway resources with the cost allocation tag service=atlas-bridge. Finance can then compare the infrastructure cost of the webhook bridge against per-envelope Atlas credits when modeling unit economics.
Disaster recovery
Back up Pulumi state and keep a Secrets Manager replica in a second region. If the primary region fails, redeploy the stack in the secondary region and point new envelopes at the new webhook_url via a config flag.
FAQ
Pulumi provider for Atlas? None needed; your deployed functions call Atlas over HTTP.
Multi-cloud? The same pattern applies to GCP Cloud Functions or Azure Functions resources in Pulumi.
Signed PDF storage? Provision an S3 bucket in the same stack; the webhook handler uploads after signing.
MCP? Engineers use MCP in the IDE; the Pulumi stack is for customer-facing automation.
Credits? Billed per Atlas org, unrelated to Pulumi Cloud billing.
Extended FAQ
Pulumi Cloud vs self-managed state? Either works. Protect state files containing webhook URLs.
Lambda vs Fargate? Lambda for webhook ACK under ten seconds. Fargate if PDF processing is heavy.
Cross-stack references? Export webhook URL output for frontend stack consuming sign status API.
Atlas IP allowlist? Confirm with support if your security team requires fixed egress IPs on Lambda.
Destroy stack? Rotate Atlas API key after destroy if key was embedded in replaced infrastructure.
Module boundaries
Keep Pulumi programs focused on infrastructure. Application code for HMAC verification belongs in the Lambda zip asset, versioned separately. Tag the Lambda version in Pulumi so infra diffs do not hide application logic changes.
Run pulumi preview in CI on pull requests that touch Atlas bridge stacks so reviewers see security group and secret changes explicitly.
Document expected monthly Atlas credit burn from production signing volume next to Pulumi cost estimates so finance sees full picture.
Testing the stack
After pulumi up, run smoke tests:
- Invoke create Lambda with fixture JSON in dev stack
- Confirm review URL returns in response body
- POST sample webhook payload from Atlas docs through API Gateway
- Verify DynamoDB or RDS row updates
- Tear down dev envelopes with void API to conserve credits
Publish the stack outputs (pulumi stack output) in CI so application teams can copy the webhook URL without reading the infrastructure code.
When not to use Pulumi here
If signing middleware is a single Next.js app on Vercel, skip Pulumi for the bridge and deploy API routes directly. Pulumi pays off when signing glue shares IAM and secrets with the rest of your AWS estate managed as infrastructure code.