10 changes: 9 additions & 1 deletion content/docs/administration/self-hosting/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ menu:
administration:
name: Self-Hosting
parent: administration-home
weight: 40
weight: 25
identifier: administration-self-hosting
aliases:
- /docs/guides/self-hosted/
Expand All @@ -33,6 +33,14 @@ sections:

Pulumi can be deployed in any on-premise or cloud environment and integrated with your preferred identity provider: GitHub Enterprise, GitLab Enterprise, SAML SSO, or email/password authentication.

- type: button-cards
heading: Get started
cards:
- icon: rocket-launch
heading: Install Self-Hosted Pulumi Cloud
link: /docs/administration/self-hosting/install/
description: Pick your platform and install. Evaluate with Docker Compose in minutes, or deploy to production on AWS, Azure, Google Cloud, or Kubernetes.

- type: button-cards
heading: Deployment options
cards:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,9 @@ aliases:
- /docs/administration/self-hosting/pulumi-cloud/deployment-options/
- /docs/pulumi-cloud/admin/self-hosted/deployment-options/
---
Pulumi offers a number of deployment options for self-hosting the Pulumi Cloud.
Pulumi offers a number of deployment options for self-hosting the Pulumi Cloud. To get started, see [Install Self-Hosted Pulumi Cloud](/docs/administration/self-hosting/install/), which walks you through each platform. Use Docker Compose to evaluate on a single host in minutes; the other options are production deployments.

* [Docker Compose](quickstart-docker-compose/)
* [Docker Compose](quickstart-docker-compose/) — evaluation and testing
* [ECS](ecs-hosted/)
* [EKS](eks-hosted/)
* [AKS](aks-hosted/)
Expand Down
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
---
title_tag: Quickstart Docker Compose | Self-Hosting Pulumi
meta_desc: Quickstart Docker compose installer for testing of the self-hosted Pulumi Cloud.
title_tag: Try Self-Hosted Pulumi Cloud with Docker Compose
meta_desc: Evaluate self-hosted Pulumi Cloud in about ten minutes with the all-in-one Docker Compose stack.
title: Docker Compose
h1: Pulumi Cloud self-hosted Docker Compose install
h1: Try Self-Hosted Pulumi Cloud with Docker Compose
meta_image: /images/docs/meta-images/docs-meta.png
menu:
administration:
Expand All @@ -16,49 +16,72 @@ aliases:
- /docs/pulumi-cloud/admin/self-hosted/deployment-options/quickstart-docker-compose/
---

The Pulumi Cloud Docker container images can be run using any OCI-compatible container orchestrator. We provide sample docker-compose files that can help you get started with your self-evaluation quickly.
The fastest way to try self-hosted Pulumi Cloud is the all-in-one Docker Compose stack. It runs the API, the web Console, a migrated MySQL database, and OpenSearch on a single host with working defaults, so you can evaluate the full platform in about ten minutes. Use it for evaluation and testing; for production, see the [production deployment options](/docs/administration/self-hosting/deployment-options/).

> **Note**: docker-compose is not required to run these containers. We recommend that you choose a container orchestrator with which your IT team has experience.
## Prerequisites

In addition to the environment variables that each container exposes, the following can be set when using either of the quickstart solutions below. These are used by the `run-ee.sh` script provided to you as part of the self-evaluation package. If any of these variables are not set when you run `run-ee.sh`, the default values will be used.
- [Docker Engine](https://docs.docker.com/engine/install/) with the Docker Compose plugin (v2).
- A host with at least 2 CPU cores, 8 GB of memory, and 20 GB of free disk.
- Ports `3000` (Console), `8080` (API), and `9200`/`5601` (OpenSearch) available on the host.
- A Pulumi license key.

`PULUMI_DATA_PATH`: The persistent path where the service should store the checkpoint objects. Default uses `/tmp/pulumi-ee/data`.
{{% notes "info" %}}
Self-hosted Pulumi Cloud requires a license key set in `PULUMI_LICENSE_KEY`. [Get an evaluation license](/product/self-hosted/#self-hosted-trial) to get started.
{{% /notes %}}

`PULUMI_LOCAL_DATABASE_NAME`: The database instance’s hostname. Default is `pulumi-db`.
## Run the all-in-one stack

`PULUMI_LOCAL_DATABASE_PORT`: The database instance’s port. Default is `3306`.
1. Clone the installer and change into the quickstart directory:

For example, `PULUMI_DATA_PATH=/my/persistent/dir LOCAL_DATABASE_NAME=my-db LOCAL_DATABASE_PORT=3306 ./scripts/run-ee.sh`.
```bash
git clone https://github.com/pulumi/pulumi-self-hosted-installers.git
cd pulumi-self-hosted-installers/quickstart-docker-compose
```

Regardless of the quickstart option you choose below, `run-ee.sh` will be the way to start the necessary containers. There will be at most 3 containers (including the DB) for the system to be considered complete.
1. Set your license key:

## Quickstart Docker Compose Deployment Options
```bash
export PULUMI_LICENSE_KEY=<your-license-key>
```

The [Quickstart Docker Compose Installer](https://github.com/pulumi/pulumi-self-hosted-installers/tree/master/quickstart-docker-compose) is used to deploy a test system using Docker.
1. Start the stack:

### Option #1 - Using the all-in-one approach
```bash
./scripts/run-ee.sh -f ./all-in-one/docker-compose.yml
```

If you would like to use Pulumi’s all-in-one solution, you just need to run `run-ee.sh` like this: `run-ee.sh -f ./all-in-one/docker-compose.yml`. This will start all components using working defaults, including a DB container that is migrated using our DB scripts.
This starts every component with working defaults, including a MySQL container that is migrated automatically. Checkpoint data is stored under `$HOME/pulumi-self-hosted-installers/data` by default; override it with `PULUMI_DATA_PATH`.

{{% notes "info" %}}
Environment variables should be set in the `./all-in-one/docker-compose.yml` file.
{{% /notes %}}
1. Open the Console at [http://localhost:3000](http://localhost:3000) and create the first account. The first user to register becomes an administrator.

### Option #2 - Provide your own Database
1. Point the CLI at your instance and follow the prompt to create an access token:

The service is tested against a MySQL version 8.0 instance. It is assumed that you have a DB instance called `pulumi-db` running at port `3306` and accessible within a network called `pulumi-ee`.
```bash
pulumi login http://localhost:8080
```

{{% notes "info" %}}
You will need the `migrations` folder downloaded locally, which contains the DB scripts that need to be applied against your DB instance.
Your Pulumi sales contact should be able to provide you with this.
{{% /notes %}}
1. Verify the connection:

```bash
pulumi whoami
```

To stop the stack, press `Ctrl+C`, then remove the containers with `docker compose -f ./all-in-one/docker-compose.yml down`. Delete the data directory to discard evaluation state.

## Advanced configuration

The `run-ee.sh` script honors the following environment variables; unset variables fall back to working defaults:

- `PULUMI_DATA_PATH`: persistent path for checkpoint objects. Defaults to `$HOME/pulumi-self-hosted-installers/data`.
- `PULUMI_LOCAL_DATABASE_NAME`: the database hostname. Default is `pulumi-db`.
- `PULUMI_LOCAL_DATABASE_PORT`: the database port. Default is `3306`.

## Quickstart Docker Compose System Management and Maintenance
Other settings — identity providers, object storage, encryption keys — are configured in the `environment` blocks of `./all-in-one/docker-compose.yml`. See [Components](/docs/administration/self-hosting/components/) for the full set of variables each container accepts.

Since the quickstart option is meant to be used for testing purposes, there is no real maintenance or management needed other than perhaps updating the service containers with the latest versions.
### Bring your own database

### Updating the Pulumi Cloud Containers
To run against an existing MySQL 8.0 instance instead of the bundled database, start the service with the base `docker-compose.yml` and point it at a database reachable as `pulumi-db:3306` on the `pulumi-ee` network. This path requires the `migrations` folder to apply the schema; contact [sales@pulumi.com](mailto:sales@pulumi.com) to obtain it.

For testing purposes, it is recommended to use the `latest` image tag in the docker compose file and re-run the `run-ee.sh` script when there are newer versions of the service image pushed to docker hub.
## Updating

If you specified a specific image version in the docker compose file, then update the version tag and re-run the `run-ee.sh` script.
For evaluation, pin the `latest` image tag in the compose file and re-run `run-ee.sh` to pull newer service images. If you pinned a specific version, update the tag and re-run the script.
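Review bot: Step 4 of "Run the all-in-one stack" says the first user to register becomes an administrator, while the prerequisites reserve host ports `3000`, `8080`, `9200` and `5601` and the login steps use plain `http://localhost`. If the evaluation host is reachable from other machines, whoever opens the Console first gets the admin account. Suggest adding a line to the prerequisites or to step 4 telling readers to keep these ports unreachable from other machines (firewall or loopback-only binding) until the first account exists. Separately, in "Updating", "pin the `latest` image tag" is contradictory because `latest` moves; the removed text said "use", which reads correctly. The default for `PULUMI_DATA_PATH` also changes from `/tmp/pulumi-ee/data` in the removed text to `$HOME/pulumi-self-hosted-installers/data`; please confirm that matches `run-ee.sh`.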
85 changes: 85 additions & 0 deletions content/docs/administration/self-hosting/install/_index.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
---
title_tag: Install Self-Hosted Pulumi Cloud
meta_desc: Install self-hosted Pulumi Cloud on your platform — evaluate in minutes with Docker Compose, or deploy to production on AWS, Azure, Google Cloud, or Kubernetes.
title: Install
h1: Install Self-Hosted Pulumi Cloud
meta_image: /images/docs/meta-images/docs-meta.png
weight: 1
menu:
administration:
name: Install
parent: administration-self-hosting
weight: 0
identifier: administration-self-hosting-install
aliases:
- /self-hosted/install/
---

Run the full Pulumi Cloud platform in your own cloud account or data center. Start with the all-in-one Docker Compose stack to evaluate in about ten minutes, then choose a production deployment for your platform.

{{% notes "info" %}}
You can evaluate self-hosted Pulumi Cloud yourself — the Docker Compose stack below runs on your own machine in about ten minutes. You'll need an evaluation license key; [get one here](/product/self-hosted/#self-hosted-trial). For production, self-hosted Pulumi Cloud is available with the [Business Critical edition](/pricing/).
{{% /notes %}}

## Choose your platform

{{< chooser cloud "docker,kubernetes,aws,azure,gcp" >}}

{{% choosable cloud docker %}}

The all-in-one Docker Compose stack runs the API, Console, database, and search on a single host — the fastest way to try self-hosted Pulumi Cloud.

```bash
git clone https://github.com/pulumi/pulumi-self-hosted-installers.git
cd pulumi-self-hosted-installers/quickstart-docker-compose
export PULUMI_LICENSE_KEY=<your-license-key>
./scripts/run-ee.sh -f ./all-in-one/docker-compose.yml
```

Then open the Console at [http://localhost:3000](http://localhost:3000), create the first account, and run `pulumi login http://localhost:8080`.

See the [Docker Compose quickstart](/docs/administration/self-hosting/deployment-options/quickstart-docker-compose/) for prerequisites, first login, verification, and teardown.

{{% /choosable %}}

{{% choosable cloud kubernetes %}}

Deploy to your own Kubernetes cluster with MySQL and S3-compatible object storage. This is the most flexible production option and works in any environment, including air-gapped networks.

See [Bring your own infrastructure](/docs/administration/self-hosting/deployment-options/byo-infra-hosted/) for the Kubernetes deployment guide.

{{% /choosable %}}

{{% choosable cloud aws %}}

Deploy a production system on AWS. Two managed options are available:

- [Amazon EKS](/docs/administration/self-hosting/deployment-options/eks-hosted/) — Kubernetes-based, with RDS Aurora, S3, and CloudWatch.
- [Amazon ECS](/docs/administration/self-hosting/deployment-options/ecs-hosted/) — ECS and Fargate, with RDS Aurora, S3, and an Application Load Balancer.

{{% /choosable %}}

{{% choosable cloud azure %}}

Deploy a production system on [Azure Kubernetes Service](/docs/administration/self-hosting/deployment-options/aks-hosted/) with Azure Database for MySQL and Azure Blob Storage.

{{% /choosable %}}

{{% choosable cloud gcp %}}

Deploy a production system on [Google Kubernetes Engine](/docs/administration/self-hosting/deployment-options/gke-hosted/) with Cloud SQL for MySQL and Cloud Storage.

{{% /choosable %}}

{{< /chooser >}}

## Before you go to production

The deployment guides stand up a working system. Before you run production workloads, review the [Operations guide](/docs/administration/self-hosting/operations/) for high availability, backup and recovery, monitoring, sizing, and security hardening, and the [Network requirements](/docs/administration/self-hosting/network/) for ingress, egress, and air-gapped configurations.

## Next steps

- [Docker Compose quickstart](/docs/administration/self-hosting/deployment-options/quickstart-docker-compose/)
- [All deployment options](/docs/administration/self-hosting/deployment-options/)
- [Components and configuration](/docs/administration/self-hosting/components/)
- [Operations guide](/docs/administration/self-hosting/operations/)
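Review bot: In the Docker tab's code block, `export PULUMI_LICENSE_KEY=<your-license-key>` is not safe to paste as written: bash parses the unquoted `<` and `>` as redirections, the line fails with a syntax error, and the next line runs `run-ee.sh` with the variable unset. Suggest quoting the placeholder (`export PULUMI_LICENSE_KEY="<your-license-key>"`) or moving the export out of the block with a sentence telling the reader to substitute the key; the same line appears in step 2 of the quickstart page. The tab also sends readers to create the first account without the quickstart's note that the first registrant becomes an administrator, so consider placing the quickstart link before that sentence rather than after. Finally, "Before you go to production" links to `/docs/administration/self-hosting/operations/` and `/docs/administration/self-hosting/network/`, neither of which is among the files shown in this diff; please confirm both resolve.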
12 changes: 11 additions & 1 deletion content/docs/iac/comparisons/terraform/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -50,8 +50,9 @@ Terraform is an infrastructure as code tool created by HashiCorp (acquired by IB
| Modularity and reuse | [Component Resources](/docs/iac/concepts/components/) authored in any supported language; [Pulumi Packages](/docs/iac/concepts/packages/) let a component written in one language be consumed from any Pulumi language; language-native package managers (npm, PyPI, NuGet, Maven, Go modules); and the [Pulumi Registry](/registry/) for publicly available packages | [Terraform modules](https://developer.hashicorp.com/terraform/language/modules) (HCL) and the [Terraform Registry](https://registry.terraform.io/) for public modules |
| Import existing resources | [`pulumi import`](/docs/iac/guides/migration/import/) and the [`import` resource option](/docs/iac/concepts/resources/options/import/), both of which generate code in your language | [`terraform import`](https://developer.hashicorp.com/terraform/cli/commands/import) and [`import` blocks](https://developer.hashicorp.com/terraform/language/import); HCL must be hand-authored, though `terraform plan -generate-config-out` can emit a draft |
| Policy as code | [Pulumi Policies](/docs/insights/policy/) — open source, with rules written in Python, TypeScript, or Open Policy Agent Rego; Pulumi Cloud commercial plans add centralized policy management plus [Pulumi-maintained policy packs](/docs/insights/policy/policy-packs/pre-built-packs/) for compliance frameworks like CIS, HITRUST, NIST, and PCI DSS | [Sentinel](https://developer.hashicorp.com/sentinel) (proprietary, HCP Terraform / Enterprise only) and Open Policy Agent |
| Self-hosting and on-prem | [Self-hosted Pulumi Cloud](/product/self-hosted/) runs the entire platform — state, secrets, RBAC, policy, and deployments — in your own cloud account or data center, including air-gapped environments, with the same capabilities as the SaaS | [Terraform Enterprise](https://developer.hashicorp.com/terraform/enterprise) is HashiCorp's self-managed offering; Sentinel policy, run tasks, and no-code provisioning are gated to HCP Terraform and Enterprise tiers |
| Open source | Yes — [Apache License 2.0](https://github.com/pulumi/pulumi/blob/master/LICENSE) | No — [Business Source License 1.1](https://github.com/hashicorp/terraform/blob/main/LICENSE) |
| Commercial option | [Pulumi Cloud](/docs/iac/guides/basics/pulumi-cloud-vs-oss/) | HCP Terraform / Terraform Enterprise |
| Commercial option | [Pulumi Cloud](/docs/iac/guides/basics/pulumi-cloud-vs-oss/) — SaaS or [self-hosted](/product/self-hosted/) | HCP Terraform (SaaS) / Terraform Enterprise (self-managed) |

## Key differences

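Review bot: The new "Self-hosting and on-prem" row is not a like-for-like comparison. The Pulumi cell lists what the self-hosted platform covers, while the Terraform cell spends most of its length on which features are gated to HCP Terraform and Enterprise tiers, which is a licensing point rather than a self-hosting one. The Pulumi cell also leaves out that self-hosting requires the Business Critical edition, which the FAQ entry added later in this file states. Suggest describing both columns on the same axes (where it runs, air-gapped support, edition required).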
Expand All @@ -67,6 +68,10 @@ Both tools have large provider ecosystems. Pulumi can use any provider published

Both tools provide a CLI and a managed remote-run service: Pulumi Cloud Deployments for Pulumi, and HCP Terraform for Terraform. Pulumi additionally exposes the [Automation API](/docs/iac/concepts/automation-api/), a programmatic SDK that lets you drive `up`, `preview`, and `destroy` from inside another program — for example, to ship a CLI that wraps Pulumi, build a self-service portal for application teams, or orchestrate many stacks dynamically from a higher-level service. Terraform does not have a programmatic equivalent.

### Self-hosting and data control

Both platforms offer a self-managed deployment for teams that can't use SaaS. Terraform Enterprise is HashiCorp's self-managed product. [Self-hosted Pulumi Cloud](/product/self-hosted/) runs the complete platform — state, secrets, RBAC, policy enforcement, and deployments — inside your own cloud account or data center, including fully air-gapped networks with no egress to the public internet. Data lives in a database and object store you control, and you integrate your own identity provider (GitHub Enterprise, GitLab, SAML SSO, and others). The self-hosted edition tracks the same capabilities as the SaaS, so teams evaluate features once and choose the deployment topology that fits their compliance posture. See the [self-hosting docs](/docs/administration/self-hosting/) for deployment options across AWS, Azure, Google Cloud, Kubernetes, and Docker.

### Secrets handling

Pulumi treats secrets as a first-class primitive. Values marked as secrets are encrypted in transit and at rest in the state file, anything derived from a secret is also encrypted, and each stack has its own encryption key. The default encryption provider can be replaced with [AWS KMS, Azure Key Vault, Google Cloud KMS, or HashiCorp Vault](/docs/iac/concepts/secrets/#available-encryption-providers). Terraform does not encrypt sensitive values in its state file; the recommended approach is to integrate with HashiCorp Vault, which is a separate product. HCP Terraform encrypts state at rest, but values inside that state are still readable to anyone with access to the workspace.
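Review bot: The new "Self-hosting and data control" subsection sits under "Key differences" but opens with "Both platforms offer a self-managed deployment" and then gives Terraform Enterprise a single sentence with no stated difference. Either name the concrete difference the reader should take away or move this text out of the differences list. The claim that the self-hosted edition "tracks the same capabilities as the SaaS" is unqualified; if any feature lags or is unavailable when self-hosted, say so here, and mention the Business Critical requirement so this paragraph agrees with the FAQ entry.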
Expand Down Expand Up @@ -144,9 +149,14 @@ Yes. [Pulumi Cloud as a Terraform state backend](/docs/iac/get-started/terraform

[`pulumi refresh`](/docs/iac/cli/commands/pulumi_refresh/) compares the state file to the actual state in the cloud and reports differences, and `pulumi preview --diff` shows what would change on the next update. Pulumi Cloud commercial plans add [scheduled drift detection and remediation](/docs/deployments/deployments/drift/) that runs on a configurable cadence and can auto-remediate.

### Can I run Pulumi on-prem like Terraform Enterprise?

Yes. [Self-hosted Pulumi Cloud](/product/self-hosted/) runs the full platform in your own cloud account or data center, including air-gapped environments, with the same state, secrets, RBAC, policy, and deployment capabilities as the SaaS. It's available with the Business Critical edition; see the [self-hosting documentation](/docs/administration/self-hosting/) for deployment options and requirements.

## Next steps

- [Get started with Pulumi](/docs/iac/get-started/)
- [Migrating from Terraform Enterprise to self-hosted Pulumi Cloud](/docs/iac/comparisons/terraform/from-terraform-enterprise/)
- [Pulumi terms and command equivalents for Terraform users](/docs/iac/comparisons/terraform/terminology/)
- [Pulumi vs. OpenTofu](/docs/iac/comparisons/opentofu/)
- [OpenTofu vs. Terraform](/docs/iac/comparisons/terraform/opentofu/)
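Review bot: The "Next steps" list adds a link to `/docs/iac/comparisons/terraform/from-terraform-enterprise/`, but no file for that page appears in the changes shown here. Please confirm the page exists on the target branch or add it in this PR, otherwise the link will 404.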