# azure
r
Hi, can anyone confirm what sort of config drift detection is in place for Pulumi? I have a case where I'm doing Azure policies with Pulumi; some policy assignments have been deleted outside of Pulumi, but Pulumi is not detecting anything amiss. My expectation was that when `pulumi up` is run it would detect that some policy assignments are no longer present and replace them. But in practice it thinks they are still present and that no changes need to be made. I ran a destroy and up again and it recreated everything. Then I intentionally deleted all the policy assignments and reran `pulumi up`, and again it showed no changes being required. Is there something I'm missing here, or is there something I'm missing in my code?
b
@rhythmic-receptionist-62263 Pulumi doesn't refresh the provisioned resource by default. You need to run `pulumi up -r`
r
Ah thanks, is there a reason why a user that wants to run this on a schedule wouldn't want to have the refresh parameter specified?
b
nope, it's just slightly quicker without refresh 🙂 you can configure refresh to run per stack in the config file as well, in Pulumi.yaml:
options:
  refresh: always
r
ah awesome, thanks @billowy-army-68599, didn't realise there was a config item for that.
i
here's a GitHub Action that someone on here shared with me a while back that I've been using for months:
name: cron_azure_drift_pulumi_REDACTED

on:
  schedule:
    - cron: '0 0 * * 1'
  workflow_dispatch:

env:
  DOTNET_VERSION: '7.0.x'
  azure-creds: ${{ secrets.AZURE_CREDENTIALS_REDACTED }}
  stack: REDACTED

jobs:
  drift-check:
    name: Drift Check
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2

      # Log in to Azure
      - uses: azure/login@v1
        with:
          creds: ${{ env.azure-creds }}

      - uses: actions/setup-dotnet@v1
        with:
          dotnet-version: 7.x
      - name: Setup Pulumi CLI
        uses: pulumi/setup-pulumi@v2.0.0

      - name: Detect drift
        id: pulumi-drift
        working-directory: REDACTED
        shell: bash {0}
        env:
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
        run: |
          out=$(pulumi preview -v=0 --refresh --diff --expect-no-changes --stack "REDACTED/${{ env.stack }}")
          # $? here is the exit status of the preview inside $(...); the trailing newline keeps
          # later appends to GITHUB_OUTPUT from running onto the EOF line
          printf 'status=%s\noutput<<EOF\n%s\nEOF\n' $? "$out" >> "$GITHUB_OUTPUT"

      - name: Create Issue on Drift
        # --expect-no-changes makes the preview exit non-zero for any proposed change
        # (create, update or delete), so use the exit status rather than matching
        # 'to update' alone, which misses resources deleted outside Pulumi; a preview
        # that fails for other reasons (e.g. expired credentials) also lands here
        if: ${{ steps.pulumi-drift.outputs.status != '0' }}
        uses: dacbd/create-issue-action@main
        with:
          token: ${{ github.token }}
          title: Drift Detected in `${{ env.stack }}`
          body: |
            ### Configuration Drift was Detected in `${{ env.stack }}`
            - [Failed Run](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
            - [Codebase](https://github.com/${{ github.repository }}/tree/${{ github.sha }})
            ### Details
            ```
            ${{ steps.pulumi-drift.outputs.output }}
            ```
          assignees: REDACTED
          labels: REDACTED

      # Log out of Azure
      - name: logout
        run: az logout