I have a question and hoping some of you can help....
# general
I have a question and hoping some of you can help. I have a pulumi code that creates a bunch of resources like aws role and k8s secrets. Now, if i offline modify the role manually i.e maybe change some policy, pulumi reconciles this. Same with secrets, if a key or a value changes, pulumi reverts it back to the original state. Is this expected? The reason I am not sure is that when i manually test on a smaller code, i could not reproduce this. Is this controlled by some property? any help would be appreciated.
Pulumi is desired state configuration. If you change the state, Pulumi will change it back (if it detects the change). This is intentional and correct. If you have a different use-case, you can un-manage a resource (kick if out of Pulumi state), or (preferred) make the change in Pulumi and re-deploy.
Generally, the recommendation is to use code (version controlled, audited, backed-up, etc.) as your single point of truth, and to forbid all non-code changes to managed resources. The best way to do this is to ensure that no one has access to your managed resources: delete all users, etc.
@early-minister-86776 in case you never worked out why some out of band modifications got reconciled by pulumi and some didn't, it's possible you just happened to change something that isn't monitored by pulumi. There are a few properties which either the AWS api or pulumi don't include yet, could be that you by chance stumbled on one of them. Therefore since Pulumi doesn't know about the particular attribute you changed, it wouldn't change it back. Another possible explanation could be you mistakenly modified a resource that wasn't a Pulumi managed resource, therefore the change wasn't noticed by Pulumi. I've done this before by deploying to one region, then changing to another region and without noticing and making some changes, then wondering why Pulumi didn't notice