# general
During a meeting with our engineers, one of them made the remark that there is no "plan file" like in terraform (I've seen that there is an experimental feature now in Pulumi that implements that). I never really thought about this and now I wonder what other people's opinions are about this.
Not sure exactly what you mean/what you want to use it for but there's
pulumi preview --save-plan=plan.json
for example
Then you can pass that file back in later to only do those updates
But maybe this is the 'experimental feature' you are talking about
I can see how it would be useful for e.g. a PR flow, where you could read the 'proposed' changes before approving/merging, but I think the current limitations might give a false sense of security because the diff at apply time may be slightly different. So I think it can be used for informational/nice to know purposes, but if you want to be really tight on changes for whatever (compliance? technical?) reasons, it might not give you all the guarantees you need
e.g. if you have an adversarial compliance model where you need to ensure a bad actor can't construct a plan that looks good but does something different, I don't think you could guarantee that
I agree. And while I always used "plan" files with Terraform (because..), I never really gave it much thought.
until now 🙂
Our CI/CD puts the plan/preview for each stack in comments on the PR - I couldn't tell you if this would make auditors happy (I am not one), but it is excellent for engineers. There is an edge case where the preview runs and the PR isn't merged until hours later - getting previews to expire is in our backlog