No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

When you run `pulumi update`, it does the comparison against what is stored on <http://pulumi.com|pulumi.com>. (i.e. the last time `pulumi update` was ran against that stack, which may have been from a different user.)

If changes to the infrastructure were made outside of Pulumi, it’s possible you can run into conflicts that would cause issues with the subsequent update.

You can run `pulumi refresh` which will “sync” the current state of cloud resources with what is stored on <http://Pulumi.com|Pulumi.com>. i.e. bring in any updates made manually. 

However, there isn’t a way to just answer the question “has a change been made outside of Pulumi.”

Is there a particular scenario you had in mind? It sounds like this is a feature we should consider adding.

I'm thinking of times where a quick manual change may  be needed in production, but then we want to bring that change back under version control. Or just catching bad practices in test environments. CloudFormation is planned to have a Drift Detection feature which sounds like it will be very useful, but no idea when it will be released

Note that `pulumi refresh` presents a preview prior to doing the refresh - so it will tell you what changes have been made in the target environment which are not represented in the current checkpoint.  As Chris notes, you can accept those and update the checkpoint to match the target cloud environment.  You would of course then need to decide what if any changes you want to make sense to the desired state represented in your Pulumi program, depending on whether you wanted to make those manual patches permanent, or wanted to intentionally overwrite them with another desired state.

okay, that sounds like it would be the equivalent. Not sure if it's possible yet, but I'd really like to enforce a process in the CD pipeline which says no deployments are allow to an environment if manual uncontrolled changes are detected

Absolutely - in fact, we are just about to add support for exactly that by using `refresh` with the `--expect-no-changes` flag, and failing CI if that doesn't pass.

See <https://github.com/pulumi/pulumi/pull/1394>.