
loud-nest-15724

06/25/2018, 3:15 PM
Hi Guys, just been having an initial play with Pulumi, and I really like the idea so far. I had a question: when running `pulumi update`, does this compare against the current infrastructure configuration, or the snapshot of what Pulumi's view of the last deployment is, i.e. would it know if someone made a manual change to the infrastructure outside of Pulumi?

colossal-beach-47527

06/25/2018, 3:18 PM
When you run `pulumi update`, it does the comparison against what is stored on pulumi.com (i.e. the last time `pulumi update` was run against that stack, which may have been from a different user). If changes to the infrastructure were made outside of Pulumi, it’s possible you can run into conflicts that would cause issues with the subsequent update. You can run `pulumi refresh`, which will “sync” the current state of cloud resources with what is stored on Pulumi.com, i.e. bring in any updates made manually. However, there isn’t a way to just answer the question “has a change been made outside of Pulumi.”
Is there a particular scenario you had in mind? It sounds like this is a feature we should consider adding.

loud-nest-15724

06/25/2018, 3:22 PM
I'm thinking of times where a quick manual change may be needed in production, but then we want to bring that change back under version control. Or just catching bad practices in test environments. CloudFormation is planned to have a Drift Detection feature which sounds like it will be very useful, but no idea when it will be released.

white-balloon-205

06/25/2018, 3:25 PM
Note that `pulumi refresh` presents a preview prior to doing the refresh, so it will tell you what changes have been made in the target environment which are not represented in the current checkpoint. As Chris notes, you can accept those and update the checkpoint to match the target cloud environment. You would of course then need to decide what, if any, changes you want to make to the desired state represented in your Pulumi program, depending on whether you wanted to make those manual patches permanent, or wanted to intentionally overwrite them with another desired state.
👍 1

loud-nest-15724

06/25/2018, 3:31 PM
Okay, that sounds like it would be the equivalent. Not sure if it's possible yet, but I'd really like to enforce a process in the CD pipeline which says no deployments are allowed to an environment if manual uncontrolled changes are detected.

white-balloon-205

06/25/2018, 3:47 PM
Absolutely - in fact, we are just about to add support for exactly that by using `refresh` with the `--expect-no-changes` flag, and failing CI if that doesn't pass. See https://github.com/pulumi/pulumi/pull/1394.
👍 1

loud-nest-15724

06/25/2018, 4:11 PM
that's awesome 🙂