Hi Guys just been having an initial play with Pulumi and it

Question

Hi Guys just been having an initial play with Pulumi and it really like the idea so far I had a question when running pulumi update does this compare against the current infrastructure configuration or the snapshot of what Pulumi s view of the last deployment i e would it know if someone made a manual change to the infrastructure outside of Pulumi

colossal-beach-47527 · Answer

When you run `pulumi update` it does the comparison against what is stored on i e the last time `pulumi update` was ran against that stack which may have been from a different user If changes to the infrastructure were made outside of Pulumi it s possible you can run into conflicts that would cause issues with the subsequent update You can run `pulumi refresh` which will sync the current state of cloud resources with what is stored on i e bring in any updates made manually However there isn t a way to just answer the question has a change been made outside of Pulumi

colossal-beach-47527 · Answer

Is there a particular scenario you had in mind It sounds like this is a feature we should consider adding

loud-nest-15724 · Answer

I m thinking of times where a quick manual change may be needed in production but then we want to bring that change back under version control Or just catching bad practices in test environments CloudFormation is planned to have a Drift Detection feature which sounds like it will be very useful but no idea when it will be released

white-balloon-205 · Answer

Note that `pulumi refresh` presents a preview prior to doing the refresh so it will tell you what changes have been made in the target environment which are not represented in the current checkpoint As Chris notes you can accept those and update the checkpoint to match the target cloud environment You would of course then need to decide what if any changes you want to make sense to the desired state represented in your Pulumi program depending on whether you wanted to make those manual patches permanent or wanted to intentionally overwrite them with another desired state

loud-nest-15724 · Answer

okay that sounds like it would be the equivalent Not sure if it s possible yet but I d really like to enforce a process in the CD pipeline which says no deployments are allow to an environment if manual uncontrolled changes are detected

white-balloon-205 · Answer

Absolutely in fact we are just about to add support for exactly that by using `refresh` with the ` expect no changes` flag and failing CI if that doesn t pass See <https github com pulumi pulumi pull 1394>

loud-nest-15724 · Answer

that s awesome slightly smiling face