https://pulumi.com logo
#general
Title
# general
g

gray-yak-9058

04/09/2020, 4:06 PM
Hi all. I am working on a proof of concept of Pulumi to present to my team, but have a few questions. Let's assume I am going to use the Pulumi Service as a backend. 1. If I have a project with 3 stacks: sandbox, preprod, and prod. I want to allow anyone to run
pulumi up
on the sandbox and preprod stacks, but I want to lock down the prod stack so that only certain users can run
pulumi up
. Is this possible? 2. How does the Pulumi GitHub action work when it comes to multiple stacks? Does it cycle through all stacks within a project? I would like to be able to control when a
pulumi up
is run on a specific stack during CI/CD. While making infrastructure changes, I would obviously want to try it in the sandbox or preprod environments before making changes in production. Is this capable with the Pulumi GitHub action or do I need to look for another solution?
Further reading of the docs looks like I can control who has what actions on a per stack basis: https://www.pulumi.com/docs/intro/console/collaboration/stack-permissions/
g

green-morning-1318

04/09/2020, 4:44 PM
For #2, you can have different stacks for different branches: https://www.pulumi.com/docs/guides/continuous-delivery/github-actions/#branch-mappings This allows you to have a branch for staging, and use master for prod (or something else that fits your workflow better 😇)
g

gray-yak-9058

04/09/2020, 5:02 PM
Hmm.. that is definitely an option. The only issue I can foresee with that is we currently have a github repo per environment that includes kubernetes yamls. If I were to merge all of the yamls into one repo, the yamls for a preprod cluster would do absolutely nothing when they're merged to the production branch. I think the other option would be to stick with the github repo per environment and create many projects with 1 stack each. For example:
{my_org}/sandbox-{app_name}/sandbox
g

green-morning-1318

04/09/2020, 5:17 PM
Hmm that’s a good point, the other thing that could work (if I read the code for the Pulumi Actions correctly) is setting the stack variable. The GitHub Actions container executes this script (https://github.com/pulumi/pulumi/blob/master/dist/actions/entrypoint.sh) so it seems you could set the arg to
up --stack dev
which would update the dev stack
Small side note, I haven’t tried this with GH Actions I’ve only used CircleCI to do that (which seems to work quite similar)