Hi all. I am working on a proof of concept of Pulumi to present to my team, but have a few questions. Let's assume I am going to use the Pulumi Service as a backend. 1. If I have a project with 3 stacks: sandbox, preprod, and prod. I want to allow anyone to run

pulumi up

on the sandbox and preprod stacks, but I want to lock down the prod stack so that only certain users can run

pulumi up

. Is this possible? 2. How does the Pulumi GitHub action work when it comes to multiple stacks? Does it cycle through all stacks within a project? I would like to be able to control when a

pulumi up

is run on a specific stack during CI/CD. While making infrastructure changes, I would obviously want to try it in the sandbox or preprod environments before making changes in production. Is this capable with the Pulumi GitHub action or do I need to look for another solution?

For #2, you can have different stacks for different branches: https://www.pulumi.com/docs/guides/continuous-delivery/github-actions/#branch-mappings This allows you to have a branch for staging, and use master for prod (or something else that fits your workflow better 😇)

Hmm.. that is definitely an option. The only issue I can foresee with that is we currently have a github repo per environment that includes kubernetes yamls. If I were to merge all of the yamls into one repo, the yamls for a preprod cluster would do absolutely nothing when they're merged to the production branch. I think the other option would be to stick with the github repo per environment and create many projects with 1 stack each. For example:

{my_org}/sandbox-{app_name}/sandbox

Hmm that’s a good point, the other thing that could work (if I read the code for the Pulumi Actions correctly) is setting the stack variable. The GitHub Actions container executes this script (https://github.com/pulumi/pulumi/blob/master/dist/actions/entrypoint.sh) so it seems you could set the arg to

up --stack dev

which would update the dev stack