is it possible to add some custom validation to a ...
# general
m
is it possible to add some custom validation to a pulumi stack? I'd like to be able to hook into various points:
1. Run a function over all defined resources. I was able to do this by registering a custom transformer that does some validation, but it's a bit of a hack and when I try to throw an error from the transformer it causes the entire pulumi process to hang (I literally have to kill it in task manager...)
2. Run a function over a proposed update plan.
l
There's unit testing and integration testing options to ensure that code won't Do Bad Stuff (tm) in the future when it's run. Or policies to prevent deployment, which run during a deployment -- this sounds like what you've had a go at implementing.
I'm a fan of the unit testing + code review approach, but all are valid, and they can each complement the others.
m
It doesn't look like either of those achieve what I'm after:
• Policies have two types: the first runs on each resource individually, so can't enforce rules across the whole stack, the second runs across the whole stack but runs too late (after the deploy).
• Testing can detect problems across resources, but there doesn't seem to be a way to run the tests as a pre-deploy check?
• Neither option allows to validate the upgrade plan itself?
Although the property testing example seems to imply that StackValidationPolicies can run before the deploy as well? That seems to conflict with the policy docs
l
> Testing can detect problems across resources, but there doesn't seem to be a way to run the tests as a pre-deploy check?

You mean the if test fail then don't run `pulumi up` logic? Yes, that logic probably would have to be run elsewhere. Perhaps in your deployment pipeline?

> Neither option allows to validate the upgrade plan itself?

Pulumi doesn't consider an upgrade plan to be a first-class citizen. That was a design choice, years ago. They are now adding features to support that workflow for people who prefer it. I can't remember what functionality already exists, it's not something that works with my way of working.