I'd like to run

pulumi up

with

--yes-if-nothing-dangerous

which, of course, doesn't exist. The idea would be to act like

--yes

but only if there are no deletions or replacements. • are there any plans to add this sort of functionality? • has anyone come up with something that does this short of dumping preview/etc output and glorified

grep

ing it?

I think the idea has come up before but I can't find any issue tracking it with a quick search. You could raise one, I think it would probably be ok to add, we've wanted to add something to replace --expect-no-changes for a while (because that makes the change and then errors), so maybe a new set of flags for disallowing certain operations would make sense.

Is it possible? Adding stuff can be "dangerous", so how could Pulumi tell? If I add an NACL rule that denies all traffic, then prod goes down...

True, true. A better name wouldn't include 'dangerous', but perhaps something meaning 'new things only, no changes to existing things nor deletions'

I think the correct tool for this task is

pulumi preview

, especially when it's run by your build pipeline as part of your PR.

I'm sure I could parse the

pulumi preview

output, I was just hoping to not need to do so.