How can one ensure that the `[org]/prod` stack for...
# general
How can one ensure that the
stack for a project never gets deleted (or has some relatively difficult guard against it)?
@thousands-hairdresser-72380 - you can protect the resources in the stack, is that what you're referring to?
If that were the case, that would look like adding
{ protect: stack === 'prod' }
to every resource we create, right? And that would prevent its deletion (but not modification?) But for ECS `TaskDefinition`s which are deleted on each update of the app, we couldn’t add protected there. Which, if someone did run
pulumi destroy
, it would destroy those (which is still very bad as the app would be down) The only other solution I could think of here was using the automation api as a layer to abort if someone is attempting to modify prod locally (not from CI). I’ve just found that masking functionality with the automation API provides a slightly less intuitive interface to working with a Pulumi project (especially for developers who are less familiar with Pulumi).
you can easily wrap the automation API into a command line tool which becomes a much more useful interface than any other IaC tool 😄
❤️ 1
Cool! So would my assumptions around `protect`ing be correct? And in that way, it would likely be best just to use the automation API (without using the
property) and in the start have some sort of condition:
Copy code
if(stack === 'prod' && weAreNotInCIorSuperSure()) {
  throw new Error('Updating prod outside of CI is not supported!')
yeah don't use the protect property for this, I wasn't aware you only wanted to protect the "prod" stack
I think it's fair to want to protect an entire stack, I'm going to file a feature request for that
looks like Aurel got in ahead of me:
Woohoo! Thank you so much! I greatly appreciate your immediate response and action! Have a great day!