https://pulumi.com logo
Title
t

thousands-hairdresser-72380

03/10/2022, 2:33 PM
How can one ensure that the
[org]/prod
stack for a project never gets deleted (or has some relatively difficult guard against it)?
b

billowy-army-68599

03/10/2022, 3:02 PM
@thousands-hairdresser-72380 - you can protect the resources in the stack, is that what you're referring to?
t

thousands-hairdresser-72380

03/10/2022, 3:11 PM
If that were the case, that would look like adding
{ protect: stack === 'prod' }
to every resource we create, right? And that would prevent its deletion (but not modification?) But for ECS `TaskDefinition`s which are deleted on each update of the app, we couldn’t add protected there. Which, if someone did run
pulumi destroy
, it would destroy those (which is still very bad as the app would be down) The only other solution I could think of here was using the automation api as a layer to abort if someone is attempting to modify prod locally (not from CI). I’ve just found that masking functionality with the automation API provides a slightly less intuitive interface to working with a Pulumi project (especially for developers who are less familiar with Pulumi).
b

billowy-army-68599

03/10/2022, 3:15 PM
you can easily wrap the automation API into a command line tool which becomes a much more useful interface than any other IaC tool 😄
❤️ 1
t

thousands-hairdresser-72380

03/10/2022, 3:17 PM
Cool! So would my assumptions around `protect`ing be correct? And in that way, it would likely be best just to use the automation API (without using the
protect
property) and in the start have some sort of condition:
if(stack === 'prod' && weAreNotInCIorSuperSure()) {
  throw new Error('Updating prod outside of CI is not supported!')
}
b

billowy-army-68599

03/10/2022, 3:18 PM
yeah don't use the protect property for this, I wasn't aware you only wanted to protect the "prod" stack
I think it's fair to want to protect an entire stack, I'm going to file a feature request for that
looks like Aurel got in ahead of me: https://github.com/pulumi/pulumi/issues/9172
t

thousands-hairdresser-72380

03/10/2022, 3:40 PM
Woohoo! Thank you so much! I greatly appreciate your immediate response and action! Have a great day!