Subha_26

Reputation: 450

Locking of Pulumi stacks

I am new to Pulumi. Is there any option to lock a particular stack in Pulumi to prevent accidental updates or deletion? I understand that RBAC is enforced to provide this functionality to only members with required permissions. However, I still want to prevent accidental changes to the stack even when the persons with all necessary permissions attempt to do it.

Upvotes: 0

Views: 1545

Answers (2)

mikus

Reputation: 3215

Another option to protect your stack from changes is to protect your resources. However, this only prevents their removal.

This is mostly useful if you want to ensure that your resources are not deleted by accident, e.g. by an update that would require them to be replaced, or by someone trying to destroy the wrong stack:

https://www.pulumi.com/docs/concepts/options/protect/

Still, if you want to make sure no changes are done at all, then unfortunately you'd need to deal with it at the identity level on the cloud side. Pulumi doesn't seem to offer such a fine-grained RBAC setup, unfortunately.

Also remember that such protection only comes from the Pulumi side. If you want to make sure that resources are safe, you can add stuff like locks in Azure.

Upvotes: 0

Piers Karsenbarg

Reputation: 3201

You're correct in that only members of teams with the correct permissions on stacks can update them or destroy them. There's no way to lock a stack.

What I would do is have a separate stack for your production deployment and then only give access to your CI/CD pipeline tool of choice so that no one else can do the update.

This is also why Pulumi has previews so that you can see what is being changed before you agree to the update.

Recently, Pulumi announced "Update Plans" (blog post announcing this: https://www.pulumi.com/blog/announcing-public-preview-update-plans/) that might help you out.

Upvotes: 1
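
The answers above lean on previews and a CI-only production stack; the following is an added example (not from either answer and not Pulumi's own code) of a pipeline gate that treats a stack as locked by failing when a preview contains any change. It assumes `pulumi preview --json` emits a top-level `steps` list whose entries carry `op` and `urn`; the function name, modes, and sample stack and resource names are constructed for illustration.

```python
import json
import sys

# Ops that remove or replace an existing resource (assumed step names).
DESTRUCTIVE_OPS = {"delete", "replace", "create-replacement", "delete-replaced"}

def violations(preview, mode="locked"):
    """Return (op, urn) for every planned step the policy forbids.

    mode="locked":     any step other than "same" is a violation.
    mode="no-destroy": only deletes and replacements are violations.
    """
    if mode not in ("locked", "no-destroy"):
        raise ValueError(f"unknown mode: {mode}")
    steps = preview.get("steps") if isinstance(preview, dict) else None
    if not isinstance(steps, list):
        # Fail closed: an unreadable preview must never pass the gate.
        raise ValueError("preview JSON has no 'steps' list")
    found = []
    for step in steps:
        op = step.get("op", "<missing>")
        if op == "same":
            continue
        if mode == "locked" or op in DESTRUCTIVE_OPS or op == "<missing>":
            found.append((op, step.get("urn", "<missing>")))
    return found

# Constructed sample, not real output: one unchanged, one updated, one replaced.
SAMPLE_PREVIEW = {
    "steps": [
        {"op": "same", "urn": "urn:pulumi:prod::app::pulumi:pulumi:Stack::app-prod"},
        {"op": "update", "urn": "urn:pulumi:prod::app::aws:s3/bucket:Bucket::assets"},
        {"op": "replace", "urn": "urn:pulumi:prod::app::aws:rds/instance:Instance::db"},
    ]
}

if __name__ == "__main__":
    # Usage: pulumi preview --json > preview.json && python gate.py preview.json locked
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            preview = json.load(fh)
    else:
        preview = SAMPLE_PREVIEW
    mode = sys.argv[2] if len(sys.argv) > 2 else "locked"
    bad = violations(preview, mode)
    for op, urn in bad:
        print(f"BLOCKED {op}: {urn}")
    sys.exit(1 if bad else 0)
```

A non-zero exit stops the pipeline before `pulumi up` runs; lifting the lock then becomes an explicit, reviewable change to the pipeline rather than a command someone with permissions types by accident.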
