`pulumi preview` always fails when protected resources are removed from the code, e.g.:
```
$ pulumi preview
Previewing update (dev):
Type Name Plan Info
pulumi:pulumi:Stack infra-dev 1 error
- ├─ …
- └─ aws:iam:Role myRole delete 1 error
Diagnostics:
pulumi:pulumi:Stack (infra-dev):
error: preview failed
aws:iam:Role (myRole):
error: Preview failed: resource "urn:pulumi:dev::infra::aws:iam/role:Role::myRole" cannot be deleted
because it is protected. To unprotect the resource, either remove the `protect` flag from the resource in your Pulumi program and run `pulumi up`, or use the command:
`pulumi state unprotect 'urn:pulumi:dev::infra::aws:iam/role:Role::myRole'`
```
While protection is cool and all during update, this is a pain in CI/CD pipelines or when I only need to check the effects of my changes without impacting the current state.
I cannot currently find a way to ignore the protection and still execute the preview.
I would like to be able to preview changes even when resources are protected, maybe with a dedicated option and an information message by the protected resource side, e.g.:
```
$ pulumi preview --warn-protected
Previewing update (dev):
Type Name Plan Info
pulumi:pulumi:Stack infra-dev 1 warning
- ├─ …
- └─ aws:iam:Role myRole delete [protected]
Diagnostics:
aws:iam:Role (myRole):
warning: resource "urn:pulumi:dev::infra::aws:iam/role:Role::myRole" cannot be deleted
because it is protected. To unprotect the resource, either remove the `protect` flag from the resource in your Pulumi program and run `pulumi up`, or use the command:
`pulumi state unprotect 'urn:pulumi:dev::infra::aws:iam/role:Role::myRole'`
Resources:
- 4 to delete
473 unchanged
```
Affected feature
Would it be possible to equip the preview command with an option to only warn about protected resources and not fail?
This in my opinion should be the default behavior, but even just the ability to not fail on preview would help a lot.