Open aureq opened 2 years ago
To clarify the request above, Pulumi already has fine-grained permissions as described here. RBAC allows setting the permissions for users.
The request above, however, allows for organizations to have an extra layer of protection for critical stacks. If the flag was to be added or removed from a stack or at an org level, this should also be noted in the audit log.
Hello!
Issue details
Currently, stacks can be deleted if the user has sufficient permissions, even if some resources remain in the stack, using the `--force` flag and even if there still are some protected resources. This is a potential risk for customers who manage their business critical workloads via Pulumi as they don't want to lose the state of their stack.

For stacks managed via the Pulumi service and similarly to the EC2 termination protection, a stack could not be deleted if stack termination protection is enabled (Updates should be allowed).

Either per stack or per organization, a toggle flag could be required as a separate CLI command to enable or disable the feature, as a way to avoid bundling options like `--force` on a single command.

- `pulumi stack rm`, the command would immediately fail.
- `pulumi up` or `pulumi pre`, a warning could be displayed to signal this stack is sensitive/protected.
- Each time the flag is changed for a stack or at an organization level, this should also be recorded in the organization audit log.

Affected area/feature
This is related to pulumi/pulumi#9172