Resource option: protect
The protect resource option marks a resource as protected. A protected resource cannot be deleted directly, and it will be an error to do a Pulumi deployment which tries to delete a protected resource for any reason.
To delete a protected resource, it must first be unprotected. There are two ways to unprotect a resource:
- Set
protect: falseand then runpulumi up - Use the
pulumi state unprotectcommand
Once the resource is unprotected, it can be deleted as part of a following update.
The default is to inherit this value from the parent resource, and false for resources without a parent.
let db = new Database("db", {}, { protect: true });
db = Database("db", opts=ResourceOptions(protect=True))
db, _ := NewDatabase(ctx, "db", &DatabaseArgs{}, pulumi.Protect(true))
var db = new Database("db", new DatabaseArgs(),
new CustomResourceOptions { Protect = true });
var db = new Database("db",
DatabaseArgs.Empty,
CustomResourceOptions.builder()
.protect(true)
.build());
resources:
db:
type: Database
options:
protect: true
Overriding inherited protection
Child resources inherit the protect option from their parent resource. When a parent resource has protect: true, all of its children are also protected by default. To allow a specific child resource to be deleted independently of its protected parent, explicitly set protect: false on that child.
The following example creates a protected parent resource alongside a child resource with protection explicitly disabled:
const parent = new MyResource("parent", {}, { protect: true });
const child = new MyResource("child", {}, { parent: parent, protect: false });
parent = MyResource("parent", opts=ResourceOptions(protect=True))
child = MyResource("child", opts=ResourceOptions(parent=parent, protect=False))
parent, _ := NewMyResource(ctx, "parent", &MyResourceArgs{}, pulumi.Protect(true))
child, _ := NewMyResource(ctx, "child", &MyResourceArgs{}, pulumi.Parent(parent), pulumi.Protect(false))
var parent = new MyResource("parent", new MyResourceArgs(),
new CustomResourceOptions { Protect = true });
var child = new MyResource("child", new MyResourceArgs(),
new CustomResourceOptions { Parent = parent, Protect = false });
var parent = new MyResource("parent",
MyResourceArgs.Empty,
CustomResourceOptions.builder()
.protect(true)
.build());
var child = new MyResource("child",
MyResourceArgs.Empty,
CustomResourceOptions.builder()
.parent(parent)
.protect(false)
.build());
resources:
parent:
type: MyResource
options:
protect: true
child:
type: MyResource
options:
parent: ${parent}
protect: false
Applying protection to all resources
There is no built-in configuration flag to mark every resource in a stack as protected. To apply protect: true to all resources in a stack, use stack transforms. A stack transform is a callback that the Pulumi engine invokes for every resource during deployment; it can inspect and modify resource options, including protect, before the resource is created or updated.
Thank you for your feedback!
If you have a question about how to use Pulumi, reach out in Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.