Prevent Deletion of Critical AI Infrastructure Components

Question

Pulumi · Accepted Answer

To prevent the accidental deletion of critical AI infrastructure components, we can use resource protection features provided by cloud providers. For example, in Azure, we can use resource locks, specifically `ManagementLockByScope` to lock a subscription, resource group, or resource to prevent its deletion.

Here's a Pulumi program in Python that demonstrates how you can create a `CanNotDelete` lock on a resource group in Azure. This lock will ensure that the resource group cannot be accidentally deleted. You will need to have the Azure Pulumi provider set up and configured with appropriate credentials.

```python
import pulumi
import pulumi_azure_native as azure_native

# Replace these variables with your specific resource group and lock details.
resource_group_name = "your_resource_group_name"
lock_name = "cannot_delete_lock"

# Instantiate the Azure Resource Group to be protected.
resource_group = azure_native.resources.ResourceGroup(resource_group_name)

# Apply a CanNotDelete lock to the resource group to prevent accidental deletion.
lock = azure_native.authorization.ManagementLockByScope("lockProtection",
    lock_name=lock_name,
    scope=resource_group.id,
    level="CanNotDelete"  # This level prevents deletion of the locked resource.
)

# Export the lock's ID to reveal the lock status in the pulumi stack output.
pulumi.export('lock_id', lock.id)
```

What we are doing with this program:

1. We import the necessary Pulumi libraries for working with Azure (`pulumi_azure_native`).
2. We set up variables with the names of the resource group and the lock we want to create.
3. We instantiate the resource group using `ResourceGroup` which gets its name assigned.
4. We then create a `ManagementLockByScope`, which takes several parameters:
    - `lock_name`: The name of the lock.
    - `scope`: The ID of the resource to lock, which we get from the `resource_group` object.
    - `level`: The level of lock. Setting it to `"CanNotDelete"` will prevent the resource from being deleted.
5. We export the ID of the lock, allowing us to track it from the Pulumi stack outputs.

Run this program using the Pulumi CLI by navigating to the directory containing the Python file and executing the `pulumi up` command. Pulumi will take care of communicating with Azure to set up the lock. Once the program is applied, your resource group will be protected against accidental deletion. Remember, to delete the lock or the resource in the future, you must explicitly remove the lock first.