Precise Resource Replacement with Pulumi State Taint
Sometimes infrastructure needs a clean slate: a VM with a corrupted disk, an expired certificate, or a stuck Kubernetes object. Pulumi CLI v3.192.0 introduces the pulumi state taint and pulumi state untaint commands, which let you mark resources for replacement. They are especially valuable when you have state access but restricted cloud permissions.
The New Commands
pulumi state taint <resource-urn> - Mark a resource for replacement
pulumi state untaint <resource-urn> - Cancel the replacement (use --all to untaint all resources)
Note: This provides the same functionality as pulumi up --replace <urn>, but lets you mark resources upfront and preview changes before the update. This can be preferred when the pulumi up happens later in CI/CD, where arranging for --replace flags would be tedious.
Why This Matters
The taint and untaint commands solve several infrastructure management challenges. For example, many organizations restrict direct cloud access to production environments, allowing changes only through CI/CD pipelines. In these cases, you can access Pulumi state but not cloud APIs directly—taint lets you mark problematic resources for replacement and let the next automated deployment handle the actual changes, no emergency access requests required.
Workflow
# 1. Find the resource URN
pulumi stack --show-urns
# 2. Mark for replacement
pulumi state taint urn:pulumi:production::webapp::aws:ec2/instance:Instance::web-server
# 3. Preview the changes
pulumi preview
# 4. Apply the replacement
pulumi up
# Optional: Cancel the taint
pulumi state untaint urn:pulumi:production::webapp::aws:ec2/instance:Instance::web-server
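Because a taint set by anyone with state access is acted on by the next pipeline run, a CI step can check the preview for replacements nobody approved. The following is an added example, not code from the original post or from Pulumi. It assumes the pipeline saves the output of pulumi preview --json and that each entry in its steps array carries op and urn fields; the function names, the approved-URN list and the sample data are constructed for illustration.

```python
import json

# Step ops treated as part of a replacement. Assumption: these are the op
# names that appear in the "steps" array of `pulumi preview --json`.
REPLACE_OPS = {"replace", "create-replacement", "delete-replaced"}


def parse_urn(urn):
    """Split urn:pulumi:<stack>::<project>::<type>::<name> into its parts."""
    prefix = "urn:pulumi:"
    if not urn.startswith(prefix):
        raise ValueError(f"not a Pulumi URN: {urn!r}")
    parts = urn[len(prefix):].split("::", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed URN: {urn!r}")
    stack, project, rtype, name = parts
    return {"stack": stack, "project": project, "type": rtype, "name": name}


def unapproved_replacements(preview_text, approved_urns):
    """Return sorted URNs the preview would replace that are not approved."""
    preview = json.loads(preview_text)
    replaced = {
        step["urn"]
        for step in preview.get("steps", [])
        if step.get("op") in REPLACE_OPS
    }
    return sorted(replaced - set(approved_urns))


# Constructed sample, trimmed to the fields the check reads.
WEB = "urn:pulumi:production::webapp::aws:ec2/instance:Instance::web-server"
DB = "urn:pulumi:production::webapp::aws:rds/instance:Instance::orders-db"
SAMPLE_PREVIEW = json.dumps({"steps": [
    {"op": "same", "urn": "urn:pulumi:production::webapp::aws:s3/bucket:Bucket::assets"},
    {"op": "replace", "urn": WEB},
    {"op": "replace", "urn": DB},
]})

if __name__ == "__main__":
    # Only the web server replacement was approved for this deployment.
    blocked = unapproved_replacements(SAMPLE_PREVIEW, approved_urns=[WEB])
    for urn in blocked:
        info = parse_urn(urn)
        print(f"unapproved replacement: {info['type']} {info['name']} ({info['stack']})")
    raise SystemExit(1 if blocked else 0)
```

Run between pulumi preview and pulumi up, a non-zero exit stops the deployment until the extra replacement is either approved or removed with pulumi state untaint.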
Get Started
Available now in Pulumi CLI v3.192.0. Try it in a development stack first to get familiar with the workflow.
This feature originated from feedback in issue #11657. See the v3.192.0 release notes for full details. Have feedback or ideas? Join the discussion in the Pulumi CLI repository.