Resource option: protect
The protect resource option marks a resource as protected. A protected resource cannot be deleted directly, and it will be an error to do a Pulumi deployment which tries to delete a protected resource for any reason.
protect resource option applies to both custom resources and component resources. It is defined on the base resource-options type in every Pulumi SDK. Setting protect: true on a component propagates protect: true to every child custom resource. The engine refuses to delete any protected resource in the subtree until the flag is removed (or the resource is unprotected with pulumi state unprotect).To delete a protected resource, it must first be unprotected. There are two ways to unprotect a resource:
- Set
protect: falseand then runpulumi up - Use the
pulumi state unprotectcommand
Once the resource is unprotected, it can be deleted as part of a following update.
The default is to inherit this value from the parent resource, and false for resources without a parent.
let db = new Database("db", {}, { protect: true });
db = Database("db", opts=ResourceOptions(protect=True))
db, _ := NewDatabase(ctx, "db", &DatabaseArgs{}, pulumi.Protect(true))
var db = new Database("db", new DatabaseArgs(),
new CustomResourceOptions { Protect = true });
var db = new Database("db",
DatabaseArgs.Empty,
CustomResourceOptions.builder()
.protect(true)
.build());
resources:
db:
type: Database
options:
protect: true
Overriding inherited protection
Child resources inherit the protect option from their parent resource. When a parent resource has protect: true, all of its children are also protected by default. To allow a specific child resource to be deleted independently of its protected parent, explicitly set protect: false on that child.
The following example creates a protected parent resource alongside a child resource with protection explicitly disabled:
const parent = new MyResource("parent", {}, { protect: true });
const child = new MyResource("child", {}, { parent: parent, protect: false });
parent = MyResource("parent", opts=ResourceOptions(protect=True))
child = MyResource("child", opts=ResourceOptions(parent=parent, protect=False))
parent, _ := NewMyResource(ctx, "parent", &MyResourceArgs{}, pulumi.Protect(true))
child, _ := NewMyResource(ctx, "child", &MyResourceArgs{}, pulumi.Parent(parent), pulumi.Protect(false))
var parent = new MyResource("parent", new MyResourceArgs(),
new CustomResourceOptions { Protect = true });
var child = new MyResource("child", new MyResourceArgs(),
new CustomResourceOptions { Parent = parent, Protect = false });
var parent = new MyResource("parent",
MyResourceArgs.Empty,
CustomResourceOptions.builder()
.protect(true)
.build());
var child = new MyResource("child",
MyResourceArgs.Empty,
CustomResourceOptions.builder()
.parent(parent)
.protect(false)
.build());
resources:
parent:
type: MyResource
options:
protect: true
child:
type: MyResource
options:
parent: ${parent}
protect: false
Applying protection to all resources
There is no built-in configuration flag to mark every resource in a stack as protected. To apply protect: true to all resources in a stack, use stack transforms. A stack transform is a callback that the Pulumi engine invokes for every resource during deployment; it can inspect and modify resource options, including protect, before the resource is created or updated.
Thank you for your feedback!
If you have a question about how to use Pulumi, reach out in Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.