How to Protect Stax Workloads
Stax provides protection of both Workloads and the resources Workloads create. Be sure to specify the correct parameters to ensure your Workloads and their resources are appropriately protected.
By default, a Workload deployed using Stax, and the resources it creates, can be deleted by anyone with permission to do so. Stax provides two mechanisms: one protects the Workload itself within the Stax Console/API, and the other protects the resources the Workload deploys into your AWS Accounts. They can be used separately or together.
Protecting a Workload from Deletion
To prevent your Workload from being accidentally deleted, you can enable Workload Protection for the deployment. Workload Protection prevents deletion from either the API or the Stax Console.
Workload Protection is applied by setting the Protection attribute to True when deploying or updating a Workload using either the API or SDK.
Deploy a Workload with Protection Enabled
When deploying a Workload using the Python SDK or API, set the Protection property to True to enable protection on the deployed Workload.
Consider the following code sample:
import os

from staxapp.config import Config
from staxapp.openapi import StaxClient

# Read API credentials from the environment rather than hard-coding them
Config.access_key = os.getenv("STAX_ACCESS_KEY")
Config.secret_key = os.getenv("STAX_SECRET_KEY")

workloads = StaxClient("workloads")

# Protection=True enables Workload Protection on the new deployment
response = workloads.CreateWorkload(
    Name="my-workload-name",
    CatalogueId="f3070e95-7100-40d5-bc20-ea38924c9e80",
    AccountId="123456789876",
    Region="ap-southeast-2",
    Parameters=[],
    Tags={"costCentre": "it"},
    Protection=True,
)
print(response)
This will deploy the workload into the specified account and enable Protection. If an attempt to delete a protected Workload is made via the API or SDK, the following is returned within the response payload:
'Message': 'Workload 3b0ff08d-d531-4d57-b184-10902f183ff0 is Protected. Protection must be disabled before you can delete it.'
Any attempt to delete the Workload in the Stax Console will display an access denied error.
Disable Protection for a Workload
To disable Workload Protection for a workload using the Python SDK, use the UpdateWorkload function, specifying workload_id, CatalogueVersionId, and Protection.
import os

from staxapp.config import Config
from staxapp.openapi import StaxClient

# Read API credentials from the environment rather than hard-coding them
Config.access_key = os.getenv("STAX_ACCESS_KEY")
Config.secret_key = os.getenv("STAX_SECRET_KEY")

workloads = StaxClient("workloads")

# Protection=False removes Workload Protection so the Workload can be deleted
response = workloads.UpdateWorkload(
    workload_id=os.getenv("WORKLOAD_ID"),
    CatalogueVersionId=os.getenv("CATALOG_VERSION_ID"),
    Protection=False,
)
print(response)
Once Workload Protection is disabled for the workload, requests to delete it will succeed.
Protecting Workload Resources from Deletion or Modification
It is important to note that Workload Protection does not protect the CloudFormation stacks or resources within those CloudFormation stacks. To protect stack resources, you must define Stack Policies within your Workload manifest.
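A CloudFormation stack policy of the kind referred to above, with a small evaluator that confirms named resources cannot be replaced or deleted during a stack update. This is an added example, not Stax's own code or documentation: the policy, the logical IDs `ProdDatabase` and `WebServer`, and the helper functions are hypothetical, and how the policy is placed in the Workload manifest is not shown here. The evaluator handles only `Effect`, `Action`, `Principal` and `Resource`, and rejects statements that use any other key.

```python
import fnmatch
import json

# Constructed sample policy (an assumption, not taken from the Stax docs): allow
# routine updates, but deny replacement or deletion of a hypothetical database.
STACK_POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["Update:Replace", "Update:Delete"],
     "Principal": "*", "Resource": "LogicalResourceId/ProdDatabase"}
  ]
}
""")

SUPPORTED_KEYS = {"Effect", "Action", "Principal", "Resource"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action, logical_id):
    """True if the statement applies to this update action on this resource."""
    unsupported = set(statement) - SUPPORTED_KEYS
    if unsupported:
        # NotAction, NotResource and Condition change matching; refuse to guess.
        raise ValueError(f"unsupported statement keys: {sorted(unsupported)}")
    target = f"LogicalResourceId/{logical_id}"
    action_hit = any(fnmatch.fnmatchcase(action, a)
                     for a in _as_list(statement["Action"]))
    resource_hit = any(fnmatch.fnmatchcase(target, r)
                       for r in _as_list(statement["Resource"]))
    return action_hit and resource_hit


def is_update_allowed(policy, action, logical_id):
    """Explicit Deny wins; otherwise an Allow is required (default is deny)."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _matches(s, action, logical_id)}
    return "Deny" not in effects and "Allow" in effects


def unprotected(policy, logical_ids,
                actions=("Update:Replace", "Update:Delete")):
    """Return (resource, action) pairs the policy would still permit."""
    return [(r, a) for r in logical_ids for a in actions
            if is_update_allowed(policy, a, r)]
```

Running `unprotected()` over the logical IDs of your critical resources before deploying shows which of them the policy still leaves open to replacement or deletion.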
Best Practices
To most effectively protect your critical workloads against accidental deletion, Stax recommends using a combination of Workload Protection and Workload Resource Protection, so that both the Workload deployment and the resources within it are protected from deletion.