Protecting Stax Workloads

Stax provides protection of both Workloads and the resources Workloads create. Be sure to specify the correct parameters to ensure your Workloads and their resources are appropriately protected

Article Tags
On This Page
Protecting a Workload from DeletionProtecting Workload Resources from Deletion/ModificationBest PracticesSee also

By default, when deploying Workloads using Stax, your Workload and its resources can be deleted by anyone with permission to do so. Stax provides two mechanisms by which to protect either the Workload itself within the Stax Customer Console/API, and/or the resources the Workload deploys into your AWS Accounts.

Protecting a Workload from Deletion

To prevent your Workload from being accidentally deactivated, you can enable Workload Protection for the deployment. Workload Protection prevents against deletion from either the API or the Stax Console.

Workload Protection is applied by setting the Protection attribute to True when deploying or updating a Workload using either the API or SDK.

Deploy a Workload with Protection Enabled

Set Protection to True when using the Python SDK:

import os
from staxapp.config import Config
from staxapp.openapi import StaxClient

Config.access_key = os.getenv("STAX_ACCESS_KEY")
Config.secret_key = os.getenv("STAX_SECRET_KEY")

workloads = StaxClient("workloads")
response = workloads.CreateWorkload(
  Name="my-workload-name",
  CatalogueId="f3070e95-7100-40d5-bc20-ea38924c9e80",
  AccountId="123456789876",
  Region="ap-southeast-2",
  Parameters=[],
  Tags={"costCentre": "it"},
  Protection=True
)
print(response)

This will deploy the workload into the specified account and enable Protection. If an attempt to delete a protected Workload is made via the API or SDK, the following is returned within the response payload:

'Message': 'Workload 3b0ff08d-d531-4d57-b184-10902f183ff0 is Protected. Protection must be disabled before you can delete it.'

Any attempt to deactivate the Workload in the Stax Customer Console will display an access denied error:

Access Denied Deleting Workload

Disable Protection for a Workload

To disable Workload Protection for a workload using the Python SDK, use the UpdateWorkload function, specifying workload_id, CatalogueVersionId, and Protection.

import os
from staxapp.config import Config
from staxapp.openapi import StaxClient

Config.access_key = os.getenv("STAX_ACCESS_KEY")
Config.secret_key = os.getenv("STAX_SECRET_KEY")

workloads = StaxClient("workloads")
response = workloads.UpdateWorkload(
  workload_id = os.getenv("WORKLOAD_ID"),
  CatalogueVersionId = os.getenv("CATALOG_VERSION_ID"),
  Protection=False
)
print(response)

Once Workload Protection is disabled for the workload, requests to delete it will succeed.

Protecting Workload Resources from Deletion/Modification

It is vital to note that Workload Protection does not protect the CloudFormation stacks or resources within those CloudFormation stacks. To protect stack resources, you must define Stack Policies within your Workload manifest.

Best Practices

To most effectively protect your critical workloads against accidental deletion, Stax recommends using a combination of Workload Protection and Workload Resource Protection to protect both the Workload deployment and the resources within from deletion.

See also