Fixes: pulumi/pulumi-service#33815

Document and announce ESC deletion protection feature

Adds documentation for the deletion protection feature in Pulumi ESC
and a blog post announcing its availability.

The deletion protection feature prevents accidental deletion of
environments by requiring that protection be explicitly disabled before
deletion. This helps safeguard production environments and shared
configuration.

Changes:
- Add deletion protection documentation page in administration section
- Update administration index to include deletion protection
- Create blog post announcing the feature

Author: fnune

content/blog/esc-deletion-protection/index.md

@@ -0,0 +1,62 @@
+---
+title: "Deletion Protection for Pulumi ESC Environments"
+date: 2025-10-21T14:00:00-07:00
+draft: false
+meta_desc: "Prevent accidental deletion of critical environments with the new deletion protection feature for Pulumi ESC."
+meta_image: meta.png
+authors:
+    - fausto-nunez-alberro
+tags:
+    - esc
+    - features
+    - secrets
+---
+
+Pulumi ESC environments can now be protected from accidental deletion with a new deletion protection setting.
+<!--more-->
+
+Environments often contain configuration that supports production workloads or is shared across multiple stacks. Deleting these environments by mistake can disrupt services and require time-consuming recovery. Deletion protection provides a safeguard against these scenarios.
+
+## How it works
+
+When deletion protection is enabled for an environment, any attempt to delete it fails until protection is explicitly disabled. This applies to deletions from both the Pulumi Cloud console and the ESC CLI.
+
+Protected environments display a shield icon in the environment list and on stack pages where the environment is imported. The icon links directly to the deletion protection settings.
+
+## Managing deletion protection
+
+In the Pulumi Cloud console, navigate to your environment's settings to enable or disable deletion protection with a toggle.
+
+From the CLI, use the new `esc env settings` commands:
+
+```bash
+# Enable protection
+esc env settings set myorg/myproject/prod deletion-protected true
+
+# View current setting
+esc env settings get myorg/myproject/prod deletion-protected
+
+# Disable protection
+esc env settings set myorg/myproject/prod deletion-protected false
+```
+
+Attempting to delete a protected environment returns a clear error message with instructions.
+
+## When to use deletion protection
+
+Enable deletion protection for:
+
+- Production environments
+- Environments imported by multiple stacks
+- Environments shared across teams
+- Any environment containing configuration that should persist
+
+## Permissions
+
+Only environment admins can modify deletion protection settings. This ensures that protection cannot be removed without appropriate authorization.
+
+## Getting started
+
+Deletion protection is available now for all Pulumi ESC environments. Visit your environment settings or use the ESC CLI to enable it.
+
+For more information, see the [deletion protection documentation](/docs/esc/administration/deletion-protection/).

content/blog/esc-deletion-protection/meta.png

@@ -19,6 +19,7 @@ Learn how to configure organizations, monitor audit logs, bring your own encrypt
 - [Access tokens](/docs/administration/access-identity/access-tokens/): Securely authenticate and automate ESC operations.
 - [Audit logs](/docs/esc/administration/audit-logs/): Access and configure audit logs to track activities and ensure compliance.
 - [Approvals](/docs/esc/administration/approvals/): Require explicit review and sign-off before applying changes to ESC-managed environments.
+- [Deletion protection](/docs/esc/administration/deletion-protection/): Prevent accidental deletion of critical environments.
 - [Customer Managed Keys](/docs/esc/administration/customer-managed-keys/): Bring your own encryption keys for enhanced security and compliance.
 - [Access control](/docs/esc/administration/access-control/): Manage environment permissions with role-based access controls at the organization and team levels.
 - [OpenID Connect (OIDC)](/docs/administration/access-identity/oidc/): Integrate with trusted third-party identity providers to authenticate users.

content/docs/esc/administration/_index.md

@@ -0,0 +1,75 @@
+---
+title: Deletion protection
+title_tag: Deletion protection | Pulumi ESC
+h1: Deletion protection
+meta_desc: Prevent accidental deletion of critical environments with deletion protection.
+menu:
+  esc:
+    identifier: deletion-protection
+    parent: pulumi-esc-admin
+    weight: 5
+---
+
+Deletion protection prevents accidental deletion of environments containing sensitive configuration. When enabled for an environment, deletion attempts are blocked until protection is explicitly disabled.
+
+## Enabling deletion protection
+
+### In the Pulumi Cloud console
+
+Navigate to your environment's settings page and find the deletion protection tab. Toggle the setting to enable protection.
+
+When protection is enabled, the environment delete button is disabled and displays instructions for removing protection.
+
+### Using the ESC CLI
+
+Enable deletion protection using the `esc env settings set` command:
+
+```bash
+esc env settings set myorg/myproject/prod deletion-protected true
+```
+
+View the current protection status:
+
+```bash
+esc env settings get myorg/myproject/prod deletion-protected
+```
+
+View all environment settings:
+
+```bash
+esc env settings get myorg/myproject/prod
+```
+
+## Deleting protected environments
+
+Attempting to delete a protected environment returns an error:
+
+```bash
+$ esc env rm myorg/myproject/prod --yes
+error: deletion protection is enabled for this environment
+```
+
+To delete a protected environment, first disable protection:
+
+```bash
+esc env settings set myorg/myproject/prod deletion-protected false
+esc env rm myorg/myproject/prod
+```
+
+## Visual indicators
+
+Protected environments display an orange shield icon in the environment list and in stack overview pages where the environment is imported. The shield icon links to the deletion protection settings.
+
+## Permissions
+
+Only environment admins can modify deletion protection settings. This requires the `EnvironmentSettingsUpdate` permission.
+
+## Use cases
+
+Deletion protection helps prevent:
+
+- Accidental deletion of production environments
+- Removal of environments shared across multiple stacks
+- Loss of critical configuration during team transitions
+
+Enable deletion protection for environments that contain production secrets, are imported by multiple stacks, or represent stable configuration that should persist.

content/docs/esc/administration/deletion-protection.md

@@ -0,0 +1,3 @@
+id = "fausto-nunez-alberro"
+name = "Fausto Núñez Alberro"
+status = "active"