I have a question, I am using C# with Azure Native and I am creating a key vault and secrets. I create my key vault var vault = new Vault(vaultName, new() { VaultName = vaultName, ResourceGroupName = resourceGroup.Name, Properties = new Pulumi.AzureNative.KeyVault.Inputs.VaultPropertiesArgs { //removed }, EnableSoftDelete = false, EnabledForDeployment = true, EnabledForDiskEncryption = true, EnabledForTemplateDeployment = true, Sku = new Pulumi.AzureNative.KeyVault.Inputs.SkuArgs { Family = "A", Name = Pulumi.AzureNative.KeyVault.SkuName.Standard, }, TenantId = identity.TenantId, }, }); and secrets like var newSecret = new Secret(Name, new() { ResourceGroupName = resourceGroup.Name, VaultName = keyVault.Name, SecretName = Name, Properties = new Pulumi.AzureNative.KeyVault.Inputs.SecretPropertiesArgs { // Only provide the value during an actual deployment. // This prevents updating the secret during a pulumi preview. Value = "SECRET VALUE", }, }, new CustomResourceOptions { DependsOn = keyVault, IgnoreChanges = { "Properties" } }); Everytime I run pulumi up it overrides the values in my keyvault, even thought I have ingore changes on. Anyone know why?? My goal here is to have Pulumi create the key vault and the secrets, and then we will go in manually to the keyvault and update the secrest with the real secret values, we only want Pulumi to create the outline of the secrets and a placeholder value Anyone know what I am doing wrong?

Maybe try something like this?

}, new CustomResourceOptions { DependsOn = keyVault, IgnoreChanges = { "properties.value" } });

I found this that answered my question https://github.com/pulumi/pulumi-azure-native/issues/1280#issuecomment-964139979

gotcha, so refresh before pulumi up and it’ll take your value. makes sense

Sorta - the second you make any changes to your resources in azure portal (or anywhere outside of code) the IngoreChanges flag doesnt work. It will only continue to ingorechanges for anything code via code.