A solution I've used on more than one occasion is to trigger a separate application based on an important change, and keep all the imperative logic in a single imperative solution.
For example, we trigger our app migration app any time our Pulumi program creates a new AMI. The app does things like send API calls (to the auth service to pause logins), kick off a database migration, archive and flush the app audit logs, restart the auth service and start the app in the new AMI. So we don't have to do any of those things directly from our Pulumi app.
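A sketch of such a migration runner, as an added example that is not the poster's code: it runs the steps listed above in order, once per AMI id, and resumes after the last completed step if a run fails. The step callables, the state file, the resume behaviour and the `ami-EXAMPLE1` id are assumptions; how the Pulumi program invokes the runner is not shown.

```python
import json
import tempfile
from pathlib import Path

# Step order as listed in the post; the callables behind these names are
# hypothetical stand-ins for the real API calls and service restarts.
STEP_ORDER = ["pause_logins", "migrate_database",
              "archive_and_flush_audit_logs", "restart_auth_service", "start_app"]

def run_migration(ami_id, steps, state_file):
    """Run each step once per AMI id; return the names of steps run this call."""
    state = json.loads(state_file.read_text()) if state_file.exists() else {}
    if state.get("ami_id") != ami_id:        # new AMI: start from the first step
        state = {"ami_id": ami_id, "done": []}
    ran = []
    for name in STEP_ORDER:
        if name in state["done"]:            # finished in an earlier run
            continue
        steps[name](ami_id)                  # an exception stops the run here
        state["done"].append(name)
        state_file.write_text(json.dumps(state))  # persist progress per step
        ran.append(name)
    return ran

def demo():
    """Constructed scenario: the database migration fails once, then succeeds."""
    calls = []
    failures = {"migrate_database": 1}
    def make(name):
        def step(ami_id):
            if failures.get(name, 0) > 0:
                failures[name] -= 1
                raise RuntimeError(f"simulated failure in {name}")
            calls.append(name)
        return step
    steps = {name: make(name) for name in STEP_ORDER}
    with tempfile.TemporaryDirectory() as tmp:
        state_file = Path(tmp) / "migration_state.json"
        try:
            run_migration("ami-EXAMPLE1", steps, state_file)
        except RuntimeError:
            pass                             # first trigger stops at the failed step
        resumed = run_migration("ami-EXAMPLE1", steps, state_file)
        repeat = run_migration("ami-EXAMPLE1", steps, state_file)
    return calls, resumed, repeat

if __name__ == "__main__":
    print(demo())
```

Because progress is keyed by AMI id, a repeated trigger for the same AMI does nothing, and a retry after a failure does not pause logins or flush the audit logs a second time.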