I feel like I'm abusing the

command.local.Command

resource a lot, eg. writing files, setting key values in Redis, interacting with REST endpoints. I'm probably doing it all wrong but I'm not sure -- could this be a symptom of a bad practice?

Sometimes this is necessary, but in general you want to try to avoid imperative operations whenever you can. This is really one of those things, though, where sometimes you have to in order to make things work.

A solution I've used on more than one occasion is to trigger a separate application based on an important change, and keep all the imperative logic in a single imperative solution. For example, we trigger our app migration app any time our Pulumi program creates a new AMI. The app does things like send API calls (to the auth service to pause logins), kick off a database migration, archives and flushes the app audit logs, restarts the auth service and starts the app in the new AMI. So we don't have to do any of those things directly from our Pulumi app.