Is this typo of error detectable during

pulumi preview

? We didn't get an error during

preview

for a new Route 53 record. But it failed during

up

* creating Route 53 Record: InvalidChangeBatch: [Invalid Resource Record: 'FATAL problem: InvalidCharacterString (Value should be enclosed in quotation marks) encountered with '""xxxxxxxx-domain-verification=xxxxxxxx""'']
    	status code: 400, request id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

It's a valid error and the root cause is similar to this. Not sure if this is something Pulumi (or perhaps any IaC) able to capture earlier?

You can detect it using Pulumi policies (https://www.pulumi.com/docs/using-pulumi/crossguard/) or by associating your own logic with your Route53 records - maybe using a builder or factory, or a wrapping resource with a proxy setter that includes extra validation, or anything along those lines.

Thanks Paul! It may solve this particular Route53 Record issue, but not others. There may be other ways that causes an invalid aws api call

Yes, always. Some of them are completely undetectable to Pulumi even with the most strict checks. S3 bucket names have to be globally unique: there's no way to check without actually attempting to create an S3 bucket (as far as I know).