Hi, We run `pulumi up` in our CI whenever a PR mer...
# general
s
Hi, We run `pulumi up` in our CI whenever a PR merges and we use Pulumi GitHub action. I want to send notifications, let's say Slack messages, after certain resources change. What are my options? I've learned Automation API can be useful for this: replace `pulumi up` with custom code that looks at before and after state and sends a notification when certain resources change, but I'm afraid most people in my team are used to Pulumi CLI and they may run `pulumi up` on their local machines, which I cannot prevent. Is there any other way to run a hook after certain resources are changed?
l
I'd do that from the Cloud service, probably. AWS can detect changes and send messages to SQS queues, for example. Or have a lambda listening for CloudWatch events.
s
This Provider is not a cloud-based provider. It's pulumi-tls, which is backed by terraform-provider-tls. It provides TLS certificate resources, and once certificates expire, it automatically renews them. I need to manually store these certificates in another service which doesn't have pulumi integration. So, I need to somehow get notified when the provider renews the certificates.
l
You want to know if a TLS certificate has changed? Isn't that knowable without getting Pulumi involved? If the input parameters have changed, then the certificate has changed. If they haven't, then it hasn't.
s
Our CI runs `pulumi up` frequently. The input lists some options by which pulumi-tls generates certificates. Sometimes, the input - e.g. Pulumi config - is not changed, but the validation date of the certificate is passed. In that case pulumi-tls (actually terraform-provider-tls) renews the certificate on `pulumi up`.
l
Ok. Well, the options that I can think of are to put the hook in the cloud (the changed certificate gets deployed somewhere, right?) or else create a dynamic provider that is just a thin wrapper around the TLS provider, and does something else in the update method.