# general
a
Hi, what would your approach be to do something that has the following dependency:
• create a resource A
• create a resource B which depends on A
• use the output of B to update A
The resources above are all k8s resources, but they could also be AWS infrastructure specific.
m
Many Kubernetes resources can be patched, and Pulumi provides the necessary resources for that (e.g., PodPatch). In these cases, you create resource A, create resource B, and patch resource A with the information from resource B. What specific examples do you have in mind?
a
We have a base Kyverno policy to set environment variables on all the pods. We then create a deployment + a service and we want all the pods to have those environment variables. After this service is created, we want to patch the Kyverno policy with a new environment variable whose value is the service FQDN. While I agree the FQDN format is generally fixed (`<name>.<namespace>.svc.cluster.local`), we want to structure our IaC so as to not have global logic around naming and rather expect sub-components to expose this information in their objects.
m
I'm not familiar with Kyverno, so I can't speak to that. You can update existing deployments via DeploymentPatch, so you could create the original deployments, create the service, and patch the deployments to update their container's environment variables. Depending on what your code looks like and how dynamic/complex it is, something like the following can work as well:
```python
import pulumi
import pulumi_kubernetes as k8s

service_name = "my-service"  # define a 'programming-language-native' variable (or config value)
service_namespace = k8s.core.v1.Namespace(...)

# `some.Policy` is a placeholder for the policy resource type
policy = some.Policy(
    "my-policy-resource",
    # use variable to assemble the FQDN
    env_vars={"SERVICE_HOST": pulumi.Output.concat(service_name, ".", service_namespace.metadata.name, ".svc.cluster.local")},
    # ...
)

deployment = k8s.apps.v1.Deployment(
    "my-deployment-resource",
    # reference policy here
    # ...
)

service = k8s.core.v1.Service(
    "my-service-resource",
    # use variable to set service name
    metadata=k8s.meta.v1.ObjectMetaArgs(name=service_name, namespace=service_namespace.metadata.name),
    # ...
)
```
Curious to see if there are other/better patterns for this 🙂
m
If your resources don't support patching (which would be the best way), then the way I have dealt with this in the past is to call the REST API of resource A directly to patch it. It's not as nice as using Pulumi, but you can do it in the same code as your Pulumi deployment and make it depend on A and B using the Apply functionality. This is the benefit of using actual code for Pulumi.