I am trying to manage gcp.compute.ManagedSslCertif...
# general
r
I am trying to manage gcp.compute.ManagedSslCertificate in Pulumi. For some reason, Pulumi insists on delete+replace on it. I DO NOT WANT THIS. If I add an import for it, it still wants to replace it saying the diff is "~__defaults". Okay so I set that in ignoreChanges and it still wants to replace this. Replacing that certificate is very slow on GCP and would cause downtime. How do I get Pulumi to cooperate?
m
So you created a certificate in a Pulumi stack and now when you deploy the stack a second time it tries to replace the certificate even though you made no changes to it?
r
The certificate was created outside of Pulumi but imported into the stack
m
This seems to be a common problem for different Pulumi packages, here's a recent issue for GCP: https://github.com/pulumi/pulumi-gcp/issues/1065
r
Pulumi ended up destroying the certificate. I decided to not manage the certificate with Pulumi, so I have to create that resource manually. And now I just keep its ID in the config. It's a bit annoying but now I don't have to worry about Pulumi destroying it. I found no way to exclude a specific resource in `pulumi destroy` (except if it is already marked as protected which is error-prone)