# general
Looking for some help with FusionAuth via Pulumi. It doesn't seem to be the most IaC-friendly, and the terraform code mirrors the FA APIs exactly without adding any new methods that may be useful.
Example: a FusionAuth IDP provides login with Google, or SAML, or LinkedIn. A FusionAuth Application can be thought of as a protected property, such as a wiki or intranet. The FA IDP API takes a list of the Applications that should be enabled for it. This API is the only way to know or change which applications are enabled for an IDP. These enabled applications are a list named `applicationConfigurations` on the object. My ideal model would look like this:

1. In idp-google stack, provision IDP parameters for google
2. In idp-linkedin stack, provision IDP parameters for linkedin
3. In application-wiki stack, provision the application and enable the google idp on it
4. In application-intranet stack, provision the application and enable the google and linkedin idps on it

Unfortunately you can't enable selectively - you need to update the entire google/linkedin objects with the full list of associated applications.

First thought: I'll just re-read the idps (using the exported id from step 1) in step 3 and add the new app as enabled to the list. Problem: now stacks 1 and 4 are out of sync. If I update 4 then 3 and 4 are in sync. If I update 1 then they are both removed again.

Second thought: do a 'firsttime' pass for step one which creates the google idp object without any `ignore_changes`, then rerun without firsttime enabled where it uses `ignore_changes` on `application_configurations` and thus won't remove the existing applications. Trying that, I'm unable to get `ignore_changes` to work properly on it. The code:
    idp_google = fusionauth.FusionAuthIdpGoogle(
        resource_name="idp-google",
        application_configurations=[
            fusionauth.FusionAuthIdpGoogleApplicationConfigurationArgs(
                application_id=application_id,
                enabled=True,
            )
        ],
        ...
        opts=pulumi.ResourceOptions(
            ignore_changes=['applicationConfigurations', 'application_configurations']
        ),
        ...
But if you get up to step 3, do a `pulumi refresh` and re-try step 1:
~ fusionauth:index/fusionAuthIdpGoogle:FusionAuthIdpGoogle: (update)
        [id=82339786-3dff-42a6-aac6-1f1ceecb6c46]
        [urn=urn:pulumi:fusionauthdeployment::foo-prod::fusionauth:index/fusionAuthIdpGoogle:FusionAuthIdpGoogle::idp-google]
        [provider=urn:pulumi:fusionauthdeployment.dev::foo-prod::pulumi:providers:fusionauth::fusionauth::abcdabcd-1234-1234-1234-abcdabcdabcd]
      ~ applicationConfigurations: [
          - [1]: {'enabled': true, 'application_id': 1234 }   <== a new app was enabled outside of the IDP creation stack and found via pulumi refresh
        ]
Thoughts?
And of course the worry is that even if I ignore changes, if I did change parameters on the IDP the next time I wanted an update it would forcibly disable all those applications it didn't know about because the terraform uses PUT not PATCH under the hood.
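A guard against that PUT-clobber worry, as an added example that is not part of the original post or of the Pulumi/FusionAuth provider: it works on the Pulumi-shaped `application_configurations` entries from the post (dicts with `application_id` and `enabled`) and assumes the live list was obtained from state after `pulumi refresh` or by reading the IDP; the API calls themselves are left out, and the sample ids are constructed.

```python
"""Read-merge-write helper for an IDP's applicationConfigurations.

Because the provider sends a full PUT, any entry missing from the body
is disabled. These helpers compute a body that carries forward entries
other stacks enabled, and report what a given body would disable so a
stack can refuse to apply a clobbering update.
"""
from typing import Dict, Iterable, List, Set

AppConfig = Dict[str, object]


def merge_application_configurations(
    live: Iterable[AppConfig], desired: Iterable[AppConfig]
) -> List[AppConfig]:
    """Union of live and desired entries keyed by application_id.

    Entries this stack owns (desired) override the live copy; entries
    enabled elsewhere are kept unchanged so the PUT does not drop them.
    """
    merged: Dict[object, AppConfig] = {}
    for cfg in live:
        merged[cfg["application_id"]] = dict(cfg)
    for cfg in desired:
        app_id = cfg["application_id"]
        merged[app_id] = {**merged.get(app_id, {}), **cfg}
    return sorted(merged.values(), key=lambda c: str(c["application_id"]))


def apps_that_would_be_disabled(
    live: Iterable[AppConfig], proposed: Iterable[AppConfig]
) -> Set[object]:
    """Application ids enabled live but absent/disabled in the proposed body."""
    live_enabled = {c["application_id"] for c in live if c.get("enabled")}
    proposed_enabled = {c["application_id"] for c in proposed if c.get("enabled")}
    return live_enabled - proposed_enabled


# Constructed sample: the wiki app was enabled by this stack, the intranet
# app by another stack (the entry `pulumi refresh` brought back).
SAMPLE_LIVE = [
    {"application_id": "wiki-app-id", "enabled": True},
    {"application_id": "intranet-app-id", "enabled": True},
]
SAMPLE_DESIRED = [{"application_id": "wiki-app-id", "enabled": True}]

if __name__ == "__main__":
    naive_loss = apps_that_would_be_disabled(SAMPLE_LIVE, SAMPLE_DESIRED)
    body = merge_application_configurations(SAMPLE_LIVE, SAMPLE_DESIRED)
    print("naive PUT would disable:", naive_loss)
    print("merged PUT would disable:", apps_that_would_be_disabled(SAMPLE_LIVE, body))
```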