Background
We are deploying an Azure API Management Service.
The APIM Service is using a custom domain.
The cert for the domain is stored in a key vault.
The permissions for access to the key vault are being applied for the APIM's SystemAssigned identity.
So the workflow I have to follow is:
• Deploy the APIM without the custom domain.
• Apply an Access Policy against the Key Vault for the APIM identity.
• Modify the APIM code to now use the custom domain again.
• Re-deploy.
If I try to do it all in the same deployment, the APIM can't deploy using the custom domain because it doesn't have access to the key vault.
Questions
1. Is there a "Pulumi way" to handle this workflow of "deploy something, deploy something else, go back and modify the first thing"?
2. Is the only correct solution here to use a different, user-defined, identity for the APIM?