No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Effectively, I want to do a one-off "delete if exists and not managed by pulumi", that should then be a no-op during subsequent runs so it's safe to leave this code in, and in fact it will still be needed if the eks cluster is ever rebuilt.

What don’t you just use the k8s sdk to do that ? I had a similar issue with updating the existing aws-auth in an eks cluster and that’s how I solved it.

Yeah, don’t have computer in front of me to get the link, but the EKS lib does something like that using a dynamic provider to update an existing configmap 

You could likely use a dynamic provider to wrap that logic based on a native SDK or kubectl 

We do have an open issue for that as well - you can search for “kubectl apply -f” in the k8s provider issues. 

Yeah I <https://github.com/pulumi/pulumi-kubernetes/issues/264#issuecomment-537637057|commented> on that issue, ~1 year ago now, with a need for read-modify-write of external resources (not managed by pulumi)

Also, I'm doing everything in dotnet/c# now and AFAIK dynamic resources are not supported yet

So somehow I need to run a conditional side effect and have a pulumi managed resource depend on that side effect having run before itself running.

(I avoid the issue with modifying the aws auth config map by waiting for the api server before creating the nodes, so the config map doesn't exist before I create it with pulumi.)