Hi. I'm trying to add an annotation on a service account. The code seems to work fine, at least I can see that the annotation gets added by

setIamRoleArn

method but Pulumi doesn't detect any changes. I wonder if annotations attribute is being ignores as there is a high change of it being updated outside of Pulumi? If so is there a way to force adding specific annotation? Thank you!

private deployCloudWatchAgentDaemonset(): k8s.yaml.ConfigFile {
    let serviceAccounts = this.serviceAccounts;

    return new k8s.yaml.ConfigFile('cloudwatch-agent-setup', {
        file: ContainerInsights.CW_AGENT_TEMPLATE,
        transformations: [(obj: any, _opts: pulumi.CustomResourceOptions) => {
            if (typeof serviceAccounts !== 'undefined') {
                ContainerInsights.setIamRoleArn(obj, serviceAccounts);
            }
        }],
    },
    { providers: { kubernetes: this.k8sProvider } });
}

private static setIamRoleArn(obj: any, serviceAccounts: pulumi.Output<any>): void {
    if (obj !== undefined && obj.kind == 'ServiceAccount') {
        serviceAccounts.apply(serviceAccounts => {
            if (typeof serviceAccounts !== 'undefined' && Object.keys(serviceAccounts).includes(obj.metadata.name)) {
                if (!obj.metadata.annotations) {
                    obj.metadata['annotations'] = {}
                }
                obj.metadata.annotations['<http://eks.amazonaws.com/role-arn|eks.amazonaws.com/role-arn>'] = serviceAccounts[obj.metadata.name].role.arn;
            }
        });
    }
}