No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

If those are temporary stacks, why not auto-name the KeyVault with a random name?

it's temporary on its way to permanence.. I do realize that I should be doing this in a "throwaway" configuration, but it's also for testing reproducability and recovery and suchlike

but still, I think the --exclude-protect flag makes sense :slightly_smiling_face:

You could also purge old keyvaults (outside Pulumi)