I'm sure I'm doing something dumb here, but any suggestions apprecited. Trying to migrate an AKS component resource to Azure Native, the following code sets permissions on the vNet to the ACI plugin identity, which is not known until the AKS cluster is created:

new Authorization.RoleAssignment($"{name}-aks-subnet-aci-role", new Authorization.RoleAssignmentArgs

{

    

RoleAssignmentName = new RandomUuid($"{name}-Network-Contributor-Aci-Uuid").Result,

    

Scope = args.ResourceGroupId,

    

PrincipalId = aks.AddonProfiles.Apply(profiles => profiles!["AciConnectorLinux"].Identity.ObjectId),

    

RoleDefinitionId = roleDefinitionId,

    

PrincipalType = Authorization.PrincipalType.ServicePrincipal

}

Pulumi preview is failing on this line:

PrincipalId = aks.AddonProfiles.Apply(profiles => profiles!["AciConnectorLinux"].Identity.ObjectId),

With this error:

System.NullReferenceException: Object reference not set to an instance of an object.

`at Ict.AzureNative.Containers.IctAzureKubernetesCluster.<>c.<.ctor>b__32_7(ImmutableDictionary`2 profiles) in C\repos\ict azure native\src\ict azure native\Containers\IctAzureKubernetesCluster.csline 254` Given that this identity is not known until the cluster is created, it is expected to be empty in the initial preview, so why is it trying to work it out rather than waiting on AKS to create first?