What is the principles I need to follow, when I provision two resources that are dependent on each other? Apparently I cannot modify a resource after it has been declared. So, I have an Azure Functions application that is accessing a Cosmos DB container. I want to restrict the Cosmos DB account to allow only the system assigned identity of the Azure Functions account from the IP's defined on the Function Application's possible outbound IPs, and I want to configure the Functions Application with either the primary or secondary key from the Cosmos DB account. To get this information, I need to declare both of the resources, at which point I can't figure out how to modify the resources again in my stack. How should I accomplish this?

I want to configure the Functions Application with either the primary or secondary key from the Cosmos DB account

You can set web app (function app) settings as a separate resource which would go the last in your program.

Thanks! So first the function app, then Cosmos DB and lastly the function app configuration as a separate resource. Is this the "standard" way of handling similar situations in Pulumi? Configuration of a resource can either be set when the actual resource is declared, or as a separate "child" resource?

I can’t say if it’s standard… Our current model in azure-native maps ARM resources 1:1 so it’s up to the Azure service teams how they design resource models.

So there is not a built-in mechanism in Pulumi that can handle situations where the creation of resource 1 is dependent on outputs from resource 2, which in turn is dependent on outputs from resource 1?

No

OK, thanks!