Hi, I ran into a problem with AWS IAM resources. Sometimes a resource (Role or Policy) may be recreated on AWS with the same name (ARN). Pulumi update won't detect any changes in this case. However, on the AWS console, Pulumi-created resources that reference this ARN now show an internal AWS ID instead of the ARN.
A scenario: a role is created by one stack (kiam). Another stack (an app) creates another role with a trusted policy to give the first role permission to assume the app role. If the first stack is destroyed and deployed again, updating the second stack does not do any update; however, the policy does not reference the correct ARN anymore.
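
One way to detect the symptom described in the post, as an added example that is not the poster's or Pulumi's code: it scans a role's trust policy document for `AWS` principals that are bare IAM unique IDs (the `AROA`/`AIDA` prefixes AWS uses for roles and users) rather than ARNs. The account ID, role name, Sids and unique ID in the sample are constructed.

```python
import json
import re

# IAM unique IDs start with AROA (roles) or AIDA (users). A principal that is
# only such an ID, not an ARN, no longer resolves to a named role or user.
UNIQUE_ID = re.compile(r"^(AROA|AIDA)[A-Z0-9]{12,}$")

def _as_list(value):
    """Policy JSON allows a single value or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def stale_principals(trust_policy):
    """Return (sid, principal) pairs whose AWS principal is a bare unique ID."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{index}]")
        principal = stmt.get("Principal")
        # Principal may be the string "*" or a map like {"AWS": ...}.
        if not isinstance(principal, dict):
            continue
        for value in _as_list(principal.get("AWS")):
            if isinstance(value, str) and UNIQUE_ID.match(value):
                findings.append((sid, value))
    return findings

# Constructed sample: the app role's trust policy after the kiam role it
# trusted was destroyed and recreated under the same name.
SAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppTrustOk", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/kiam-server"}},
        {"Sid": "AppTrustStale", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["AROAEXAMPLEID1234567X"]}},
    ],
}

if __name__ == "__main__":
    for sid, principal in stale_principals(SAMPLE):
        print(f"{sid}: principal {principal} is a unique ID, not an ARN")
```

Running this over the trust policies a stack manages after any dependency stack is redeployed flags roles whose trust relationship needs to be re-applied.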