Started typing this before you responded, then the building lost power for two hours and I forgot about it… Anyway:
Chiming in a bit late: I agree with geekflyer that separate projects is a good idea here.
For infra/platform resources shared between product environments (DNS zones, domainkey DNS records, crypto key rings, SSL policy, …), we have a Pulumi project named “infra”.
In that project we have a stack named “infra-prod”, which is referenced by the product’s test and prod stacks.
We also have an “infra-test” stack which uses a different GCP project, so we can play around with infra changes without affecting the product environments (test, prod) used by the devs.
For environment-specific product resources we have a Pulumi project named <product>, with one stack per environment (“<product>-test” and “<product>-prod”). Both stacks reference “infra-prod”.
The “infra-<env>” stacks export simplified versions of the actual resources they create, typically just the id and name.
Of course, you can solve it with “just” stacks as you show above, especially if you don’t care about having multiple environments for the core/infra stuff 🙂