How do you manage multi-step

Resource

configuration in Pulumi ? I'm trying to set up an SSO between Okta and AWS using Pulumi, and that requires 3 steps with 2

Resources

: 1. Create

<http://okta.App|okta.App>

which generates metadata 2. Inject metadata and create

aws.iam.IdentityProvider

, which has an ARN 3. Inject

IdentityProvider

ARN back into the

<http://okta.App|okta.App>

Resource created in step 1 I'm trying to pack this logic into a

Component

but I struggle with step 3: can't seem to update a

Resource

as part of a

Component

Also tried using

_import

but there's an URN conflict because the imported resource (step 3) would actually be the same as step 1... Should I try creating a Dynamic Provider for that ? Can't it be done natively ?

@bright-orange-69401 I'm really interested on the answer to your question. If you find a solution, please, let us know.

@important-ram-83431 I'm still working on it but the solution we've found is to create another

Resource

via a Dynamic Provider that merely performs step 3 (validation of the SAML) It's a similar process as the one used by Terraform & Pulumi for AWS ACM CertificateValidation The

Resource

just finds the SAML App by its ID and updates it with the metadata obtained in step 2 : it does not actually provision anything and does not have a

delete

method

I'll try it and give you feedback. By now, I set those steps as "manual" (yes, it also sounds terrible to me) and I'm working on other steps of the Pulumi deployment.

BTW if you problem is specific to Okta, there's an alternative method: https://controltower.aws-management.tools/infrastructure/sso/okta_sso/