No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

The trick is to update the listener to have no certificate in one `up`, then destroy the stack. I set all my certificates to 'protect: true', so that it fails faster, reminding me to clear the cert.

so you actually modify your pulumi code temporarily in order to detach the certificate from the listener?

Yes, that's how I've done it. Maybe that's not the best way...

hey, if it works for you. I think that would help me right now but for our use-case long term it isn't feasible to make a temporary change to the pulumi code in order for a destroy to function

An alternative would be to `pulumi state delete` the certificate, then delete it manually after the `pulumi destroy` works?

Or maybe a `dependsOn` opt would work... :thinking_face:

If `dependsOn` successfully changes the dependency order, then that would be the best solution. Code would be accurate and self-documenting, and wouldn't need to change.

If it causes a circular dependency though... :frowning:

my understanding of `dependsOn` is that it adds additional explicit dependencies to the dependency tree, it doesn't remove or alter any existing dependencies

and the only reason i know that is because I had the same thought as you lol

Have you tried it? Maybe Pulumi notices the contradictory dependency and ensures only the explicit one exists? :crossed_fingers:

where are you suggesting placing a `dependsOn`?

On the certificate, depending on the listener...

Forcing Pulumi to delete the listener before the certificate...

well the certificate must exist before the listener in the code

Hmm.. there must be some way. I've just reviewed my code, and in the end I used `state delete`, removed the certificate code, and hardcoded its ARN.. a complete workaround. Re-use the same certificate for the same purpose always.

Ooo. You could put the certificate in a different project or stack and use a stack reference.. then it wouldn't get deleted when the listener does. Maybe that might fit your model?

well our stack is generating a sub-domain with the associated dns records and certificate included so this must be part of the same stack logically

Ah well.. I'm good with ideas, but getting them to work is much harder :slightly_smiling_face: If you try `dependsOn` and it doesn't work the way you need to it, you can raise an issue on GitHub and they'll turn it into a feature request.