My feeling is that I shouldn't create resources in another resources

.apply

eg:

cert.domainValidationOptions.apply(options=>options.map(option=>new aws.route53.Record(...

is that correct?

That is correct because your preview might not match since those delegates might not execute in preview

Do you know of any way of getting deterministic domainValidationOptions? Or doing the equivalent of terraforms for each validation option create record: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate#referencing-domain_validat[…]th-for_each-based-resources

Can I ask what SDK you’re using?

TS/nodejs sdk

well I believe the ordering is deterministic based on the input domains. I don't know for sure if that means the order will be the same as the order the domains were provided in, just that it will be the same order as long as the inputs haven't changed. You could sort the array by

var sortedOptions = options.apply(unsorted => ........ return sorted);

. And if you know the order your domains should be in after sorting than you would know at which indices in the array you need to provide which providers. But I don't think there is way to have a setup such that when you update the cert by adding a new domain name you will only have to update 1 validation record. Because even if you sorted it this new domain could end up in the middle of your sorted array so every record that came after it would need to be recreated as well (because presumably your naming the resources by index or something). Alternatively if it is an option for you, I don't think it really costs anything or too much to make additional ACM certs for your AWS infrastructure. Is it possible for you to make separate certs? Then your separate provider issue would be trivial.

I wasn't using index for the validation record naming but instead using the domain name

Does it let you use the domain name? Because that would be an

Output<string>

on the domain validation options right? And I'm pretty sure resource name only accepts

string

. Or was that not giving you compile errors because you were doing it inside of an

.apply(...)

so it was a

string

?

I mean these domain names

validations = [domainName, ...subjectAlternativeNames]

yea but how do you match them to the appropriate validation option without doing something funky inside of an apply?

I thought your suggestion was

validations = [domainName, ...subjectAlternativeNames].sort()
options = cert.domainValidationOptions.apply(//sort)

and when I loop over validations to create the records the index should match up?

yes I think that would work - I was asking how you were using the domain names as your resource names previously before doing any sorting but I guess you just didn't have it working.

It was working by creating the records in the apply of validation options but that seems wrong so...

Sweet, glad to hear it. Yea this doc here has a little blurb about creating resources inside that delegate: https://www.pulumi.com/docs/intro/concepts/inputs-outputs/#apply