I need an advice as I can't get it to work. I am using aws-native provider for creating aws vpc component I create VPC, then create VpnGateway, then create VpcGatewayAttachment portion of code in question:

vgw = awscc.ec2.VpnGateway(
            "vgw",
            tags=VPC.build_tags(
                config.common_tags,
                config.virtual_private_gateway.tags,
                Name=f"{config.name}-vgw",
            ),
            amazon_side_asn=config.virtual_private_gateway.asn,
            type="ipsec.1",
            **config.virtual_private_gateway.extra_args,
            opts=ResourceOptions(parent=self.vpc),
        )
        attachment = awscc.ec2.VpcGatewayAttachment(
            "vgw",
            opts=ResourceOptions(parent=vgw),
            vpc_id=self.vpc.id,
            vpn_gateway_id=vgw.id,
        )

so far so good, resources are created successfully. Then, I update ASN on VpnGateway, which should trigger replacement. here is what diff shows:

└─ aws-native:ec2:Vpc                                 vpc                                    
 +-        ├─ aws-native:ec2:VpnGateway                       vgw                        replace     [diff: ~amazonSideAsn]
 ~         │  ├─ aws-native:ec2:VpcGatewayAttachment          vgw                        update      [diff: ~vpnGatewayId]

which is correct. however, if fails

aws-native:ec2:VpnGateway (vgw):
    error: operation DELETE failed with "GeneralServiceException": Vpn Gateway is not in the correct state (Service: Ec2, Status Code: 400, Request ID: 34ada6f3-5619-4a5e-8dda-6d82916501ff) (SDK Attempt Count: 1)

because it must delete

VpcGatewayAttachment

first. how do I signal to pulumi that before attempting to delete

aws-native:ec2:VpnGateway

, it must delete its children, e.g.

aws-native:ec2:VpcGatewayAttachment

? I am pretty sure TF does it correctly. I tried playing around with

deleted_with

but I couldn't achieve the outcome I am looking for.

set an explicit

depends_ond

in the opts

I tried, it doesn't help

Are you sure that error is because of the deletion order? It looks different. If you attempt to delete the VpnGateway via the UI or another SDK, do you get the same 400 status response?

yes, I am sure. if I destroy attachment with targeted destroy and then change asn, it completes successfully.

pulumi:pulumi:Stack                                      pulumi-aws-vpc-stacks-dev  running..                     
     └─ aws-networking:index:VPC                              vpc                                                      
        └─ aws-native:ec2:Vpc                                 vpc                                                      
 ++        ├─ aws-native:ec2:VpnGateway                       vgw                        created replacement (51s)     [diff: ~amazonSideAsn]
 +         │  ├─ aws-native:ec2:VpcGatewayAttachment          vgw                        creating (27s)

use the pulumi.Parent(parent_instance), this will map the parent child relationship explicitly

opts=ResourceOptions(parent=vgw),

this line makes parent-child relationship, no?

The parent-child relationship is not a depends-on relationship. Sometimes you need to make a child depends-on its parent. I don't know if it'll help in this case, but it's worth finding out.