I'm really stuck on an issue using a dynamic provider resource. It's kind of a complex case and maybe I am just missing something really obvious. I'll try to summarize as succinctly as possible here:
I am trying to create an AWS Client VPN Endpoint for my VPC using the self-service portal with single sign-on. The client and the single sign-on portal have to have separate SAML providers, which is supported, but it's a new enough feature that it hasn't been added to Terraform yet. (TF issue here: https://github.com/hashicorp/terraform-provider-aws/issues/16019)
What I'm trying to do is write a dynamic resource provider that uses the AWS SDK directly to create the Client VPN endpoint, since the SDK supports setting this option. It appears to work, in that it creates the Client VPN endpoint and wires everything up the way it should on the first run. It's just that subsequent runs of `pulumi update` will always try to delete and replace it, even when nothing has changed. Then, when it tries to delete, I get some errors related to missing parameters that, from what I can tell, shouldn't be missing based on the code.
One complication is that I'm working in an AWS Organizations setup where resources are managed across multiple AWS accounts by explicitly passing providers that assume IAM roles. So I set
to the "main" account credentials and then create a provider resource for each account I actually want to work in. I don't know how to use the Pulumi provider to get credentials for the AWS SDK, so I'm just passing a role ARN to the dynamic resource and using STS AssumeRole to get temporary credentials. This appears to work, sometimes.
My dynamic resource provider is more or less modeled following the example here: