hi all! i have encapsulated the logic for obtaining a viewer certificate for cloudfront (aws) into a function (note I'm returning it in the very first line):

function getViewerCertificate(
  customDomain: string | undefined,
  ... // other parameters
): pulumi.Input<aws.types.input.cloudfront.DistributionViewerCertificate> {
  if (!customDomain) {
    return {
      minimumProtocolVersion: 'TLSv1.1_2016',
      cloudfrontDefaultCertificate: true,
    }
  }

which I later call it (with

customDomain

set to

undefined

)

const viewerCertificate = getViewerCertificate(customDomain,...)

and use it:

const distributionArgs: aws.cloudfront.DistributionArgs = {enabled: true, aliases: customDomain ? [customDomain] : [], viewerCertificate, ...}

and after running the

update

command with automation api this change is detected on every deploy as an updated resource, taking a lot of time to complete the operation. I understand that pulumi should not detect this as a change. is this an expected behavior? it seems like a bug to me

Export your pulumi state, and find in the state file the JSON object representing the

viewerCertificate

that was provided to the cloudfront distribution as it currently exists. Then you will be able to see how/if it differs with the object returned from this function