But then, when the preview phase finishes, the port-forward dies, and is not started again when we move to the apply phase, so pulumi is unable to actually make the changes it previewed.

I'm guessing preview and apply take place in different processes? You can see that I tried to add

ignore_sighup=True

to the pexpect call to see if I could force it to become a zombie process. If that had worked, I would have then used

atexit

to register a function to terminate it before closing.

But that didn't work; it still dies when the preview finishes.

Is there a way I can force the address attribute of the vault provider to be evaluated again at apply time?

I spent a little time exploring multiprocessing and subprocess with options that force the process into a different process group. I tried the latter and it doesn't work (the preview phase hangs until you manually kill the port-forward process).

I think I'm going to abandon this port-forward. It just won't work. Eventually we were going to get to a place where we wanted to run Pulumi in a container inside the cluster anyway (since some of our clusters are on the other side of the world). I had hoped for the POC that I wouldn't have to tackle that, but it looks like it's not going to work at all otherwise.