Is there a standard way to accomplish this pattern without running afoul of refreshes and drift issues?

var myGenericSecret = new Vault.Generic.Endpoint( name, new Vault.Generic.EndpointArgs {
    Path = args.Path,
    DataJson = args.Data,
} );

var secretData = myGenericSecret.Path.Apply( p => Vault.Generic.GetSecret.InvokeAsync( new Vault.Generic.GetSecretArgs {
    Path = p,
} ) );

// generate outputs based on returned secretData

The original issue is that the Vault.Generic.Endpoint resource doesn't output the server-side result of the creation. Trying to supplement that by following it up with a GetSecret has been a dead end. If the endpoint doesn't exist for whatever reason, but pulumi thinks it does, pulumi still tries to execute the invoke, resulting in an error. Apparently making the invoke dependent on the output Path doesn't tie it closely enough to the lifecycle of the Endpoint resource for Path to be "unknown" in cases where the endpoint gets refreshed and is deleted. This is an example using Vault but it's a more general pattern of "create resource -> immediately fetch data about that resource" where I want the data and its "known-ness" to be explicitly tied to its associated resource. EDIT: This has been resolved, the issue was that the Endpoint itself was returning the wrong error code when the resource didn't exist. I was thrown off because the URL it was calling was identical to the GetSecret call I was attempting to (not) make.

I think if you depend on

myGenericSecret.Id

that will only ever be set on real updates, never on preview.

that's gtk and I was suspecting that. I think in this case the issue is actually on the vault plugin's side. it's returning 400s instead of 404s when the item doesn't exist