This message was deleted.

Looking at the state file pre-update, this resource does not seem to have a provider associated with it:

{
                "urn": "urn:pulumi:prod-us-west-1::okera-infra-regions::kubernetes:yaml:ConfigFile::certmanager-deploy-file",
                "custom": false,
                "type": "kubernetes:yaml:ConfigFile",
                "parent": "urn:pulumi:prod-us-west-1::okera-infra-regions::pulumi:pulumi:Stack::okera-infra-regions-prod-us-west-1",
                "dependencies": [
                    "urn:pulumi:prod-us-west-1::okera-infra-regions::aws:iam/role:Role::cert-manager-iam-role"
                ]
            },

@bored-table-20691 👋 I saw this & commented as well. looks like we have two ways we could implement this

@orange-policeman-59119 hi! Thank you for responding. Do you still think a repro is needed? I don’t have one handy as it’s tied to our actual stack, but I can give it a shot.

I don't think so, I see exactly in the code where we stopped passing the provider down. Unintended consequence of disabling default providers is discovering this edge case where some of our resources are actually collections-of-resources, and we need to figure out which options should cascade down (all? some?)

Indeed.

I think I'm getting the hang of navigating our codebase a few weeks in though, will keep that ticket updated and next week will chat with @ancient-policeman-24615 about a solution. He just shipped the disable-default-providers option, so I imagine he'll know which route we should go. The team has been looking at refactoring providers in general to get rid of some tech debt, this is a good example for that work. I'll flag it to them

There was an interesting side effect of disabling the default provider, which is

iam.GetPolicyDocument

errors in the same weird way if you don’t pass in a provider and the default provider is disabled. This is even though this call conceptually does not need a provider