HI, I have a series of SSM parameters that are us...
# aws
c
Hi, I have a series of SSM parameters that are using a KMS key id that is being referenced from another stack. In pseudo below.
```typescript
export const appSettingsKeyArn = environmentStackRef.getOutput("appSettingsKeyArn");

var param = new aws.ssm.Parameter('name', {
  name: 'name',
  type: 'String',
  value: 'value',
  keyId: appSettingsKeyArn,
});
```
Everything in the stack is created fine, the system is working as it should be. However, every time I run `pulumi up` it is attempting to update the SSM parameter resources with a new `keyId`. Looking in the details of the plan, I can see that the key id is never stored in state, so pulumi is constantly trying to update it. Does anybody know why this is happening?
l
Does it actually change the SSM parameter when running up? Or does it just report that it will, during a preview / before the up runs? Pulumi will report potential changes if it cannot guarantee that there won't be a change. In this case, the value of the appSettingsKeyArn might not be known during preview, or it might change between preview and up, so it can't be certain that it won't have to update the keyId. So to be safe, it reports that it will change it. However, when running the actual up, it won't change it if it turns out that the "new" value is the same as the old value.
c
Yeah it actually doesn’t change anything, that’s correct. But it’s quite alarming as pulumi reports the key of the parameter is being changed/updated, which could have implications on data integrity (being able to decrypt).
If a bug in the code got in and caused the key to change, but I was conditioned to just think that the key always gets “updated”, I could inadvertently change the key without intending to do it.
Do you know why pulumi doesn’t track the key ARN?
Is it a security thing?
l
I think it does track it. I'm guessing that your parameter is being created inside an apply. Can you confirm this? If this is the case, then that's the reason you're seeing this behaviour. Move the code outside the apply and everything will work as expected.