# general
p
Hi, I'm using Pulumi with a self-managed S3 backend to manage AWS resources. I have an `infra` stack which provides basic resources for the rest of the stacks. One example is an ACM certificate which is managed by the `infra` stack and used e.g. in an `api` stack. Now when I update the `infra` stack, it tries to replace the ACM certificate. It creates the new certificate but fails to delete the old one due to a `ResourceInUseException` because the certificate is in use by the resources managed by the `api` stack (via a stack reference). I have to deploy the dependent stacks so they use the new certificate and then redeploy the `infra` stack. Does this have any "standard" solution? I'm thinking of using an S3 bucket notification which would trigger a Lambda function when the `infra` stack (backed by the S3 bucket) is updated, which would redeploy the dependent stacks and then retry the deployment of the `infra` stack. But maybe there's a more elegant way.
f
Dependencies between infrastructure pieces are always hard. I would probably use https://www.pulumi.com/docs/intro/concepts/resources/options/retainondelete/ to keep the old cert. The dependent stacks will eventually use the new certificate. The old certs can be deleted by a Lambda that's triggered by CloudWatch scheduled events (filtered by "in use" = no).
p
That sounds viable, thanks @fierce-ability-58936!
l
Our solution is to not share certificates, and to define them in the stack where they're used. But in general, having to support a being-phased-out resource and a being-phased-in resource probably means having two resources in code...
p
Yeah, I was thinking about that approach too. The same holds for e.g. security groups etc., I guess. These are all free resources so it doesn't really matter, but I can imagine there are non-free resources where I'd like to save a bit by managing them in a shared stack.
l
Security groups can usually avoid this. They should be defined in the same functional component that uses or provides them. You can add or change rules in SGs without a problem; you don't need extra ones. You should avoid creating extra ones when possible, as most resources that can have SGs attached are limited to 5 SGs.