Does pulumi destroy use the index.ts file? I’m creating a certification validation and thinking about whether I have to guard it somehow.

destroy

doesn't run the user program, that might change at some point in the future. If you want to make sure the cert isn't created on each update I'd suggest looking at dynamic providers: https://www.pulumi.com/docs/intro/concepts/resources/dynamic-providers/

I think the cert would be fine, in that it’s a resource with an associated state so it won’t be recreated. It’s the validation that concerns me. In that it’s a resource I think should be temporary, i.e. the resource should only exist as long as needed for ACM to validate the ACM) and then deleted. Is a dynamic providers the only way to do that?

even dynamic resources doesn't quite do that, I've thought about temporary resources (that is resources that only live for the duration of the deployment, or less) and there's probably some things we could do but we don't have anything to support that yet.

Understood. Is the general best practice when it comes to validation is to just leave the records there as evidence of previous validation?

that would probably work

Or, I guess just check if the certs state is valid.