But GCP docs says it is "output only" : https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#privateclusterconfig

Tried to set peeringName but Pulumi complains (according to GCP's doc):

error: gcp:container/cluster:Cluster resource 'test' has a problem: Value for unconfigurable attribute: Can't configure a value for "private_cluster_config.0.peering_name": its value will be decided automatically based on the result of applying this configuration.. Examine values at 'Cluster.PrivateClusterConfig.PeeringName'.

My understanding is that the only way to fix this is to call GCP API once the Cluster is deployed. In terms of design, how can I implement an idempotent custom resource? I noticed there is a CustomResource class. Should I work this it? Are there examples I can follow?

Is there a way to manage that setting at cluster creation time?

No, but it can be changed once the cluster is deployed using https://www.pulumi.com/registry/packages/gcp/api-docs/compute/networkpeeringroutesconfig/

new compute.NetworkPeeringRoutesConfig(name, {peering: cluster.privateClusterConfig.peeringName, exportCustomRoutes: true, importCustomRoutes: false, project: '...', network: '...'})

In terms of design, how can I implement an idempotent custom resource?

I noticed there is a CustomResource class. Should I work this it? Are there examples I can follow?

Specific answer: use NetworkPeeringRoutesConfig instead of doing custom stuff. General answer: use a Dynamic Provider: https://www.pulumi.com/docs/intro/concepts/resources/dynamic-providers/ https://www.pulumi.com/blog/dynamic-providers/