For one of my stacks, I want to generate a secure password and store it in a new AWS SSM parameter. How can I get this to generate only on the creation of the resource but not override the value on subsequent stack updates? Should I be creating this SSM resource outside of my stack? Is this the use case for setting a pulumi secret? I'm using the Automation API - does this change ideal usage?

check out the Pulumi Random provider: https://www.pulumi.com/registry/packages/random/api-docs/randompassword/ it has a few random generators including one for password where you can pick what special characters you want to include etc and it will maintain the same result from the first

pulumi up

through subsequent deployments. though you can configure that with the Keepers property which lets you for example have it regenerate the password when some other input from another resource changes

This looks great, thanks @bumpy-grass-54508 👍