02/10/2023, 2:33 PM
Hi, I’m trying to add a domain to a managed ssl certificate. I’m ok replacing it because it’s just a dev project with no traffic. When I proceed with the update though, it fails because a target http proxy uses it. I would expect pulumi to remove first the target http proxy and then the ssl certificate, but it does not.
Previewing update (
     Type                                       Name                                      Plan        Info
 +   ├─ gcp:compute:RegionNetworkEndpointGroup  global-lb-notification-rest-europe-west1  create
 +-  ├─ gcp:compute:ManagedSslCertificate       global-lb                                 replace     [diff: ~managed]
 +   ├─ gcp:compute:RegionNetworkEndpointGroup  global-lb-notification-rest-europe-west4  create
 +   ├─ gcp:compute:BackendService              global-lb-notification-rest               create
 ~   └─ gcp:compute:URLMap                      global-lb                                 update      [diff: ~hostRules,pathMatchers]

    + 3 to create
    ~ 1 to update
    +-1 to replace
    5 changes. 34 unchanged

Do you want to perform this update? yes
Updating (
     Type                                       Name                                      Status                   Info
     pulumi:pulumi:Stack                                **failed**               1 error
 +   ├─ gcp:compute:RegionNetworkEndpointGroup  global-lb-notification-rest-europe-west4  created (11s)
 +   ├─ gcp:compute:RegionNetworkEndpointGroup  global-lb-notification-rest-europe-west1  created (11s)
 +-  └─ gcp:compute:ManagedSslCertificate       global-lb                                 **replacing failed**     1 error

  pulumi:pulumi:Stack (
    error: update failed

  gcp:compute:ManagedSslCertificate (global-lb):
    error: deleting 1 error occurred:
    	* Error when reading or editing ManagedSslCertificate: googleapi: Error 400: The ssl_certificate resource 'projects/dev-julien-****/global/sslCertificates/global-lb' is already being used by 'projects/dev-julien-****/global/targetHttpsProxies/global-lb-35b3f02', resourceInUseByAnotherResource

Here is my pulumi code:
const sslCertificate = new gcp.compute.ManagedSslCertificate(key, {
    name: key,
    managed: {
      domains:{ domain }) => domain),

  const targetHttpsProxy = new gcp.compute.TargetHttpsProxy(
      sslCertificates: [],
Is there a way to tell pulumi that it needs to remove dependencies too?
Oh I’m so stupid, removing the name allows pulumi to create the replacement before removing the previous one…