Pulumi primitive to create resources only temporarily (for the duration of pulumi up), to work around Azure KeyVault permission issues?

[codethief]

We use Pulumi with Python to deploy our infrastructure in Azure. Unfortunately, there are cases where we have to temporarily create resources only for the purpose of making the deployment succeed. We'd like to clean those up afterwards automatically but we're wondering how exactly. Does Pulumi provide a primitive here to create resources only temporarily? In other words, they should be cleaned up automatically at the end of the deployment and not make it into the Pulumi state.

To give an example, we create a pulumi_azure_native.keyvault.Vault with enable_rbac_authorization=True and afterwards store certain secrets in it. However, in order for our Azure DevOps' deployment pipeline's service principal to be allowed to write to the key vault it just created, we first have to authorize it by creating an appropriate pulumi_azure_native.authorization.RoleAssignment. This has a number of unfortunate implications:

• We either have to hard-code our pipeline's service principal ID or we could try to dynamically determine the security principal that's currently being used by Pulumi.
• In the former case (hard-coding):
  • pulumi up will only succeed when actually run from within our pipeline. Running pulumi up locally will fail due to lack in permissions.
  • Running pulumi preview locally works as expected.
• In the latter case (determining the security principal dynamically):
  • pulumi up can be run from both within our pipeline, and locally. However, the role assignment will be reflected in the state, i.e. the state will depend on who executed pulumi up last.
  • Running pulumi preview locally will indicate that the role assignment created by the pipeline would be deleted, and that a new one (for the local user) would be created. Clearly, this can lead to confusion, especially in cases where you have not made any changes to your code at all and therefore expect zero infrastructure changes.

Again, it would be great if Pulumi could provide a corresponding primitive here to not commit the role assignment to the state. Alternatively, pulumi_azure_native could of course create temporary role assignments under the hood when writing to a key vault, without committing them to the state; however I could imagine there are more cases like this, so a more general solution might be useful.

Related tickets:

• Creating Key in Vault - ForbiddenByRbac pulumi-azure-native#890

[codethief]

Looks like there is no way to do this right now. From the related Slack discussion: