ignoreChanges

This option specifies a list of properties which will be ignored when updating existing resources. Any properties specified in this list, that are also specified in the resource’s arguments, will only be used when creating the resource—and ignored entirely while updating it.

For instance, in this example, the resource’s prop property will have its value of "new-value" set when initially creating resource, but from then on, any and all changes will be ignored: (from pulumi.com/docs)

res = MyResource("res",
    prop="new-value",
    opts=ResourceOptions(ignore_changes=["prop"]))

adding secrets to config

pulumi config set secrets:SSH_KEY --secret < PATH_TO_KEY

OnCreateResource hooks

There is no straightforward way to do this, but two options exist (pulumi-community.slack.com).

1. Use dynamic providers/resources

This approach creates a new dynamic resources that depends on the resource that was created. It has its own create() implementation that
serves as the hook.

See pulumi.com/docs and an example implementation for AWS EC2 provisioners, __main__.py and provisioners.py on GitHub.

Example:

from typing import Optional, Any
from uuid import uuid4
import pulumi
from pulumi import dynamic
class OnCreateWarningProvider(dynamic.ResourceProvider):
    warning_printed = False
    def print_warning(self, message):
        if not self.warning_printed:
            pulumi.warn(message)
            OnCreateWarningProvider.warning_printed = True
    def create(self, inputs: Any):
        self.print_warning(inputs['message'])
        return dynamic.CreateResult(id_=uuid4().hex, outs={})
class OnCreateWarning(dynamic.Resource):
    def __init__(self, name: str, message: str, opts: Optional[pulumi.ResourceOptions] = None):
        super().__init__(
            OnCreateWarningProvider(),
            name,
            {'message': message},
            opts=opts
        )

which gets called by

messaging.OnCreateWarning(
    name=f"on-create-warning-{resource_name}",
    message="Resource was created!",
    opts=pulumi.ResourceOptions(depends_on=[resource]),
)

2. Using CrossGuard

With a CrossGuard ResourceValidationPolicy, see for example github.com/pulumi. Run Pulumi with

pulumi up --policy-pack path-to-policy-code/