[dlkmp]

Interesting example. For context, I have only experience with Azure Bicep so "no state" is my default assumption on IAC languages.

Do you in practice really use random names? In my experience, I'd just use a loop vm01...vm10 for the names and the passwords aren't needed to identify an instance after the deployment so here randomness isn't an issue.

[orf]

Random choice of subnet is a better example, random names is definitely not common.

Random passwords, write-only attributes (like database master passwords) are the most common.

How do you express “create a DB with this strong password, then put it in a s3 object”, then later “actually put it in SSM rather than s3”?

[dlkmp]

We cannot, okay, I see the point. Up to now, I considered the inability to express modifications on existing resources a limitation of the declarative model but I can see how adding state can help here.

With Bicep, we mostly deploy only the initial state and then we either re-deploy the whole thing or, if this isn't possible due to the interruptions this causes, add migration scripts in an imperative language (az cli/ pwsh). Which is admittedly the much less elegant approach.