[orf]

Random choice of subnet is a better example, random names is definitely not common.

Random passwords, write-only attributes (like database master passwords) are the most common.

How do you express “create a DB with this strong password, then put it in a s3 object”, then later “actually put it in SSM rather than s3”?

[dlkmp]

We cannot, okay, I see the point. Up to now, I considered the inability to express modifications on existing resources a limitation of the declarative model but I can see how adding state can help here.

With Bicep, we mostly deploy only the initial state and then we either re-deploy the whole thing or, if this isn't possible due to the interruptions this causes, add migration scripts in an imperative language (az cli/ pwsh). Which is admittedly the much less elegant approach.