pulumi: Failed update can lead to bad checkpoint file

We are seeing something where failure to update a aws:elasticloadbalancingv2/listener:Listener’s certificateArn property (“this failure is catastrophic”-style), due to an attempt to use a certificate in a different region, then apparently leaves behind a checkpoint file that cannot be properly destroyed in its entirety. After this failure, if we then try to pulumi destroy, the first thing it does is attempt to delete the aws:elasticloadbalancingv2/targetGroup:TargetGroup resource which fails with a “currently in use by a listener or a rule.” This makes sense, because that listener is still around.

The question is, why did we not try to delete the listener? Two theories: (1) it’s entirely missing due to a bug in the way we handle failed updates; or, alternatively, (2) it’s in the checkpoint file but the order is messed up for some reason. I will debug a little bit now that I have live access to the customer’s machine, but @pgavlin I’m going to hand off to you after I get a bit more info.