null_resource
doesn't create anything. It's a container for provisioners. Because it is not directly connected to any piece of the infrastructure, it's not a big deal to destroy it in order to retrigger provisioners it has defined on.
There are two types of provisioning we are doing right now with Puppet: the one-time Puppet installation and Puppet run, which should be retriggered if the manifest changes--imagine that the repository IP changed and somehow we still don't have a proper DNS server in place.
Note
If you have Puppet master, all of it makes zero sense: modules and manifests are stored on the master, and the Puppet agent runs as a system service and applies manifests automatically every N minutes. On the contrary, this approach can be very handy if you decide to go for a masterless setup, because in that case, you have a whole new set of problems of how to distribute your Puppet code to all the servers you have.
Slim down the provisioners...