dry-journalist-60579  03/13/2023, 10:12 PM
dev, staging, and prod stacks each in a separate account. Do I need to set up the OIDC provider and role to assume in every account? Or can I have one and somehow use cross-account role assuming?

little-cartoon-10569  03/14/2023, 1:14 AM

dry-journalist-60579  03/14/2023, 1:34 AM
• (id: XXXXXX1)
• workloads-app-dev (id: XXXXXX2)
• workloads-app-staging (id: XXXXXX3)
• workloads-app-prod (id: XXXXXX4)
• workloads-cicd (id: XXXXXX5)
In the bootstrap-project I am now creating a single OIDC provider and a role that Pulumi can assume using AssumeRoleWithWebIdentity in the workloads-cicd account. Now, I’ve set up the Pulumi Deployments configuration in the UI (anxiously awaiting https://github.com/pulumi/service-requests/issues/169 to not have to use the UI) to use the Role ARN created from the bootstrap stack. The app/dev stack targets the workloads-app-dev account, but I can’t quite figure out the right way to do this. I guess I’ll need a role within that account that the aforementioned role can assume and I’ll need to add that to my aws:assumeRole: in app-project/Pulumi.dev.yaml? Right now I’m getting an error during the deployment/update of: AWS account ID not allowed: XXXXXX5 because I have an aws:allowedAccountIds: [XXXXXX2] in the app/dev stack to ensure the correct placement…
Sorry if that is a lot of context. Ideally I’d prefer to not create the OIDC provider in each account.

little-cartoon-10569  03/14/2023, 1:43 AM
const stagingProvider = new aws.Provider("staging", { assumeRole: deploymentRoleInStagingAccount });
dry-journalist-60579  03/14/2023, 1:49 AM
workloads-cicd account. I can then specify that the app/dev stack should use the PulumiDeploymentRole either by explicitly creating a provider in the code or by specifying it in the Pulumi.dev.yaml:
config:
  aws:region: us-east-1
  aws:allowedAccountIds: [XXXXXX2]
  aws:assumeRole:
    roleArn: arn:aws:iam::XXXXXX2:role/PulumiDeploymentRole
little-cartoon-10569  03/14/2023, 1:51 AM

dry-journalist-60579  03/14/2023, 1:53 AM

little-cartoon-10569  03/14/2023, 1:53 AM

dry-journalist-60579  03/14/2023, 1:54 AM
provider code does not accept another provider

little-cartoon-10569  03/14/2023, 1:54 AM

dry-journalist-60579  03/14/2023, 1:54 AM

little-cartoon-10569  03/14/2023, 1:55 AM

dry-journalist-60579  03/14/2023, 1:55 AM
role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_xxx

little-cartoon-10569  03/14/2023, 1:56 AM
new aws.Provider("bootstrap", { profile: new pulumi.Config("aws").profile })

dry-journalist-60579  03/14/2023, 1:57 AM

little-cartoon-10569  03/14/2023, 1:58 AM
pulumi cancel and clean-up duties.
dry-journalist-60579  03/14/2023, 2:00 AM
arn:aws:iam::XXX:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_xxx
=>
arn:aws:iam::XXX:role/service-role/AWSControlTowerAdmin
=>
arn:aws:iam::{0}:role/AWSControlTowerExecution
import pulumi
import pulumi_aws as aws

# PASSWORD_PARAMS: dict of AccountPasswordPolicy arguments, defined elsewhere
# in the poster's project (not shown here).

organization = aws.organizations.get_organization()
for account in organization.accounts:
    # Skip accounts that are not ACTIVE (note: this check alone does not
    # exclude the management account)
    if account.status != "ACTIVE":
        continue
    role_arn = pulumi.Output.format(
        "arn:aws:iam::{0}:role/AWSControlTowerExecution", account.id
    )
    # Create a Provider that assumes the per-account execution role
    provider = aws.Provider(
        f"Provider: {account.name}",
        assume_role={
            "roleArn": role_arn,
        },
    )
    # Apply the shared password policy in that account via the provider
    password_policy = aws.iam.AccountPasswordPolicy(
        f"AccountPasswordPolicy: {account.name}",
        **PASSWORD_PARAMS,
        opts=pulumi.ResourceOptions(provider=provider),
    )
AWSControlTowerExecution role in each account that can be assumed by the service-role/AWSControlTowerAdmin in the management account
AWSControlTowerExecution “out of the box”

little-cartoon-10569  03/14/2023, 2:04 AM

dry-journalist-60579  03/14/2023, 2:05 AM

little-cartoon-10569  03/14/2023, 2:08 AM

dry-journalist-60579  03/14/2023, 2:14 AM