sparse-intern-71089, 07/27/2023, 8:59 PM:

stocky-restaurant-98004, 07/28/2023, 3:07 PM:
pulumi up. You can pass a profile to pulumi login for S3 state file storage, whereas the principal for pulumi up is determined either by provider config or by the standard AWS credentials chain (AWS_PROFILE, security keys, etc.)

stocky-restaurant-98004, 07/28/2023, 3:08 PM:

stocky-restaurant-98004, 07/28/2023, 3:09 PM:

late-piano-64593, 07/28/2023, 5:17 PM:

late-piano-64593, 08/09/2023, 7:09 PM:
backend.url in Pulumi.yaml when I switched between accounts correct?
I could solve this with bucket policies and skip the assume-role but I feel like that's not the "right" way to do it. I might be missing something though.

late-piano-64593, 08/09/2023, 7:18 PM:
url field when switching between accounts. Does that mean that the current design requires that my dev account have full permissions to accidentally overwrite the state bucket of prod?

stocky-restaurant-98004, 08/09/2023, 8:08 PM:
dev/ folder.

stocky-restaurant-98004, 08/09/2023, 8:10 PM:

late-piano-64593, 08/09/2023, 8:55 PM:
backend.url in the stack level settings, ex: Pulumi.dev.yaml? TIL! Is there a documentation of that schema somewhere?

stocky-restaurant-98004, 08/10/2023, 1:36 PM:
{{ backend.url }}/{{ project }}/{{ stack }}, or a backend.url per-project if it's just {{ backend.url }}/{{ stack }}. I would guess it's the former, but IDK for sure.

late-piano-64593, 08/10/2023, 5:38 PM:
backend.url for the project, then if pulumi only touched specific sub directories in that root, per stack, I could scope the S3 permissions correctly to prevent accountA (dev) from being able to Put/Get in AccountB (prod)'s stacks. But right now in S3 the backend.url root is just a .pulumi/ with some high-level metadata and then the stacks/ directory below that.

stocky-restaurant-98004, 08/11/2023, 4:59 PM:
backend.url for everything: https://www.pulumi.com/blog/project-scoped-stacks-in-self-managed-backend/

stocky-restaurant-98004, 08/11/2023, 4:59 PM:

late-piano-64593, 08/12/2023, 4:08 PM:
pulumi state upgrade so far has not changed the structure in S3 to match that folder structure, but I am gonna try migrating to a new bucket next week.

late-piano-64593, 08/15/2023, 5:48 PM:

late-piano-64593, 08/15/2023, 5:50 PM:
backups
history
stacks
etc., then encode the specific stack names into those resource rules.
It's possible, but it means that I would need to update the IAM every time I need to add a new stack (if, for example, the dev AWS account might have multiple stacks in it while prod only has 1).