Hey All, I've started using Pulumi to spin up some resources on AWS. Basically what I want is: 1. Provision a bastion host. 2. Provision an RDS 3. Provision a K8s cluster. 4. Provision some other resources (DNS, S3 buckets, etc). 5. Deploy the app. 6. Be able to remove some of the resources (to reduce costs when not needed) while others should be always available. With that in mind, I wonder what's the best way to design the solution: 1. What should be the project (account, env, etc)? 2. What should be a stack? Dev, staging, production? The bastion host is one stack and the K8s cluster is another? 3. How to reference stacks? If anyone has a reference to how a "real-life" app should be provisioned and deployed with Pulumi, it would be a great help!

This is how I've approached this: •

project

is a "self-contained" workload that includes most dependencies for it to run •

stack

is the environment (dev, prod, test etc.) I then layer the projects (workloads): •

landing_zone

-> Configures identities, permissions and resources which are shared across workloads •

hubspoke

-> Provisions networking for an environment. This is where I usually have VPN or in your case a bastion host •

app_zone

-> Provisions an application runtime environment – container service, container registry, secret store, centralized logging, data stores shared by multiple applications (SQL/blob etc...) •

<app_workload> (multiple)

-> A single application workload, usually containerized All of these projects have dev/prod/test stacks and they will usually have dependencies in the form of stack references to upstream projects... `<app_workload>`s will require a reference to which

app_zone

it should run in. An app_zone will need a private network/subnet which it will reference from

hubspoke

and so on...