Do you have recommendations on how to set up AWS m...
# aws
Do you have recommendations on how to set up AWS multi-account with self-managed backend? Related Questions: • use one backend (e.g 1 S3 state file) or several ones • how to manage RBAC (per state, project and stack) • use AWS accounts for different environments (dev, staging, prod) or leverage stacks for those? • ...
Pulumi scopes the state of a specific stack by project if you use self-managed backends (e.g. S3). When deciding whether to use multiple backends, you need to think about stack references. Stack references do not work across different backends. Depending on whether you use different backends or not you could do the following for RBAC: If you're using different backends you can use the S3 path to represent organizational hierarchy and create the necessary IAM roles to grant teams only access to their designated prefix (e.g.
). If you end up using the same backend you could establish a convention for the project name (e.g. ``my-org_my-team_my-project`). Then you could do the same prefix based IAM policies. For the account structure I'd recommend you to use multiple AWS accounts. The reason for that is 1) access control and 2) account wide quotas: • It's easier to prevent unallowed access to production systems that way. • Many AWS services have account wide quotas (Lambda for example) and that could cause impact across environments. For example, a load test in the dev environment could cause an outage in the prod environment if it reaches the Lambda concurrency limit of the account.
Thanks @quick-house-41860, that helps a lot!
We are thinking of setting up a first backend just to manage the users and to manage their access to the s3 state file. Then, we have a second backend that is used for all resources. In the second backend, We would for example have a repo for shared resources and repositories with code and respective infrastructure for specific resources. We are thinking of leveraging the providers to make sure that only certain users with required permissions/roles can "deploy to production". We would do so via configuring the provider via the stack configuration.
Does that make sense? Is there a "better" way to do it?
Is there a pulumi template repo or so which shows how to manage the s3-prefix-based IAM policies?