b
Hi, I am curious, which strategy to organize your Pulumi projects did you choose regarding service principals/managed identities and role assignments? For example, considering 2 applications and 1 database:

opt1:
• application1-project: Contains the resources for the first application and its managed identity.
• application2-project: Contains the resources for the second application and its managed identity.
• database-project: Contains the database resources and the role assignments for both application-managed identities.

opt2:
• application1-project: Contains the resources for the first application, its managed identity, and the role assignment to the database.
• application2-project: Contains the resources for the second application, its managed identity, and the role assignment to the database.
• database-project: Contains only the database resources.

opt3:
• application1-project: Contains the resources for the first application.
• application2-project: Contains the resources for the second application.
• identity-management-project: Manages the creation of managed identities and their role assignments.
• database-project: Contains the database resources.
g
> 2 applications and 1 database

TBF this sounds like a recipe for disaster. Otherwise I am usually trying to avoid cross-project dependencies because it is never without pain. My rule of thumb is: if the resource is free and there are no service limits => make many clones (roles, identities, etc…). Good candidates for shared resources are low-level components, like a network (VPC, subnets). In your case I’d opt for opt2.