Hello I am trying to setup something using pulumi,...
# general
b
Hello, I am trying to set up something using Pulumi. I've used it a few times in the past, but I think I want something simple that it seems isn't doable using a self-hosted state backend. The goal is to have multiple stacks (dev, staging, prod) and a tooling stack. dev and staging will share the same AWS account, and production a different one. We need some stack reference between prod and dev. But it seems we can't reference a stack if it is stored in a different account/S3 bucket than your current state file. Is there any workaround for this? The "best" workaround I can think of is to have a single state backend on S3, but that S3 bucket would be separate from the actual accounts, and all other accounts/IAM roles would have access to this bucket. So I would have an account only to store the states for all stacks and different accounts. What am I missing? I did search some GitHub issues and this indeed seems to be the case, but I am not 100% sure.
m
I think both your assessment of the requirements and the solution are on point. Having a separate account for infrastructure management (that can, in addition to state storage, include third-party secrets and the roles/service accounts used by deployment pipelines to obtain permissions in the accounts they deploy to) is a pattern I encounter frequently. It's also kind of what Pulumi Cloud provides as an external service.
l
I would say that having a different account for holding your state files than for your deployed resources is effectively essential. I've got myself into several catch-22s trying to reduce the number of accounts involved in this sort of thing, and my conclusion is that the state that Pulumi uses and the state that Pulumi manages should be kept as separate as possible. This makes the infrastructure easier to explain to new team members, keeps the boundaries clear, makes problem-solving easier, etc.
b
@little-cartoon-10569 and @modern-zebra-45309, do you set this up using a single S3 bucket in the infra account? I haven't tested it yet, but it seems to be the only way to reference stacks if they need to.
And thanks for the feedback!
l
Yes. One bucket for all Pulumi projects. The ones that are entirely separate can use different paths; if you want to be able to use StackReferences between projects, they need to share the same path.