https://pulumi.com logo
#aws
Title
# aws
t

tall-beard-99429

06/04/2021, 1:28 PM
I have a parent AWS account that has 2 child AWS accounts. 1 for prod and 1 for staging, the parent account has the user attached to it (currently) for pulumi to use. How can I make it so that we have both the parent and 1 of the children in use so that I can configure things for the production or staging environment?
I think this is something that a provider can help with, but I am struggling to find the documentation to confirm this
b

bored-oyster-3147

06/04/2021, 1:31 PM
your stack should create a
parentProvider
and a
environmentProvider
. Naming is up to you. But your config should pass in whatever information is necessary to authenticate to the
parentProvider
and the
environmentProvider
. Your stacks will have different config to pass to the
environmentProvider
(because you will have a prod and a staging stack). Then you will just pass your
parentProvider
into any resource declarations that belong to the top-level account, and your
environmentProvider
to any resource declarations that belong to whichever child account that stack is configured to use
t

tall-beard-99429

06/04/2021, 1:33 PM
Hi Joshua, i'm not sure what you mean by "your stack should create a parentProvider". Do you mean that my stack will have one, or that I should configure one?
b

bored-oyster-3147

06/04/2021, 1:33 PM
like you will actually declare a provider instance for each account and you will pass that around.
so you will be explicitly passing a provider to every resource
Or you could rely on inheritence, because resources will inherit the provider from their parent resource. But I prefer to be explicit in my pulumi code
t

tall-beard-99429

06/04/2021, 1:35 PM
Ok thanks, i'll give that a try now and let you know if i hit any other problems 🙂
🙌 1
Quick Q on the stack setup. I currently have 3 stacks,
shared
staging
and
production
is this a sensible setup? shared holds things like my DNS (which is on the parent) and staging / production will hold my relevant setup for each of those areas
b

bored-oyster-3147

06/04/2021, 1:36 PM
shared
should be a different project, because it is deployed separately. Rember that "stacks" are different instances of the same resources
so if
shared
contains different resources than it should be a different project
t

tall-beard-99429

06/04/2021, 1:37 PM
But there will be things in
staging
and / or
production
that will require access to
shared
resources
b

bored-oyster-3147

06/04/2021, 1:38 PM
yes stacks can reference other stacks across projects, that is fine.
StackReference
can do that or you can provide it via config, whatever works for you
t

tall-beard-99429

06/04/2021, 1:38 PM
Okay
Does that mean it has to reside in a different code base?
I don't see a way to specify the
project
via CLI
b

bored-oyster-3147

06/04/2021, 1:39 PM
It needs to be a separate pulumi program
t

tall-beard-99429

06/04/2021, 1:40 PM
Is there perhaps a better way I could set this up that doesn't require separate projects? Is it possible for pulumi to share state across 2 stacks so it doesn't try to duplicate those resources?
b

bored-oyster-3147

06/04/2021, 1:47 PM
the issue here isn't the sharing of state - that can be accomplished without any problem. The issue here is conceptually these are 2 different architectures and Pulumi's design is such that a project defines an architecture and a stack is an instance of that architecture. You have the first architecture which contains shared resources. This will be Pulumi Project 1 and it will declare your DNS resources, etc. It will have 1 stack because you only need 1 instance of these shared resources. Your second architecture is your application architecture. This will be Pulumi Project 2 and it will declare all of the resources for your application to run. You will have 2 stacks because you want 2 instances of this architecture (prod & staging). Part of this 2nd architecture is the fact that it refers to the single stack in Pulumi Project 1. All instances (stacks) of this architecture refer to that single stack in Pulumi Project 1.
👍 1
t

tall-beard-99429

06/04/2021, 1:48 PM
Ah okay, I understand you now
b

bored-oyster-3147

06/04/2021, 1:49 PM
cool, good luck! let me know if you need anymore help
t

tall-beard-99429

06/04/2021, 2:02 PM
How would the parentProvider work if the provider config is inside of a different project?
Ah wait, i think this is
StackReference
?
b

bored-oyster-3147

06/04/2021, 2:38 PM
well both projects need access to the parent account, right? So you will need a provider that is authenticated to the parent account in both projects.
You only need to reference the shared project if there is some output that you need from the resources that it declared. In which case you would make that output a stack output and then
StackReference
it from the other project.
t

tall-beard-99429

06/04/2021, 2:46 PM
One thing i'm struggling with here is using the correct config for the environment. With
StackReference
i don't seem to be able to get secrets / config?
new pulumi.Config()
doesn't seem to accept any StackReference params
and StackReference has
requireOutput
but not
requireSecret
b

bored-oyster-3147

06/04/2021, 2:46 PM
StackReference
is not meant to get config from another stack. Nor should you need to do that
t

tall-beard-99429

06/04/2021, 2:47 PM
How can I configure the parent provider if not with config?
b

bored-oyster-3147

06/04/2021, 2:47 PM
You use the config for the project you are in
t

tall-beard-99429

06/04/2021, 2:48 PM
So the architecture project needs to have the config for the shared account stored in it too?
b

bored-oyster-3147

06/04/2021, 2:48 PM
Does the architecture project need to create resources in the parent account? If so, yes.
t

tall-beard-99429

06/04/2021, 2:49 PM
ok
Thanks
b

bored-oyster-3147

06/04/2021, 2:50 PM
Alternatively, if you don't want Project 2 to be aware of what account the shared resources are in - than you should have Project 1's stack output the information you need to create your provider. Then you can
StackReference
and
.requireOutput()
that information
t

tall-beard-99429

06/04/2021, 2:56 PM
Looking at it now, i'm still not even sure if i'm doing the right thing here
In AWS organizations, I have 3 accounts, (shared, production, staging) with account IDs. I have on the root organization an IAM user that has programmatic access to everything. This is the user that I am using the access keys for. I can't seem to find a way to tell the AWS provider which account to send the API calls to, only to change the access key, but the access key is the same isn't it?
b

bored-oyster-3147

06/04/2021, 3:00 PM
At my company we use roles. So we have access keys that are configured in our environment, and we allow every provider we instantiate to just grab those same keys. But In order to tell the provider to place resources in a specific account we give it an
AssumeRoleArn
that has access to the desired account. So your IAM User has the permissions to assume the roles, and you tell the providers which role to assume which determines which account they act in
t

tall-beard-99429

06/04/2021, 3:01 PM
Is the role arn the account ARN?
IE
arn:aws:organizations::<orgid>:account/o-abc123/<account id>
?
b

bored-oyster-3147

06/04/2021, 3:03 PM
Ours look like
arn:aws:iam::{accountNumber}:role/{roleName}
You don't need the org ID or anything
and sometimes we use the default
OrganizationAccountAccessRole
so in that case it is
arn:aws:iam::{accountNumber}:role/OrganizationAccountAccessRole
t

tall-beard-99429

06/04/2021, 3:04 PM
ohh i see, this is to do with IAM roles
Ok, i'll look into them, thanks
🙌 1
2 Views