tall-beard-99429
06/04/2021, 1:28 PMbored-oyster-3147
06/04/2021, 1:31 PMparentProvider
and a environmentProvider
. Naming is up to you. But your config should pass in whatever information is necessary to authenticate to the parentProvider
and the environmentProvider
. Your stacks will have different config to pass to the environmentProvider
(because you will have a prod and a staging stack).
Then you will just pass your parentProvider
into any resource declarations that belong to the top-level account, and your environmentProvider
to any resource declarations that belong to whichever child account that stack is configured to usetall-beard-99429
06/04/2021, 1:33 PMbored-oyster-3147
06/04/2021, 1:33 PMtall-beard-99429
06/04/2021, 1:35 PMshared
staging
and production
is this a sensible setup? shared holds things like my DNS (which is on the parent) and staging / production will hold my relevant setup for each of those areasbored-oyster-3147
06/04/2021, 1:36 PMshared
should be a different project, because it is deployed separately. Rember that "stacks" are different instances of the same resourcesshared
contains different resources than it should be a different projecttall-beard-99429
06/04/2021, 1:37 PMstaging
and / or production
that will require access to shared
resourcesbored-oyster-3147
06/04/2021, 1:38 PMStackReference
can do that or you can provide it via config, whatever works for youtall-beard-99429
06/04/2021, 1:38 PMproject
via CLIbored-oyster-3147
06/04/2021, 1:39 PMtall-beard-99429
06/04/2021, 1:40 PMbored-oyster-3147
06/04/2021, 1:47 PMtall-beard-99429
06/04/2021, 1:48 PMbored-oyster-3147
06/04/2021, 1:49 PMtall-beard-99429
06/04/2021, 2:02 PMStackReference
?bored-oyster-3147
06/04/2021, 2:38 PMStackReference
it from the other project.tall-beard-99429
06/04/2021, 2:46 PMStackReference
i don't seem to be able to get secrets / config?new pulumi.Config()
doesn't seem to accept any StackReference paramsrequireOutput
but not requireSecret
bored-oyster-3147
06/04/2021, 2:46 PMStackReference
is not meant to get config from another stack. Nor should you need to do thattall-beard-99429
06/04/2021, 2:47 PMbored-oyster-3147
06/04/2021, 2:47 PMtall-beard-99429
06/04/2021, 2:48 PMbored-oyster-3147
06/04/2021, 2:48 PMtall-beard-99429
06/04/2021, 2:49 PMbored-oyster-3147
06/04/2021, 2:50 PMStackReference
and .requireOutput()
that informationtall-beard-99429
06/04/2021, 2:56 PMbored-oyster-3147
06/04/2021, 3:00 PMAssumeRoleArn
that has access to the desired account. So your IAM User has the permissions to assume the roles, and you tell the providers which role to assume which determines which account they act intall-beard-99429
06/04/2021, 3:01 PMarn:aws:organizations::<orgid>:account/o-abc123/<account id>
?bored-oyster-3147
06/04/2021, 3:03 PMarn:aws:iam::{accountNumber}:role/{roleName}
OrganizationAccountAccessRole
so in that case it is arn:aws:iam::{accountNumber}:role/OrganizationAccountAccessRole
tall-beard-99429
06/04/2021, 3:04 PM