
millions-umbrella-34765

10/20/2021, 8:28 PM
So I've made progress enabling GuardDuty for the organization with this code
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// pulumi import aws:organizations/organization:Organization myOrg o-4pxk9chgfxyz

const myOrg = new aws.organizations.Organization(
	"myOrg",
	{
		awsServiceAccessPrincipals: [
			"ram.amazonaws.com",
			"sso.amazonaws.com",
			"reporting.trustedadvisor.amazonaws.com",
			"cloudtrail.amazonaws.com",
			"guardduty.amazonaws.com"
		],
		featureSet: "ALL"
	},
	{
		protect: true
	}
);


//Configure GuardDuty for the organization

//creating a detector in the master acct enables GuardDuty
const masterAcctDetector = new aws.guardduty.Detector("masterAcctDetector", {});

//delegate the GuardDuty admin account to the security account (aws-security@my.com)
const securityAccountId = "405739590713";
const guardDutyOrganizationAdminAccount = new aws.guardduty.OrganizationAdminAccount("guardDutyOrganizationAdminAccount", {adminAccountId: securityAccountId}, {
	dependsOn: [myOrg],
});
But GD is only per region, but the organization is not specific to a region. To create a GD master account, I need to run this for each region, so I'll create a new stack for the region. Is it an issue that the org is defined in this file and doesn't apply to a region?

little-cartoon-10569

10/20/2021, 8:31 PM
It doesn't have to be an issue. You can either have a stack for the umbrella code (incl. GD), or a separate project, or a condition in your project to have that code run for only one stack.

millions-umbrella-34765

10/20/2021, 8:41 PM
hmm... the GD master account has dependsOn: [myOrg], so I don't think I can put a conditional around that. Originally, I thought I would have the org created in one project and then refer to it in a separate project for the GD master account... but I wasn't sure how to use dependsOn to refer to the org in another stack.

little-cartoon-10569

10/20/2021, 8:44 PM
You can't. Can you put those two resources in the same project + stack?
Pity that dependsOn is used for this. Would be nicer if an organization ID was used, or similar.

millions-umbrella-34765

10/20/2021, 8:48 PM
Well, that's what I'm trying to figure out how to do 🙂 I think what I need to do is use an explicit provider for the additional region.

little-cartoon-10569

10/20/2021, 8:48 PM
Do you not already do that?

millions-umbrella-34765

10/20/2021, 8:49 PM
yeah, as shown in my code snippet, I'm not using providers yet, and I haven't had to use them before, so this will be the first time.

little-cartoon-10569

10/20/2021, 8:50 PM
That is a very useful thing to do, in this situation and lots of others. For example, my project that manages backups has a normal AWS provider (region specific) and AWS provider for remote backups (hard coded to us-west-2 for cost reasons). Each stack has its own normal provider, and that 2nd provider gives access to resources that all stacks can see.

great-sunset-355

10/21/2021, 6:01 AM
Sounds like a "typical" problem of default providers. Personally, I'd recommend managing all providers yourself. It is a little bit more overhead but way worth it. If you are creating ComponentResources you can use the pulumi.ResourceOptions.merge() function to merge the opts passed in. Then inside the component I use the merge function to override the provider that may have come from opts:
import pulumi

# The class name, resource type token and app_config.aws_provider are
# assumed here; the posted snippet showed only the body of __init__.
class MyComponent(pulumi.ComponentResource):
    def __init__(self, name, app_config, opts=None):
        super().__init__("pkg:index:MyComponent", name, None, opts)
        self._config = app_config
        # merge parent options and override with child options
        self._opts = pulumi.ResourceOptions.merge(
            opts,
            pulumi.ResourceOptions(
                parent=self,
                provider=self._config.aws_provider,
            ),
        )
This way I make sure to not use the default provider. Also, make sure that each resource inside the component uses opts=self._opts.