# aws
So I've made progress enabling GuardDuty for the organization with this code
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// pulumi import aws:organizations/organization:Organization myOrg o-4pxk9chgfxyz

const myOrg = new aws.organizations.Organization("myOrg", {
    awsServiceAccessPrincipals: [
        // the pasted snippet cut this list off; delegating GuardDuty
        // administration needs at least this service principal (assumption)
        "guardduty.amazonaws.com",
    ],
    featureSet: "ALL",
}, {
    protect: true, // imported resource: refuse to delete it on `pulumi destroy`
});

// Configure GuardDuty for the organization

// creating a detector in the master acct enables GuardDuty
const masterAcctDetector = new aws.guardduty.Detector("masterAcctDetector", {});

// delegate the GuardDuty admin account to the security account
const securityAccountId = "405739590713";
const guardDutyOrganizationAdminAccount = new aws.guardduty.OrganizationAdminAccount(
    "guardDutyOrganizationAdminAccount",
    { adminAccountId: securityAccountId },
    { dependsOn: [myOrg] },
);
```
But GD is only per region, whereas the organization is not specific to a region. To create a GD master account, I need to run this for each region, so I'll create a new stack for the region. Is it an issue that the org is defined in this file and doesn't apply to a region?
It doesn't have to be an issue. You can either have a stack for the umbrella code (incl. GD), or a separate project, or a condition in your project to have that code run for only one stack.
hmm... the GD master account has `dependsOn: [myOrg]`, so I don't think I can put a conditional around that. Originally, I thought I would have the org created in one project and then refer to it in a separate project for the GD master account... but I wasn't sure how to refer to the org in another stack.
You can't. Can you put those two resources in the same project + stack?
Pity that dependsOn is used for this. Would be nicer if an organization ID was used, or similar..
Well, that's what I'm trying to figure out how to do 🙂 I think what I need to do is use an explicit provider for the additional region.
Do you not already do that?
yeah, as shown in my code snippet, not using providers yet. And I haven't had to use them before, so this will be the first time.
That is a very useful thing to do, in this situation and lots of others. For example, my project that manages backups has a normal AWS provider (region specific) and AWS provider for remote backups (hard coded to us-west-2 for cost reasons). Each stack has its own normal provider, and that 2nd provider gives access to resources that all stacks can see.
Sounds like a "typical" problem of default providers. Personally, I'd recommend managing all providers yourself. It is a little bit more overhead but way worth it. If you are creating a `ComponentResource`, you can use the `ResourceOptions.merge` function to merge the `ResourceOptions` passed in. Then inside the component I use the merged options to override the provider that may have come from the parent:
```python
self._config = app_config
# merge parent options and override with child options
self._opts = pulumi.ResourceOptions.merge(parent_opts, child_opts)
```
This way I make sure to not use the default provider. Also, make sure that each resource inside the component uses