# getting-started
f
When organizing projects and stacks for core infrastructure resources (IAM, GuardDuty, CloudTrail) across all AWS accounts, is the preferred approach to have a single "infra" project that contains the resources that belong in each account and then have a stack in that project for each account ("root", "dev", "prod", "networking", "ops")? If so, what if you want to conditionally create resources in some accounts and not others, say a role in only the ops account and not the others? Are there downsides to wrapping resources with `if (config.accountName === "ops") {...}` or is that even possible? I'm coming from TF and am possibly trying to fit Pulumi to the patterns in TF and that may be a bad idea. Any guidance would be great!
i
1. You can get the current stack off the Pulumi Context (depends on language); you could condition on that.
2. I've been setting configuration values inside each stack, if I want something to be optional, e.g. see https://www.pulumi.com/docs/intro/concepts/config/#code
f
Alright, I can do that. I was also thinking I could represent separate AWS accounts as separate projects and then create a component resource (which I'm guessing is like a TF module?) to create all account-level resources and pass in options for enabling or disabling resources per account. One example of using conditionals per stack is creating the AWS org and account resources in the `root` AWS account. I don't/can't create those resources in the other accounts like `dev` or `ops`, so I'd wrap those resources and exports in a conditional that checks if the stack is the root account stack. Then when I need to access the account IDs for the various accounts in the IAM roles for the member accounts, I would just reference the root account stack outputs. I guess all of this can be done in the same project using different stacks. I worry about the complexity at scale, but I haven't come across any documentation or examples of this. Again, this is just me applying the patterns I learned from terragrunt/terraform and there is probably a different pattern in Pulumi that's better.