Is there any way to get Pulumi to perform a sanity...
# general
b
Is there any way to get Pulumi to perform a sanity check about which AWS account it is interacting with? We use several different AWS accounts for security reasons. While I definitely want to be able to apply different stacks to different accounts, accidentally applying a stack to a different account than where it was created causes a big mess.
You can set a config value for each stack and provide that on the provider.
w
Here's a snippet I use to do something like this:
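```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// `region` and `assumeRoleArn` are defined elsewhere in the program.

// Create a 1st class provider so we can explicitly connect to an assumeRole account.  Also log the account number so we
// know we are targeting the right one!
const awsProvider = new aws.Provider("testing", {
    region: region,
    assumeRole: {
        roleArn: assumeRoleArn,
    },
});
// Invoke options (including the provider) go in the second argument; the first is the function's own args.
aws.getCallerIdentity({}, { provider: awsProvider }).then(identity => {
    pulumi.log.info(`Account: ${identity.accountId}`, awsProvider);
});
```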
The key part is really the last three lines of code. The rest is just to use an explicit provider to be more clear on how I want to configure my AWS connection. The result is you'll get a log entry in `preview` and `update` with the account being used for the deployment.
b
oh sweet, those are both good options. Thank you!
o
that means all code that implements/builds objects has to be passed that provider, correct?
w
There are two (mostly unrelated) parts to the example above:
1. Logging the caller identity - this can be used in any project
2. Using an explicit `new aws.Provider`.
For (2), yes, you need to then pass that provider to all resources. The easiest way to do this is to put your resources inside components, have all child resources mark themselves as `parent: this` within the component, and then pass the provider itself just at the places you construct the component. Children of a component (and grandchildren, etc.) will inherit the provider.