Question about Pulumi w/ AWS: Do you think in Pulumi it is a good idea to separate resources in one region managed in the same stack as another or use a secondary / explicit resource provider for each region in the same stack? I know it is a very subjective question, but was curious what some others were doing to control that blast radius?

We generally follow the stack pattern of:

stackName.environment.region

e.g.

cool-service.prod.us-west-1

If there are any required services in a specific region, the project explicitly declares a secondary explicit aws provider

wait.. stack names can contain dots? ..

We have a "primary region" and a concept of "base infrastructure". The base infrastructure has outputs that the "child" stacks use via StackReference. In the case where we need global infrastructure resources we do 1 of two things: 1. Treated as a manual one-off edge case and documented 2. Deployed with our "primary region" Some stacks only exist in one region, the primary region isn't always included for those projects.

All my use cases to date have called for separate region-based providers within a stack. If the prod stack has resources in two regions, then that's managed in one stack.

Nice. Thanks for the input on this

I missed this thread but we're following the 2nd pattern you describe above, where when one stack contains resources for multiple regions, all resources use an explicit provider

@alert-glass-49407 I agree — I prefer being explicit in these situations. It avoids surprises or confusion.

I had a mild panic attack when I realized that our SSO was misbehaving (not pulumi's or AWS' fault, to be clear 🙂) and I realized that the default provider for a complex multi-account-multi-region pulumi program might have deployed a ton of resources in a disjointed manner