Question around best practices.
We are currently upscaling to multi-region deployments and creating our stack from scratch.
We created an AWS organisation and we will be creating different accounts here for different prod accounts.
We have existing IAM admin users in our management AWS account and they will be used for assuming a role into the different test/prod accounts to interact with those accounts.
I am wondering what is the best practice with pulumi. How we are visualising our suite at present is to have projects with multiple stacks where each stack is pointing to an environment.
However regarding the creds for the AWS account we are under a slight dilemma.
We have considered two options, both we like and dislike at the same time.
1. Create IAM users in the child AWS accounts as well and use those credentials for Pulumi. However, with a growing number of regions this means a fair amount of creds to store and switch between each stack deployment.
2. Use the IAM user in the management account and use that single set of credentials for all resources and stacks by creating a provider which assumes the role, making the account ID configurable. However, this means we will need to pass the provider into every resource we create, and if someone misses using the provider it'll be devastating.
I am wondering if there are any best practices that Pulumi suggests in this scenario.
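One way to lay out the second option, as an added example that is not from the original post: the project name, role name, region and account ID are placeholders, and the `aws:assumeRole` keys in the stack config are the Pulumi AWS provider's own settings for the default provider.

```yaml
# Pulumi.yaml: one project; one stack per child account and region.
name: platform
runtime: yaml
config:
  targetAccountId:
    type: string
  region:
    type: string
  deployRoleName:
    type: string
    default: PulumiDeploy       # placeholder role name present in each child account
resources:
  # Option 2 as written: an explicit provider whose credentials come from the
  # management-account user assuming a role in the child account.
  target:
    type: pulumi:providers:aws
    properties:
      region: ${region}
      assumeRole:
        roleArn: arn:aws:iam::${targetAccountId}:role/${deployRoleName}
        sessionName: pulumi-${pulumi.stack}
  appBucket:
    type: aws:s3:BucketV2
    options:
      provider: ${target}       # omit this and the bucket lands in the management account
---
# Pulumi.prod-eu.yaml: per-stack config. The aws:* keys make the DEFAULT
# provider assume the same role, so a resource that forgets options.provider
# still deploys into the intended account instead of the management account.
config:
  platform:targetAccountId: "111111111111"   # placeholder account ID
  platform:region: eu-west-1
  aws:region: eu-west-1
  aws:assumeRole:
    roleArn: arn:aws:iam::111111111111:role/PulumiDeploy
    sessionName: pulumi-prod-eu
```

With the default provider configured per stack, the only credentials stored anywhere are the management-account user's, and the child account is selected by `pulumi stack select` rather than by remembering to pass a provider.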