No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Golden rule: never use any default provider. Always create and use explicit providers.

Thanks <@U012UJTT55M>   I've read the pulumi aws docs time and again, but still not sure what that means. I think it means:

```// Create an ACM certificate in us-east-1.
let cert = new aws.acm.Certificate("cert", {
    domainName: "<http://foo.com|foo.com>",
    validationMethod: "EMAIL",
}, { provider: useast1 });```
For every single resource you create, explicitly pass a provider? If that's what you meant, then when creating the provider object, you need to use pulumi "get environment"?

Yes, it's that. Link: <https://www.pulumi.com/docs/intro/concepts/resources/options/provider/>
However you don't need to get environment anywhere outside of your index.ts. Create all the providers you need in index.ts, then pass them around. Use option inheritance in ComponentResources, and you're good.

You should avoid calling `pulumi.getStack()` or similar antwhere except index.ts. It makes unit testing very hard.

&gt;  Use option inheritance in ComponentResources, and you're good.
Meaning, you don't need to explicitly set provider on _every_ resource, only on parent resources correct? All children resources can inherit from that.

And thanks, these things should be explained in the pulumi "getting started" docs

I think at getting started level, default provider is okay, and examples never use component resources. But the getting-started-with-component-resources docs should definitely include "best practices" like this.

Agreed. I'll submit a github issue, but the fact that pulumi could "accidentally" deploy resources to an aws account that is not listed in `aws:allowedAccountIds` seems really bad

Yes, you don't need to define providers inside components that have been given a provider, they inherit. However, I recommend always explicitly inheriting _all_ options, because that's good for opts like protect, additionalSecretOutputs and ignoreChanges:
```const nestResource = new Bucket(`${name}-discriminator`, { /* args */ }, { ...opts, parent: this });```

I don't know about `allowedAccountIds`. It's listed in <https://www.pulumi.com/registry/packages/aws/api-docs/provider/#allowedaccountids_nodejs> but not documented. Does it ever work?

It didn't just now. Deployed 10 resources to our dev account, 1 resource to our prod account. On a totally new stack, with .dev.yaml and .prod.yaml, including both `aws:allowedAccountIds` and `aws:profile`   Our .dev.yaml:

Either used the `[default]`  from aws/credentials, or one named `[prodpulumi]`  I'm glad I caught this early, could have been quite bad if I had been attempting to delete or edit existing resources in dev account

Thanks again <@U012UJTT55M> much appreciated