acoustic-plumber-13001
11/09/2022, 7:42 PM
Pulumi.dev.yaml and Pulumi.prod.yaml
Each of these files has a single aws:allowedAccountIds account id. They also each set a single aws:profile.
While on our dev stack I ran pulumi up and.... Pulumi created some of the resources in AWS account #1 (dev) and others in AWS account #2 (prod)!
Honestly I'm absolutely astounded this is even remotely possible. It seems to me even with the allowedAccountIds and aws:profile config options set, pulumi sometimes, somehow just decides to use the [default] credentials in ./aws/credentials. Has anyone else experienced this? This is not the first time I've experienced strange AWS credential issues with Pulumi. This seems extremely, extremely bad.
little-cartoon-10569
11/09/2022, 7:56 PM
acoustic-plumber-13001
11/09/2022, 8:00 PM
// Create an ACM certificate in us-east-1.
let cert = new aws.acm.Certificate("cert", {
    domainName: "foo.com",
    validationMethod: "EMAIL",
}, { provider: useast1 });
For every single resource you create, explicitly pass a provider? If that's what you meant, then when creating the provider object, you need to use pulumi "get environment"?
little-cartoon-10569
11/09/2022, 8:03 PM
pulumi.getStack() or similar anywhere except index.ts. It makes unit testing very hard.
acoustic-plumber-13001
11/09/2022, 8:07 PM
Use option inheritance in ComponentResources, and you're good.
Meaning, you don't need to explicitly set provider on every resource, only on parent resources, correct? All child resources can inherit from that. And thanks, these things should be explained in the pulumi "getting started" docs.
little-cartoon-10569
11/09/2022, 8:08 PM
acoustic-plumber-13001
11/09/2022, 8:10 PM
aws:allowedAccountIds seems really bad
little-cartoon-10569
11/09/2022, 8:11 PM
const nestResource = new Bucket(`${name}-discriminator`, { /* args */ }, { ...opts, parent: this });
allowedAccountIds. It's listed in https://www.pulumi.com/registry/packages/aws/api-docs/provider/#allowedaccountids_nodejs but not documented. Does it ever work?
acoustic-plumber-13001
11/09/2022, 8:17 PM
aws:allowedAccountIds and aws:profile
Our .dev.yaml:
[default] from aws/credentials, or one named [prodpulumi]
I'm glad I caught this early, could have been quite bad if I had been attempting to delete or edit existing resources in dev account.