https://pulumi.com
Join Slack
This message was deleted.
# pulumi-deployments
s
This message was deleted.
f
Copy code
# Create new subaccount
new_account = organizations.Account(
    client_name,
    email=email,
    close_on_deletion=True,
    role_name=role_name,
    name=client_name,
    iam_user_access_to_billing="ALLOW",
)

account_id = ""
while not account_id:
    # This is how we get the ID of 'new_account'
    organization = organizations.get_organization()
    for account in organization.accounts:
        if account.name == client_name:
            account_id = str(account.id)

# Intermediate provider that will assume admin role on the newly created account
iam_role_provider = Provider(
    resource_name="admin-provider",
    profile="mf",
    assume_role={"role_arn": f"arn:aws:iam::{account_id}:role/{role_name}"},
    skip_metadata_api_check=False,
    skip_credentials_validation=True,
)

# Create new S3 bucket
bucket = s3.Bucket(
    client_name,
    acl="private",
    versioning=s3.BucketVersioningArgs(
        enabled=True,
    ),
    bucket=client_name,
    opts=ResourceOptions(provider=iam_role_provider),
)

iam_for_lambda = iam.Role(
    "iamForLambda",
    assume_role_policy="""{
"Version": "2012-10-17",
"Statement": [
    {
    "Action": "sts:AssumeRole",
    "Principal": {
        "Service": "<http://lambda.amazonaws.com|lambda.amazonaws.com>"
    },
    "Effect": "Allow",
    "Sid": ""
    }
]
}
""",
    opts=ResourceOptions(provider=iam_role_provider),
)

# This is the lambda function we will deploy
lambda_function = lambda_.Function(
    resource_name=lambda_name,
    name=lambda_name,
    code=FileArchive("package/"),
    handler="XXXX",
    runtime=lambda_runtime,
    layers=get_latest_layers(
        [
            "XXXX",
        ]
    ),
    role=iam_for_lambda.arn,
    opts=ResourceOptions(provider=iam_role_provider),
)
What is weird is that the named provider can assume the admin role in the new subaccount and create a bucket but then fails to create a lambda.
r
Hmm... it doesn't look like the assumed role in the new account is define din this code so I can't tell, but does it have permissions to create a lambda?
f
@red-match-15116 as far as I understand, the field 
role_name
when creating a new account, will make that role an admin of the new account which is the one the Provider is assuming. At least that is how I understood it works.
r
Ah yep I see that now. I'm honestly not sure, but it seems related to aws permissions rather than pulumi deployments specifically. you might have more luck in #CRH5ENVDX? I would probably try to investigate the 
rolename
role in the new account and make sure it has the right permissions using the permissions simulator
👍 1
Open in Slack
PreviousNext
Powered by

Pulumi Community

No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Powered by