
abundant-dawn-11116

02/09/2023, 4:29 PM
Hi Everyone. Quick question regarding the aws:allowedAccountIds config setting - I've noticed that even with using this setting, there are cases where I've accidentally connected to the wrong AWS account, which has caused all sorts of issues where the stack then references resources in two different accounts. From there, I get a bunch of access denied errors, which makes sense because I'm connected to one AWS account but referencing another. Am I missing something here? What I was hoping for is that Pulumi would stop in its tracks as soon as it finds that it is referencing a non-approved account. Is there a better setting to use to achieve this? Does forbiddenAccountIds work any differently?

billowy-army-68599

02/09/2023, 4:48 PM
I use this all the time and it works great. How are you setting the config value?

abundant-dawn-11116

02/09/2023, 4:49 PM
We have two different AWS accounts - one for prod, and one for dev/uat. So for each stack, I'm setting:
config:
  aws:allowedAccountIds:
    - XXXXXXXXXXX
to only allow deploys to the correct account.

billowy-army-68599

02/09/2023, 4:50 PM
Do you use an explicit provider in your code? Are those the resources that end up in the wrong account?

abundant-dawn-11116

02/10/2023, 6:16 PM
Sorry for the delay. Yes, I am using a provider for all Pulumi resources. We have a multi-region setup, so all resources use a region-based provider for AWS.
// One explicit AWS provider per region; only the region is set on it here.
providerByRegion[region] = new Pulumi.Aws.Provider(
    $"aws-{region.Id()}",
    new Pulumi.Aws.ProviderArgs { Region = region.SystemName },
    new CustomResourceOptions().WithAliases(new() { new Alias { Name = $"aws-{region.SystemName}" } }));

// Resource options that route every resource in this region through that provider.
customOptionsByRegion[region] = new CustomResourceOptions()
{
    Provider = providerByRegion[region],
    Parent = providerByRegion[region],
};

// Example resource created with the regional provider.
vpcByRegion[region] = new Vpc($"{region.Id()}-vpc", new()
{
    CidrBlock = CidrBlock.Cidr(),
    EnableDnsHostnames = true,
    EnableDnsSupport = true,
}, customOptionsByRegion[region]);
So I suppose different resources in different regions have a different provider, but they all are part of the same AWS account.. or at least should be.

billowy-army-68599

02/10/2023, 8:24 PM
You need to add the allowed account IDs to that provider as well then, in that case.

abundant-dawn-11116

02/10/2023, 8:55 PM
Ohh okay. So if I add something like this to the YAML config file..?
config:
  aws:allowedAccountIds:
    - XXXXXXXXXXX
  aws-use1:allowedAccountIds:
    - XXXXXXXXXXX
  aws-euc1:allowedAccountIds:
    - XXXXXXXXXXX
Another thought - could I give them all the same aws alias? If I did that, would they all reference the same accounts in aws:allowedAccountIds?
Something like...
providerByRegion[region] = new Pulumi.Aws.Provider(
    $"aws-{region.Id()}",
    new Pulumi.Aws.ProviderArgs { Region = region.SystemName },
    new CustomResourceOptions().WithAliases(new()
    {
        new Alias { Name = $"aws-{region.SystemName}" },
        new Alias { Name = "aws" },
    }));

billowy-army-68599

02/10/2023, 10:14 PM
No, you need to do it directly in your provider instantiation in your code.

abundant-dawn-11116

02/12/2023, 4:23 PM
Sorry I'm not following you - I'm pretty new to Pulumi. Can you clarify what you mean? I need to add the allowedAccountIds setting directly to the provider?

billowy-army-68599

02/12/2023, 4:26 PM
So, you see how you're setting the region in Pulumi.Aws.ProviderArgs? Another ProviderArg is allowedAccountIds, so when you instantiate your provider, pass the values there. Untested code:
providerByRegion[region] = new Pulumi.Aws.Provider(
    $"aws-{region.Id()}",
    new Pulumi.Aws.ProviderArgs
    {
        // Restrict this explicit provider to the approved account (placeholder ID).
        // A string[] converts implicitly to InputList<string>.
        AllowedAccountIds = new[] { "11111111" },
        Region = region.SystemName,
    },
    new CustomResourceOptions().WithAliases(new()
    {
        new Alias { Name = $"aws-{region.SystemName}" },
        new Alias { Name = "aws" },
    }));

abundant-dawn-11116

02/12/2023, 4:33 PM
Ooh I see.. So then something like this should do it (also untested code)..
using System.Collections.Generic;

// Read the list from the stack config key aws:allowedAccountIds so the explicit
// providers use the same approved account(s) as the default provider.
var config = new Pulumi.Config("aws");
var allowedAccountIds = config.RequireObject<List<string>>("allowedAccountIds");

providerByRegion[region] = new Pulumi.Aws.Provider(
    $"aws-{region.Id()}",
    new Pulumi.Aws.ProviderArgs
    {
        AllowedAccountIds = allowedAccountIds, // List<string> converts implicitly to InputList<string>
        Region = region.SystemName,
    },
    new CustomResourceOptions().WithAliases(new() { new Alias { Name = $"aws-{region.SystemName}" } }));

billowy-army-68599

02/12/2023, 4:34 PM
yep!

abundant-dawn-11116

02/12/2023, 4:35 PM
Awesome.. I'll give that a try tomorrow. Thank you very much @billowy-army-68599!