# general
b
I use this all the time and it works great. How are you setting the config value?
a
We have two different AWS accounts - one for prod, and one for dev/uat. So for each stack, I'm setting:
```yaml
config:
  aws:allowedAccountIds:
    - XXXXXXXXXXX
```
to only allow deploys to the correct account.
b
Do you use an explicit provider in your code? Are those the resources that end up in the wrong account?
a
Sorry for the delay. Yes, I am using a provider for all pulumi resources. We have a multi-region setup so all resources use a regional based provider for AWS.
```csharp
// One explicit AWS provider per region. Region is the only ProviderArg set here.
providerByRegion[region] = new Pulumi.Aws.Provider(
    $"aws-{region.Id()}",
    new Pulumi.Aws.ProviderArgs { Region = region.SystemName },
    new CustomResourceOptions().WithAliases(new()
    {
        new Alias { Name = $"aws-{region.SystemName}" }
    }));

// Resource options that route every regional resource through that provider.
customOptionsByRegion[region] = new CustomResourceOptions()
{
    Provider = providerByRegion[region],
    Parent = providerByRegion[region]
};

vpcByRegion[region] = new Vpc($"{region.Id()}-vpc", new()
{
    CidrBlock = CidrBlock.Cidr(),
    EnableDnsHostnames = true,
    EnableDnsSupport = true,
}, customOptionsByRegion[region]);
```
So I suppose different resources in different regions have a different provider, but they are all part of the same AWS account... or at least should be.
b
You need to add the allowed account ids to that provider as well then, in that case
a
Ohh okay. So if I add something like this to the YAML config file..?

```yaml
config:
  aws:allowedAccountIds:
    - XXXXXXXXXXX
  aws-use1:allowedAccountIds:
    - XXXXXXXXXXX
  aws-euc1:allowedAccountIds:
    - XXXXXXXXXXX
```

Another thought - could I give them all the same `aws` alias? If I did that, would they all reference the same accounts in `aws:allowedAccountIds`?
Something like...

```csharp
providerByRegion[region] = new Pulumi.Aws.Provider(
    $"aws-{region.Id()}",
    new Pulumi.Aws.ProviderArgs { Region = region.SystemName },
    new CustomResourceOptions().WithAliases(new()
    {
        new Alias { Name = $"aws-{region.SystemName}" },
        new Alias { Name = "aws" }  // extra alias shared by every regional provider
    }));
```
b
No you need to do it directly in your provider instantiation in your code
a
Sorry I'm not following you - I'm pretty new to Pulumi. Can you clarify what you mean? I need to add the `allowedAccountIds` setting directly to the provider?
b
So, you see how you're setting the region in `Pulumi.Aws.ProviderArgs`? Another ProviderArg is `allowedAccountIds`, so when you instantiate your provider, pass the values there (untested code):

```csharp
providerByRegion[region] = new Pulumi.Aws.Provider(
    $"aws-{region.Id()}",
    new Pulumi.Aws.ProviderArgs
    {
        // Restricts this provider to the listed account(s); "11111111" is a placeholder.
        AllowedAccountIds = { "11111111" },
        Region = region.SystemName
    },
    new CustomResourceOptions().WithAliases(new()
    {
        new Alias { Name = $"aws-{region.SystemName}" },
        new Alias { Name = "aws" }
    }));
```
a
Ooh I see... So then something like this should do it (also untested code)...

```csharp
using System.Collections.Generic;

// Read the account allow-list from the stack config ("aws" namespace,
// i.e. aws:allowedAccountIds) and pass it to every regional provider.
var config = new Pulumi.Config("aws");
var allowedAccountIds = config.RequireObject<List<string>>("allowedAccountIds");

providerByRegion[region] = new Pulumi.Aws.Provider(
    $"aws-{region.Id()}",
    new Pulumi.Aws.ProviderArgs
    {
        AllowedAccountIds = allowedAccountIds,
        Region = region.SystemName
    },
    new CustomResourceOptions().WithAliases(new()
    {
        new Alias { Name = $"aws-{region.SystemName}" }
    }));
```
b
yep!
a
Awesome... I'll give that a try tomorrow. Thank you very much @billowy-army-68599!