This message was deleted.
# generals
sparse-intern-71089
02/09/2023, 4:29 PMThis message was deleted.
b
billowy-army-68599
02/09/2023, 4:48 PM
I use this all the time and it works great. How are you setting the config value?
a
abundant-dawn-11116
02/09/2023, 4:49 PMWe have two different AWS accounts - one for prod, and one for dev/uat. So for each stack, I'm setting:
Copy code
config:
aws:allowedAccountIds:
- XXXXXXXXXXXb
billowy-army-68599
02/09/2023, 4:50 PM
Do you use an explicit provider in your code? Are those the resources that end up in the wrong account?
a
abundant-dawn-11116
02/10/2023, 6:16 PMSorry for the delay. Yes, I am using a provider for all pulumi resources.
We have a multi-region setup so all resources use a regional based provider for AWS.
Copy code
providerByRegion[region] = new Pulumi.Aws.Provider($"aws-{region.Id()}", new Pulumi.Aws.ProviderArgs { Region = region.SystemName }, new CustomResourceOptions().WithAliases(new() { new Alias { Name = $"aws-{region.SystemName}" } }));
customOptionsByRegion[region] = new CustomResourceOptions() { Provider = providerByRegion[region], Parent = providerByRegion[region] };
vpcByRegion[region] = new Vpc($"{region.Id()}-vpc", new()
{
CidrBlock = CidrBlock.Cidr(),
EnableDnsHostnames = true,
EnableDnsSupport = true,
}, customOptionsByRegion[region]);abundant-dawn-11116
02/10/2023, 6:21 PMSo I suppose different resources in different regions have a different provider, but they all are part of the same AWS account.. or at least should be.
b
billowy-army-68599
02/10/2023, 8:24 PM
You need to add the allowed account ids to that provider as well then, in that case
a
abundant-dawn-11116
02/10/2023, 8:55 PMOhh okay. So if i add something like this to the yaml config file..?
Copy code
config:
aws:allowedAccountIds:
- XXXXXXXXXXX
aws-use1:allowedAccountIds:
- XXXXXXXXXXX
aws-euc1:allowedAccountIds:
- XXXXXXXXXXXabundant-dawn-11116
02/10/2023, 9:00 PMAnother thought - could I give them all the same
awsaws:allowedAccountIdsabundant-dawn-11116
02/10/2023, 9:01 PMSomething like...
Copy code
providerByRegion[region] = new Pulumi.Aws.Provider($"aws-{region.Id()}", new Pulumi.Aws.ProviderArgs { Region = region.SystemName }, new CustomResourceOptions().WithAliases(new() { new Alias { Name = $"aws-{region.SystemName}" }, new Alias { Name = "aws" } }));b
billowy-army-68599
02/10/2023, 10:14 PM
No you need to do it directly in your provider instantiation in your code
a
abundant-dawn-11116
02/12/2023, 4:23 PMSorry I'm not following you - I'm pretty new to Pulumi. Can you clarify what you mean? I need to add the
allowedAccountIdsb
billowy-army-68599
02/12/2023, 4:26 PM
So, you see how you’re setting the region in
Pulumi.Aws.ProviderArgsallowedAccountIdsbillowy-army-68599
02/12/2023, 4:27 PM
billowy-army-68599
02/12/2023, 4:27 PM
so when you instantiation your provider, pass the values there
untested code:
Copy code
providerByRegion[region] = new Pulumi.Aws.Provider($"aws-{region.Id()}", new Pulumi.Aws.ProviderArgs { AllowedAccountIds = [ "11111111" ], Region = region.SystemName }, new CustomResourceOptions().WithAliases(new() { new Alias { Name = $"aws-{region.SystemName}" }, new Alias { Name = "aws" } }));🙌 1
a
abundant-dawn-11116
02/12/2023, 4:33 PMOoh I see.. So then something like this should do it (also untested code)..
Copy code
var config = new Pulumi.Config("aws");
var allowedAccountIds = config.RequireObject<List<string>>("allowedAccountIds");
providerByRegion[region] = new Pulumi.Aws.Provider($"aws-{region.Id()}", new Pulumi.Aws.ProviderArgs { AllowedAccountIds = allowedAccountIds, Region = region.SystemName }, new CustomResourceOptions().WithAliases(new() { new Alias { Name = $"aws-{region.SystemName}" } }));b
billowy-army-68599
02/12/2023, 4:34 PM
yep!
a
abundant-dawn-11116
02/12/2023, 4:35 PMAwesome.. I'll give that a try tomorrow. Thank you very much @billowy-army-68599!