elegant-dog-76355
03/02/2023, 9:17 PM
`Pulumi.yaml` instead of using the environment variable `PULUMI_BACKEND_URL`. Is this correct? This would have the limitation of having one backend per project and cannot have one per stack.
If I only have a backend per project in the `Pulumi.yaml` file and that backend is stored in S3 `AWS Account 1111111` but each stack [*dev*|*stage*|*prod*] is per AWS Account `222222`|`3333333`|`4444444`, how do I configure `Pulumi`/`Github Actions` to use `AWS Account 1111111` for the backend operation but deploy the resources in the case of dev in `AWS Account 222222`?
At the moment I have the following in `GitHub actions`, but this only works if the backend and the resources being deployed are in the same AWS Account:
```yaml
- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v1-node16
  with:
    aws-region: ${{ env.AWS_REGION }}
    role-to-assume: ${{ secrets.AWS_DEV_PULUMI_ROLE }}
    role-session-name: OIDCSession
- name: Deploy changes to Infra
  uses: pulumi/actions@v4
  with:
    command: up
    stack-name: ${{ env.PULUMI_DEV_INFRA_STACK }}
    work-dir: ${{ env.PULUMI_DEV_INFRA_CWD }}
  env:
    PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_INFRA_DEV_ACCESS_TOKEN }}
```
little-cartoon-10569
03/02/2023, 9:25 PM
`pulumi login <backend>` before `pulumi stack select`.
billowy-army-68599
03/02/2023, 9:27 PM
elegant-dog-76355
03/02/2023, 9:30 PM
echoing-dinner-19531
03/02/2023, 9:32 PM
> we don’t yet support per stack backends

Just to set expectations, I don't think we'll ever support this. The backend tells us the stack, it's very flipped logic to somehow get a stack to tell us what backend to use.
little-cartoon-10569
03/02/2023, 9:36 PM
elegant-dog-76355
03/02/2023, 9:44 PM
`dev` and another for `staging` etc. I have been deploying to AWS for a while now with different customers and it has always been the case that each of these environments (`dev`|`stage`|`prod`) are in different AWS accounts. Coming from a terraform/cloudformation background this is a pretty standard setup.
Your comment "The backend tells us the stack" now makes sense why this would not be supported. I just need to get my head around a bit more on how pulumi works 🙂
Very happy to go ahead and try out @little-cartoon-10569's suggestion
billowy-army-68599
03/02/2023, 9:46 PM
elegant-dog-76355
03/02/2023, 9:59 PM
`dev_backend.config` which contains the following:
```hcl
bucket         = "terraform-backend-eks-hello-dev"
region         = "eu-west-1"
key            = "terraform-backend-eks-hello-dev/eu-west-1/dev/terraform.tfstate"
dynamodb_table = "dynamo-terraform-state-lock"
encrypt        = true
```
Then in GitHub Actions you pass this file into terraform to initialise the setup:
```yaml
- name: Terraform Init
  run: |
    terraform init -input=false -backend=true -backend-config="backend.config"
  shell: bash
  working-directory: ${{ env.TF_EKS_ENTRY_POINT }}
```
You can then have a backend file called `prod_backend.config` and so on. Terragrunt is a great tool for keeping your code DRY but you don't need it to support multiple backends.
Again, thanks for all the advice on this. Only first week with Pulumi so I have a lot to learn
billowy-army-68599
03/02/2023, 10:02 PM
`terraform init` phase is analogous to `pulumi login`
little-cartoon-10569
03/02/2023, 10:06 PM
bitter-carpenter-93554
03/04/2023, 1:36 AM
```yaml
backend:
  url: s3://${AWS_BUCKET}?region=us-east-1
```
```bash
export PULUMI_BACKEND_URL="s3://your-bucket?region=us-east-1"
```
elegant-dog-76355
03/04/2023, 8:39 AM
`pulumi login` cmd because if that fails you can catch and react to the error, but that's just my opinion 1 week in using pulumi :-)