pulumi/aws - create resources in newly created organizations account

Time:10-19

I'm currently bootstrapping an AWS Organizations setup using Pulumi (prod/dev/... accounts, security accounts, CI access, etc. - I think in Azure this concept is called "landing zone", but since this name refers to a specific product on AWS, I'm not using it here).

What I want to do is

  1. Create a bunch of new subaccounts aws.organizations.Account
  2. Deploy resources into these subaccounts (example: ci access, users, roles, etc)

Here's what I tried. From what I remember, the "same" code works in Terraform:

import { organizations, Provider } from "@pulumi/aws"

const account = new organizations.Account("account", {
  roleName: "some-role-name-for-the-parent-account-to-assume",
  ...
})

const provider = new Provider("subaccount-provider", {
  assumeRole: {
    // plain template literal on two Output<string> values - this is what does not work
    roleArn: `arn:aws:iam::${account.id}:role/${account.roleName}`
  }
})

const otherResource = new WhateverAWSResource(
  "other-resource",
  { ... },
  // the role assumed by the provider will result in the resource being created in the subaccount
  { provider }
)

The issue now is that:

  • The Account instance does not expose the roleArn
  • String interpolation is not allowed in pulumi since account.id and account.roleName are of type Output<string>

Question: Is there a way to make something like this work? Preferably

  • Without explicitly splitting the project/stacks at the -.yaml level. This would require additional plumbing and feels very inelegant, since it would introduce a lot of noise in the repo structure.
  • Without using the automation API.

I think the automation API is fine to make it work, but it seems kind of non-idiomatic for this use case.

CodePudding user response:

String interpolation is not allowed in pulumi since account.id and account.roleName are of type Output

You could use pulumi.all to map an array of outputs into an output that wraps the array (works similarly to Promise.all).

For strings, pulumi.interpolate or pulumi.concat might be even better (see the docs).

Example (pulumi.interpolate):

import * as pulumi from "@pulumi/pulumi"

const provider = new Provider("subaccount-provider", {
  assumeRole: {
    // Output-aware template literal: resolves to an Output<string> once account.id is known
    roleArn: pulumi.interpolate`arn:aws:iam::${account.id}:role/${account.roleName}`
  }
})