I'm currently bootstrapping an AWS Organizations setup using Pulumi (prod/dev/... accounts, security accounts, CI access, etc. I think in Azure this concept is called a "landing zone", but since this name refers to a specific product on AWS, I'm not using it here).
What I want to do is `aws.organizations.Account`
Here's what I tried. From what I remember, the "same" code works in Terraform:
```typescript
import { organizations, Provider } from "@pulumi/aws";

const account = new organizations.Account("account", {
    roleName: "some-role-name-for-the-parent-account-to-assume",
    ...
});

const provider = new Provider("subaccount-provider", {
    assumeRole: {
        // account.id and account.roleName are Output<string> values, which a plain
        // template literal cannot turn into the ARN string
        roleArn: `arn:aws:iam::${account.id}:role/${account.roleName}`,
    },
});

const otherResource = new WhateverAWSResource(
    "other-resource",
    { ... },
    // the role assumed by the provider will result in the resource being created in the subaccount
    { provider }
);
```
The issue now is that:

- the `Account` instance does not expose the roleArn
- `account.id` and `account.roleName` are of type `Output<string>`
Question: Is there a way to make something like this work? Preferably -.yaml level. This would require additional plumbing and feels very inelegant, since it would introduce a lot of noise in the repo structure. I think the Automation API is fine to make it work, but it seems kind of non-idiomatic for this use case.
String interpolation is not allowed in Pulumi since `account.id` and `account.roleName` are of type `Output`.
You could use `pulumi.all` to map an array of outputs into an output that wraps the array (works similarly to `Promise.all`).

For strings, `pulumi.interpolate` or `pulumi.concat` might be even better (see the docs).

Example (`pulumi.interpolate`):
```typescript
import * as pulumi from "@pulumi/pulumi";
import { Provider } from "@pulumi/aws";

const provider = new Provider("subaccount-provider", {
    assumeRole: {
        // pulumi.interpolate lifts the Output<string> placeholders into one Output<string>
        roleArn: pulumi.interpolate`arn:aws:iam::${account.id}:role/${account.roleName}`,
    },
});
```
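As an added example (not code from the question, the answer, or Pulumi itself), the following models the lifting behaviour the answer relies on with a small synchronous stand-in for `Output`, `all` and `interpolate`: it shows what the question's plain template literal actually produces, how `pulumi.all` + `apply` and `pulumi.interpolate` yield the real ARN, and adds a validation of the account id and role name before the ARN would reach a provider. The `Output` class, `AccountLike`, the regexes and the sample account values are assumptions made for this example.

```typescript
// Minimal synchronous stand-in for pulumi.Output, assumed for this example only:
// Pulumi's real Output is promise-based, but the lifting rules modelled here are the same.
class Output<T> {
  constructor(private readonly resolve: () => T) {}
  static of<T>(value: T): Output<T> { return new Output(() => value); }
  // Like Output.apply(): transform the eventual value, producing a new Output.
  apply<U>(fn: (value: T) => U): Output<U> { return new Output(() => fn(this.resolve())); }
  // Demo-only escape hatch; real Pulumi never hands you the value synchronously.
  get(): T { return this.resolve(); }
}

// Stand-in for pulumi.all, narrowed to two outputs: one Output wrapping both values.
function all<A, B>(a: Output<A>, b: Output<B>): Output<[A, B]> {
  return new Output<[A, B]>(() => [a.get(), b.get()]);
}

// Stand-in for pulumi.interpolate: a tagged template that lifts Output placeholders.
function interpolate(strings: TemplateStringsArray, ...values: unknown[]): Output<string> {
  return new Output(() => {
    let text = strings[0];
    values.forEach((v, i) => { text += String(v instanceof Output ? v.get() : v) + strings[i + 1]; });
    return text;
  });
}

// The two aws.organizations.Account fields the question uses; both are Outputs in Pulumi.
interface AccountLike { id: Output<string>; roleName: Output<string | undefined>; }

// The question's plain template literal: the Output objects get stringified (real Pulumi
// yields a warning text here, this stand-in "[object Object]"), never the real ARN.
function naiveRoleArn(account: AccountLike): string {
  return `arn:aws:iam::${account.id}:role/${account.roleName}`;
}

// pulumi.all + apply, as in the answer. Inside apply() the values are plain strings, so a normal
// template literal is fine; the validation is an addition so a malformed account id or a missing
// role name fails here instead of surfacing later as an AssumeRole error on the provider.
const ACCOUNT_ID = /^\d{12}$/;           // AWS account IDs are exactly 12 digits
const ROLE_NAME = /^[\w+=,.@-]{1,64}$/;  // IAM role-name character set and length limit
function subAccountRoleArn(account: AccountLike): Output<string> {
  return all(account.id, account.roleName).apply(([id, roleName]) => {
    if (!ACCOUNT_ID.test(id)) throw new Error(`unexpected account id ${JSON.stringify(id)}`);
    if (roleName === undefined || !ROLE_NAME.test(roleName)) throw new Error(`bad role name ${JSON.stringify(roleName)}`);
    return `arn:aws:iam::${id}:role/${roleName}`;
  });
}

// pulumi.interpolate, the answer's shorter form: the placeholders are lifted for you.
function roleArnViaInterpolate(account: AccountLike): Output<string> {
  return interpolate`arn:aws:iam::${account.id}:role/${account.roleName}`;
}

// Constructed sample standing in for `new organizations.Account(...)` from the question.
const account: AccountLike = { id: Output.of("123456789012"), roleName: Output.of<string | undefined>("some-role-name-for-the-parent-account-to-assume") };
```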