I'm currently bootstrapping an AWS organizations setup using pulumi. (prod/dev/... accounts, security accounts, ci access, etc. - I think in azure this concept is called "landing zone" but since this name refers to a specific product on AWS, I'm not using it here.)
What I want to do is
aws.organizations.AccountHere's what I tried - From what I remember, the "same" code works in terraform:
const account = new organizations.Account("account", {
roleName: "some-role-name-for-the-parent-account-to-assume",
...
})
const provider = new Provider("subaccount-provider", {
assumeRole: {
roleArn: `arn:aws:iam::${account.id}:role/${account.roleName}`
}
})
const otherResource = new WhateverAWSResource(
"other-resource",
{ ... },
// the role assumed by the provider will result in the resource being created in the subaccount
{ provider }
)
The issue now is that:
Account instance does not expose the roleArnaccount.id and account.roleName are of type Output<string>Question: Is there a way to make something like this work? Preferably
-.yaml level. This would require additional plumbing and feels very unelegant since it would introduce a lot of noise in the repo structure.I think the automation API is fine to make it work but it seems kind of non-ideomatic for this use case.
String interpolation is not allowed in pulumi since account.id and account.roleName are of type Output
You could use pulumi.all to map an array of outputs into an output that wraps the array (works similarly to Promise.all).
For strings, pulumi.interpolate or pulumi.concat might be even better (see the docs).
Example (pulumi.interpolate):
const provider = new Provider("subaccount-provider", {
assumeRole: {
roleArn: pulumi.interpolate`arn:aws:iam::${account.id}:role/${account.roleName}`
}
})