I'm currently bootstrapping an AWS organizations setup using pulumi. (prod/dev/... accounts, security accounts, ci access, etc. - I think in azure this concept is called "landing zone" but since this name refers to a specific product on AWS, I'm not using it here.)
What I want to do is:
- Create a bunch of new subaccounts (`aws.organizations.Account`)
- Deploy resources into these subaccounts (example: CI access, users, roles, etc.)
Here's what I tried - from what I remember, the "same" code works in Terraform:

```typescript
import { organizations, Provider } from "@pulumi/aws";

// the new member account; the parent account can assume `roleName` inside it
const account = new organizations.Account("account", {
  roleName: "some-role-name-for-the-parent-account-to-assume",
  ...
})

// a provider that assumes the member-account role
const provider = new Provider("subaccount-provider", {
  assumeRole: {
    roleArn: `arn:aws:iam::${account.id}:role/${account.roleName}`
  }
})

const otherResource = new WhateverAWSResource(
  "other-resource",
  { ... },
  // the role assumed by the provider will result in the resource being created in the subaccount
  { provider }
)
```
The issue now is that:
- The `Account` instance does not expose the `roleArn`
- String interpolation is not allowed in Pulumi since `account.id` and `account.roleName` are of type `Output<string>`
Question: Is there a way to make something like this work? Preferably:
- Without explicitly splitting the project/stacks at the `.yaml` level. This would require additional plumbing and feels very inelegant since it would introduce a lot of noise in the repo structure.
- Without using the automation API. I think the automation API is fine to make it work but it seems kind of non-idiomatic for this use case.
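The sticking point in the post is that `account.id` and `account.roleName` only exist after the account is created, so the role ARN has to be composed inside the deferred value rather than with a plain template string. The following is an added example, not the asker's code and not the Pulumi SDK: it implements a minimal stand-in for `pulumi.Output<T>` (`Deferred<T>`) and for the real `pulumi.interpolate` tagged template, so it runs without the SDK, and adds the check a cross-account provider configuration should have: the composed ARN is validated against the strict IAM role ARN shape (12-digit account id, role path/name) before anything would be allowed to assume it. The account id and role name are constructed sample values.

```typescript
// Added example (not the asker's code, not the Pulumi SDK): a minimal model of
// how Pulumi defers values. `Deferred<T>` stands in for pulumi.Output<T>, and
// `interpolate` for pulumi.interpolate; both are real @pulumi/pulumi APIs, but
// this file implements them locally so it runs without the SDK.

class Deferred<T> {
  constructor(private readonly compute: () => T) {}

  static of<T>(value: T): Deferred<T> {
    return new Deferred(() => value);
  }

  // Chain a transformation; nothing runs until get() is called.
  apply<U>(fn: (value: T) => U): Deferred<U> {
    return new Deferred(() => fn(this.compute()));
  }

  get(): T {
    return this.compute();
  }

  // A deferred value has no string form yet. Modelled as an error here; the
  // real Output.toString() instead returns a warning text, never the value.
  toString(): string {
    throw new Error("Deferred value cannot be interpolated directly; use interpolate`...` or apply()");
  }
}

// Tagged template that lifts `${}` placeholders into the deferred computation.
function interpolate(
  strings: TemplateStringsArray,
  ...values: Array<Deferred<string> | string>
): Deferred<string> {
  return new Deferred(() =>
    strings.reduce((acc, literal, i) => {
      const v = i < values.length ? values[i] : "";
      return acc + literal + (v instanceof Deferred ? v.get() : v);
    }, ""),
  );
}

// Strict IAM role ARN shape: exactly 12 account digits, then a role path/name.
const ROLE_ARN = /^arn:aws:iam::(\d{12}):role\/[\w+=,.@\/-]+$/;

// Build the ARN the parent-account provider will assume, and refuse to hand a
// malformed one (empty id, wrong partition, stray characters) to the provider.
function assumeRoleArn(accountId: Deferred<string>, roleName: Deferred<string>): Deferred<string> {
  return interpolate`arn:aws:iam::${accountId}:role/${roleName}`.apply((arn) => {
    if (!ROLE_ARN.test(arn)) {
      throw new Error(`refusing to configure provider with malformed role ARN: ${arn}`);
    }
    return arn;
  });
}

// Constructed stand-in for an aws.organizations.Account whose id and roleName
// are only known after the account is created.
const subaccount = {
  id: Deferred.of("123456789012"),
  roleName: Deferred.of("OrganizationAccountAccessRole"),
};

function example(): string {
  return assumeRoleArn(subaccount.id, subaccount.roleName).get();
}

function naiveInterpolation(): string {
  // `${subaccount.id}` calls toString() on the deferred value and fails,
  // which is the failure mode the post runs into with a plain template string.
  return `arn:aws:iam::${subaccount.id}:role/${subaccount.roleName}`;
}
```

With the real SDK the same composition is `pulumi.interpolate` over the account's outputs, e.g. `pulumi.interpolate\`arn:aws:iam::${account.id}:role/${account.roleName}\``, passed as `assumeRole.roleArn` to `new aws.Provider(...)`, with the ARN check done in an `.apply()` just as above. Pinning the partition and the 12-digit account id in the check matters because this ARN is the trust boundary between the management account and the member account: a provider that silently assumed a differently shaped ARN would deploy resources somewhere other than the intended subaccount.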