Pulumi-based AWS infrastructure with IAM, budget controls, GitHub OIDC, and CloudWatch dashboards. Group-based permissions, per-user region restrictions, and cost enforcement.
Expert guidance for managing Pulumi-based AWS infrastructure with comprehensive budget control, IAM management, GitHub OIDC authentication, and CloudWatch monitoring.
The repository is organized as follows:
```
src/
├── iam/ # Group-based IAM system
│ ├── groups.ts # Service groups with AWS managed policies
│ └── index.ts # IAM exports
├── identity-provider/ # GitHub OIDC authentication
│ ├── github-oidc.ts # OIDC provider + IAM roles
│ ├── types.ts # TypeScript interfaces
│ ├── config.ts # GitHub org & repo configuration
│ └── index.ts
├── budget/
│ ├── control.ts # User creation with groups
│ ├── enforcement.ts # SNS topic configuration
│ └── index.ts
├── lambda-src/ # Lambda enforcement functions
├── dashboard.ts # CloudWatch cost dashboard
├── constants.ts # Global configuration
├── members.ts # Team member definitions
├── index.ts # Main entry point
└── infra.ts # Stack outputs & summaries
```
Type-check, preview, and deploy:
```bash
bun run type-check
pulumi preview
pulumi up
bun run deploy:like-a-boss
```
Inspect stacks and read deployment outputs (credentials are secrets, so `--show-secrets` is required to print them):
```bash
pulumi stack ls
pulumi stack select <stack-name>
pulumi stack output userCredentials --show-secrets --json
pulumi stack output consoleAccess --show-secrets --json
pulumi stack output githubOIDCProviderArn
pulumi stack output githubActionsRoleArns --json
pulumi stack output kmsKeyArn
```
Define team members with this interface:
```typescript
interface TeamMemberWithBudget {
  username: string;
  services: ServiceName[]; // Required restriction groups
  monthlyBudgetUSD: number;
  needsConsoleAccess?: boolean; // Console login
  needsAccessKey?: boolean; // Programmatic access
  regions?: Region[]; // Per-user region restrictions
  budgetAlerts?: {
    warningThreshold: number;
    criticalThreshold: number;
    emails: string[];
  };
}
```
Configure the GitHub OIDC provider and its roles in `src/identity-provider/config.ts`:
```typescript
export const githubOIDCConfig: GitHubOIDCProviderConfig = {
  githubOrganization: "your-org",
  roles: [
    {
      id: "infrastructure-admin-cd",
      description: "Admin role for infrastructure deployment",
      policies: [
        "AdministratorAccess", // AWS managed policy
        // "arn:aws:iam::123:policy/custom", // Custom policy ARN
      ],
      repositories: ["infrastructure", "terraform-modules"],
    },
  ],
  providerTags: {
    motive: "ci-cd github actions",
    ManagedBy: "Pulumi",
  },
};
```
Assume a role from a GitHub Actions workflow (the `id-token: write` permission is what lets the job request an OIDC token):
```yaml
permissions:
  id-token: write # Required for OIDC
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: sa-east-1
      - name: Deploy
        run: pulumi up --yes
```
To add a GitHub Actions role:
1. Edit `src/identity-provider/config.ts`
2. Add role to `roles` array
3. Run `bun run type-check`
4. Deploy: `pulumi up`
5. Get ARN: `pulumi stack output githubActionsRoleArns --json`
6. Add ARN as GitHub secret
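The security-relevant part of a role entry is the trust policy it produces: the role must be assumable only by workflows of the listed repositories, not by any GitHub repository that can obtain an OIDC token. The following TypeScript is an added example, not the project's own `github-oidc.ts`. It derives that trust policy from a config entry shaped like the one above, pinning the `aud` claim to `sts.amazonaws.com` and limiting the `sub` claim to `repo:<org>/<repo>:*` for each configured repository, and it includes a small matcher to check which `sub` claims the policy would accept. The field names mirror the config above; the type names, the placeholder provider ARN, and the helper functions are assumptions for this example.

```typescript
// Added example (not the project's code): derive the IAM trust policy for one
// GitHub Actions role from a config entry shaped like the page's
// GitHubOIDCProviderConfig. Field names (githubOrganization, roles, id, description,
// policies, repositories) come from the page; the type names, the provider ARN and
// the helper functions are assumptions for this example.

type OidcRoleConfig = {
  id: string;
  description: string;
  policies: string[];
  repositories: string[];
};

type OidcProviderConfig = {
  githubOrganization: string;
  roles: OidcRoleConfig[];
};

// Issuer of GitHub's workflow tokens; IAM condition keys are prefixed with it.
const GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com";

// Placeholder: the real provider ARN is the stack output githubOIDCProviderArn.
const PLACEHOLDER_PROVIDER_ARN =
  "arn:aws:iam::000000000000:oidc-provider/token.actions.githubusercontent.com";

function escapeRegex(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

function buildGithubTrustPolicy(providerArn: string, organization: string, role: OidcRoleConfig): string {
  if (role.repositories.length === 0) {
    throw new Error(`role ${role.id}: at least one repository must be listed`);
  }
  // A GitHub `sub` claim looks like "repo:<org>/<repo>:ref:refs/heads/main" or
  // "repo:<org>/<repo>:environment:prod". "repo:<org>/<repo>:*" scopes the role to the
  // listed repositories without pinning a branch. Wildcards and slashes in a repo name
  // are rejected so a typo cannot widen trust to every repository in the organization.
  const subjects = role.repositories.map((repo) => {
    if (repo.includes("*") || repo.includes("?") || repo.includes("/")) {
      throw new Error(`role ${role.id}: "${repo}" must be a plain repository name`);
    }
    return `repo:${organization}/${repo}:*`;
  });
  const policy = {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: { Federated: providerArn },
        Action: "sts:AssumeRoleWithWebIdentity",
        Condition: {
          // The audience that aws-actions/configure-aws-credentials requests.
          StringEquals: { [`${GITHUB_OIDC_ISSUER}:aud`]: "sts.amazonaws.com" },
          // Only workflows from the listed repositories may assume the role.
          StringLike: { [`${GITHUB_OIDC_ISSUER}:sub`]: subjects },
        },
      },
    ],
  };
  return JSON.stringify(policy, null, 2);
}

// Would a token carrying this `sub` claim satisfy the policy's StringLike condition?
function subjectIsTrusted(policyJson: string, sub: string): boolean {
  const policy = JSON.parse(policyJson) as {
    Statement: { Condition: { StringLike: Record<string, string[]> } }[];
  };
  return policy.Statement.some((st) => {
    const patterns = st.Condition.StringLike[`${GITHUB_OIDC_ISSUER}:sub`] ?? [];
    return patterns.some((pattern) => {
      // IAM's "*" matches any run of characters; translate it into a regex.
      const re = new RegExp("^" + pattern.split("*").map(escapeRegex).join(".*") + "$");
      return re.test(sub);
    });
  });
}

// Constructed sample mirroring the page's config.ts entry.
const adminRole: OidcRoleConfig = {
  id: "infrastructure-admin-cd",
  description: "Admin role for infrastructure deployment",
  policies: ["AdministratorAccess"],
  repositories: ["infrastructure", "terraform-modules"],
};
const sampleConfig: OidcProviderConfig = { githubOrganization: "your-org", roles: [adminRole] };

const adminTrustPolicy = buildGithubTrustPolicy(
  PLACEHOLDER_PROVIDER_ARN, sampleConfig.githubOrganization, adminRole);
console.log(adminTrustPolicy);
```

With this shape, a token for `repo:your-org/infrastructure:ref:refs/heads/main` is accepted while `repo:other-org/infrastructure:...` and `repo:your-org/infrastructure-fork:...` are not; if a role should only deploy from one branch or environment, tighten the `sub` pattern further instead of relying on the repository name alone.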
**CRITICAL**: Requires Node.js 23.6.0+ for Pulumi operations.
For GitHub Actions:
```yaml
uses: actions/setup-node@v4
with:
  node-version: "23.6.0"
```
Always use `.ts` extensions due to `"moduleResolution": "bundler"`:
```typescript
import {something} from "./file.ts"
import {ServiceName} from "@/iam" // Path aliases supported
```
Use `:` separator in cost filters:
```typescript
"CreatedBy:username" // ✅ Correct
"CreatedBy$username" // ❌ Wrong
```
Use runtime constants:
```typescript
aws.lambda.Runtime.NodeJS20dX // ✅ Correct
"nodejs20.x" // ❌ Wrong
```
When deploying infrastructure changes:
1. ✅ Run `bun run type-check` (must pass)
2. ✅ Run `pulumi preview` (review resources)
3. ✅ Verify team member emails in `src/members.ts`
4. ✅ Check budget amounts and service arrays
5. ✅ Verify region restrictions per user
6. ✅ Deploy with `pulumi up`
7. ✅ Verify user credentials output
8. ✅ Test group memberships in AWS Console
9. ✅ Test OIDC roles from GitHub Actions (if applicable)
Security principles applied by this infrastructure:
1. **Group-Based Permissions**: Users inherit permissions through IAM groups, not inline policies
2. **AWS Managed Policies**: Use production-ready AWS managed policies where possible
3. **Per-User Region Restrictions**: Each user can have custom allowed regions
4. **Instance Type Restrictions**: Enforce cost-effective instance types
5. **IAM Operation Restrictions**: Prevent privilege escalation
6. **User-Friendly Passwords**: 8+ chars, mixed case + numbers, symbols optional
7. **OIDC over Access Keys**: Use keyless GitHub Actions authentication
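Principles 3 to 5 are enforced in IAM as explicit denies layered on top of the groups' managed policies; because an explicit deny overrides any allow, this layer is what actually bounds a user regardless of which managed policy a group attaches. The following TypeScript is an added example, not the project's `src/iam` code. It builds that deny-side policy document for one user and includes a small evaluator showing which sample requests it blocks, including the pitfall that `StringNotEquals` on `aws:RequestedRegion` also denies global services (which carry no region) unless they are carved out with `NotAction`. The allowed regions, instance types, global-service list, and escalation action list are assumed values for this example; the project's own lists are not on the page.

```typescript
// Added example (not the project's code): the deny-only policy document that backs
// the page's "Per-User Region Restrictions", "Instance Type Restrictions" and
// "IAM Operation Restrictions" principles, plus a small evaluator that answers
// "would this request be denied?" for sample requests. The region list, instance
// types, global-service carve-out and escalation action list are assumptions.

type RestrictionSpec = {
  username: string;
  allowedRegions: string[];
  allowedInstanceTypes: string[];
};

type DenyStatement = {
  Sid: string;
  Effect: "Deny";
  Action?: string[];
  NotAction?: string[];
  Resource: string;
  Condition?: { StringNotEquals: Record<string, string[]> };
};

// Global services carry no aws:RequestedRegion; without this carve-out the region
// deny would block them as well (negated operators match when the key is absent).
const GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "cloudfront:*", "route53:*", "support:*", "budgets:*"];

// IAM operations through which a user could grant themselves more than the group allows.
const IAM_ESCALATION_ACTIONS = [
  "iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
  "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
  "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
  "iam:AddUserToGroup", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
  "iam:PassRole", "iam:UpdateAssumeRolePolicy",
];

function buildRestrictionPolicy(spec: RestrictionSpec): string {
  const regionCode = /^[a-z]{2}-[a-z]+-\d$/;
  if (spec.allowedRegions.length === 0 || !spec.allowedRegions.every((r) => regionCode.test(r))) {
    throw new Error(`${spec.username}: allowedRegions must be a non-empty list of region codes`);
  }
  if (spec.allowedInstanceTypes.length === 0) {
    throw new Error(`${spec.username}: allowedInstanceTypes must not be empty`);
  }
  const statements: DenyStatement[] = [
    {
      Sid: "DenyOutsideAllowedRegions",
      Effect: "Deny",
      NotAction: GLOBAL_SERVICE_ACTIONS,
      Resource: "*",
      Condition: { StringNotEquals: { "aws:RequestedRegion": spec.allowedRegions } },
    },
    {
      Sid: "DenyDisallowedInstanceTypes",
      Effect: "Deny",
      Action: ["ec2:RunInstances"],
      Resource: "arn:aws:ec2:*:*:instance/*",
      Condition: { StringNotEquals: { "ec2:InstanceType": spec.allowedInstanceTypes } },
    },
    { Sid: "DenyIamPrivilegeEscalation", Effect: "Deny", Action: IAM_ESCALATION_ACTIONS, Resource: "*" },
  ];
  return JSON.stringify({ Version: "2012-10-17", Statement: statements }, null, 2);
}

// IAM action patterns are case-insensitive globs where "*" matches any run of characters.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.split("*").map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + escaped.join(".*") + "$", "i").test(action);
}

type AccessRequest = { action: string; context: Record<string, string> };

// Evaluates only the deny statements above (resources are ignored). An explicit deny
// wins over any allow, so a true result means the request fails regardless of the
// managed policies attached to the user's groups.
function isDenied(policyJson: string, req: AccessRequest): boolean {
  const policy = JSON.parse(policyJson) as { Statement: DenyStatement[] };
  return policy.Statement.some((st) => {
    const covered = st.Action
      ? st.Action.some((pattern) => actionMatches(pattern, req.action))
      : !(st.NotAction ?? []).some((pattern) => actionMatches(pattern, req.action));
    if (!covered) return false;
    if (!st.Condition) return true;
    return Object.entries(st.Condition.StringNotEquals).every(([key, allowed]) => {
      const actual = req.context[key];
      // StringNotEquals is satisfied when the key is absent from the request context.
      return actual === undefined || !allowed.includes(actual);
    });
  });
}

// Constructed sample user; sa-east-1 is the region the page's workflow deploys to.
const alicePolicy = buildRestrictionPolicy({
  username: "alice",
  allowedRegions: ["sa-east-1"],
  allowedInstanceTypes: ["t3.micro", "t3.small"],
});
console.log(alicePolicy);
```

Running the evaluator against the sample user shows `ec2:DescribeInstances` in `us-east-1` and `ec2:RunInstances` with an `m5.24xlarge` denied, `sts:GetCallerIdentity` and `iam:GetUser` still permitted through the carve-out, and `iam:AttachUserPolicy` denied outright; a request with no `aws:RequestedRegion` in its context is denied by the first statement, which is why the global-service `NotAction` list has to be maintained alongside the region list.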
After deployment, retrieve user credentials, console access details, the GitHub OIDC provider and role ARNs, and the KMS key ARN with the `pulumi stack output` commands listed above.
# Download SKILL.md from killerskills.ai/api/skills/aws-pulumi-infrastructure-management/raw