Not strictly necessary. Mainly to:
- Keep tfstate centralized
- Use a single `AWS_PROFILE` (`mgmt`) when applying things locally

In order to do it, we'd have to:
- Move tfstate buckets and lock tables to the `mgmt` account.
- Add an `assume_role` block to the AWS providers (aws & awscc), interpolating against a role/account id per account:

```hcl
provider "aws" {
  [...]
  assume_role {
    role_arn     = "arn:aws:iam::<account_id>:role/impersonate-from-mgmt"
    session_name = "tofu-<account_friendly_name>"
  }
  [...]
}
```

- Run `terragrunt` from the `mgmt` AWS profile: `export AWS_PROFILE=notifycal-mgmt`
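The steps above, wired together in a root `terragrunt.hcl`, as an added example that is not the project's own configuration: state for every account lands in one bucket and lock table in the `mgmt` account (reached directly with the `mgmt` profile's credentials), while the generated `aws` and `awscc` provider blocks assume the per-account `impersonate-from-mgmt` role. The account ids, bucket name, lock-table name, region and the `accounts` map are placeholders, and the `<root>/<account>/<module>` directory layout used to derive the target account is an assumption.

```hcl
# terragrunt.hcl (root) -- added example, not the project's own config.
# All ids, names and the directory layout below are assumed placeholders.

locals {
  state_bucket = "example-tfstate-mgmt"  # placeholder; bucket lives in the mgmt account
  lock_table   = "example-tfstate-locks" # placeholder; table lives in the mgmt account
  aws_region   = "eu-west-1"             # placeholder

  # One entry per target account (placeholder ids); the friendly name
  # becomes the session name so CloudTrail shows which account a session targeted.
  accounts = {
    dev  = "222222222222"
    prod = "333333333333"
  }

  # Assumed layout: <root>/<account_friendly_name>/<module>/terragrunt.hcl
  account_name = basename(dirname(get_terragrunt_dir()))
  account_id   = local.accounts[local.account_name]
}

# Centralized state: every account's state is keyed per account/module in the
# mgmt bucket. The backend uses the ambient credentials (AWS_PROFILE=<mgmt profile>),
# not the assumed role, so only the mgmt principal needs bucket/table access.
remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    bucket         = local.state_bucket
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = local.aws_region
    encrypt        = true
    dynamodb_table = local.lock_table
  }
}

# Provider blocks with assume_role into the per-account role, interpolated
# from the account map so the same root config serves every account.
generate "provider" {
  path      = "provider.tf"
  if_exists = "overwrite_terragrunt"
  contents  = <<-EOF
    provider "aws" {
      region = "${local.aws_region}"
      assume_role {
        role_arn     = "arn:aws:iam::${local.account_id}:role/impersonate-from-mgmt"
        session_name = "tofu-${local.account_name}"
      }
    }

    provider "awscc" {
      region = "${local.aws_region}"
      assume_role {
        role_arn     = "arn:aws:iam::${local.account_id}:role/impersonate-from-mgmt"
        session_name = "tofu-${local.account_name}"
      }
    }
  EOF
}
```

Running `export AWS_PROFILE=<mgmt profile>` followed by `terragrunt plan` inside `<root>/dev/<module>` then reads state from the mgmt bucket and plans against the `dev` account through the assumed role. On the receiving side, the `impersonate-from-mgmt` role in each member account should trust only the mgmt account's principal in its trust policy, so that holding `mgmt` credentials is the single thing that grants cross-account access; the distinct `session_name` per account keeps the resulting sessions attributable in CloudTrail.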