Why do I need multiple Accounts?

There are certain hard limits in AWS services that you can't raise, even with a support ticket. Make sure you don't hit them, otherwise scaling out will be a pain. Spreading workloads over several accounts keeps each one below those per-account limits, and as a side effect keeps prod, stage and dev isolated from each other.

WTF? How should I manage this in Terraform?

RTFM?

Also, this is basically built on my folder structure, which you can find here. Set up the provider (careful, this is 0.12 syntax: the version argument inside the provider block was deprecated in Terraform 0.13 in favour of a required_providers block). I will update this soon.

provider "aws" {
  version = "~> 3.11.0"  # the provider version
  region  = var.aws_region # some region you set in your variables
  profile = var.aws_profile # the name of your profile
}

Profile? Yes! The name of a named profile in your ~/.aws/config. Note the "profile " prefix in the section headers: only the default profile is written without it.

# ~/.aws/config: named profiles need the "profile " prefix, only [default] omits it
[profile backend-prod]
region=eu-central-1
output=json
[profile backend-stage]
region=eu-central-1
output=json
[profile backend-dev]
region=eu-central-1
output=json

So backend-prod would be one of your profiles. The matching IAM credentials (aws_access_key_id and aws_secret_access_key) go into ~/.aws/credentials, where the section is just [backend-prod] without the prefix. Keep in mind these are long-lived access keys, one pair per account; where you can, prefer a single source profile that assumes a role in the other accounts, so there is only one static secret to protect and rotate.

But we can (and must) set an alias to differentiate between our regions and/or accounts! Terraform allows only one provider "aws" block without an alias; every additional one needs a unique alias, and resources pick it via provider = aws.<alias>.

provider "aws" {
  alias   = "us-east-1"  # set an alias to differentiate providers!
  region  = "us-east-1"
  profile = var.aws_profile
  version = "~> 3.11.0"
}

provider "aws" {
  version = "~> 3.11.0"
  region  = var.aws_region
  alias   = "shop-dev" # set a different alias
  profile = "shop-dev" # use a different profile!
}

This is the complete config you have to add to main.tf in every folder of every environment where you want to access or manage resources across accounts or regions:

provider "aws" {
  version = "~> 3.11.0"
  region  = var.aws_region 
  profile = var.aws_profile
}

provider "aws" {
  alias   = "us-east-1"
  region  = "us-east-1"
  profile = var.aws_profile
  version = "~> 3.11.0"
}

provider "aws" {
  alias   = "us-west-1"
  region  = "us-west-1"
  profile = var.aws_profile
  version = "~> 3.11.0"
}

provider "aws" {
  version = "~> 3.11.0"
  region  = var.aws_region
  alias   = "shop-dev"
  profile = "shop-dev"
}
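As an added example that is not part of the original post: the same set of providers in Terraform 0.13+ syntax, where the version pin moves out of the provider blocks into required_providers. The cross-account provider here reaches the shop-dev account by assuming a role from the default profile's credentials instead of a second static key pair in ~/.aws/credentials; the account ID and role name in the ARN are placeholders you have to replace with your own.

```hcl
terraform {
  required_version = ">= 0.13"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.11.0" # from 0.13 on the pin lives here, not in the provider block
    }
  }
}

# default provider: the account and region of the folder you are working in
provider "aws" {
  region  = var.aws_region
  profile = var.aws_profile
}

# same account, different region
provider "aws" {
  alias   = "us-east-1"
  region  = "us-east-1"
  profile = var.aws_profile
}

# other account, reached by assuming a role with the default profile's credentials
# instead of storing a second key pair; account ID and role name are placeholders
provider "aws" {
  alias   = "shop-dev"
  region  = var.aws_region
  profile = var.aws_profile

  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/terraform-shop-dev" # placeholder
    session_name = "terraform"
  }
}
```

The role in the shop-dev account needs a trust policy that lets the principal behind var.aws_profile call sts:AssumeRole; the only long-lived secret is then the one in the source profile, and the session name shows up in CloudTrail of the target account, so you can see which changes came from Terraform.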

So you might want to change a Route53 record, but the hosted zone is managed in backend-dev and you are working in the shop-dev folder. Declare a provider with alias backend-dev (same pattern as the shop-dev alias above, but pointing at the backend-dev profile) and tell Terraform to use that provider for the record. The data source that looks up the zone has to use the same provider, otherwise Terraform searches for the zone in the wrong account.

provider "aws" {
  version = "~> 3.11.0"
  region  = var.aws_region
  alias   = "backend-dev" # alias referenced by the zone lookup and the record below
  profile = "backend-dev" # the profile from ~/.aws/config that owns the hosted zone
}

data "aws_route53_zone" "backend" {
  provider = aws.backend-dev    # look the zone up in the account that owns it
  name     = var.backend_zone_name # assumed variable holding the zone name, e.g. "shop.com."
}

resource "aws_route53_record" "shop_com" {
  provider = aws.backend-dev # create the record in the backend-dev account

  zone_id = data.aws_route53_zone.backend.zone_id
  name    = "preview-shop.${data.aws_route53_zone.backend.name}"
  type    = "A"

  alias {
    name                   = module.shop.lb_dns_name # the load balancer lives in shop-dev
    zone_id                = module.shop.lb_zone_id
    evaluate_target_health = true
  }
}
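An added sanity check, not part of the original post: before applying a cross-account change, confirm that each alias really resolves to the account you expect. aws_caller_identity returns the account ID the provider's credentials belong to, so a mis-configured profile shows up as a wrong number in terraform plan output instead of as a change in the wrong account. The alias name assumes a provider declared as aws.backend-dev, as above.

```hcl
# account behind the default provider (the folder you are working in)
data "aws_caller_identity" "current" {}

# account behind the cross-account alias
data "aws_caller_identity" "backend" {
  provider = aws.backend-dev
}

# compare these with the account IDs you expect before you run terraform apply
output "provider_accounts" {
  description = "Account ID behind each provider alias used in this folder"
  value = {
    default       = data.aws_caller_identity.current.account_id
    "backend-dev" = data.aws_caller_identity.backend.account_id
  }
}
```

Run terraform plan and check the two IDs in the output; if "backend-dev" shows the same ID as default, the alias is silently using the wrong profile and the record would be created in your own account's zone lookup (and fail) rather than in backend-dev.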