With the AWS guidance to separate environments into separate AWS accounts and the release of AWS Control Tower which makes setting up the multiple accounts with self-provisioning of new accounts through the Service Catalog, I’m attempting to work out the best practice for how to set up and manage my Terraform Cloud workspaces.
I realize this is going to take using IAM roles, as that’s how Control Tower facilitates access to the multi-accounts, and all examples I’ve found are geared around running your Terraform code through a CI/CD process, not utilizing Terraform Cloud. That to me seems like it would be a lot of reinventing the wheel if that ends up being the only course of action to take, but something makes me believe there is another way. Right now the method I have used has been to add the region, access key, and secret key id as environment variables on the workspace with the secret key id marked as sensitive.
I have some of my Terraform IaC in repositories configured for VCS workflow in Terraform Cloud with upwards of a dozen workspaces using the same repository but having different variables. This would be a hassle to have to migrate to a CI/CD pipeline to handle.
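One shape the role-based setup asked about above could take, as an added example that is not from this post, from HashiCorp or from AWS: a single provider block shared by every workspace, where the target account is selected per workspace and the only static credentials are those of a low-privilege hub principal that can do nothing but assume the per-account role. The role name `TerraformCloudDeploy`, the variable names, the hub user ARN and the external ID are all assumptions.

```hcl
# Added example (not from the original post). Assumed: each target account has a
# role named TerraformCloudDeploy (hypothetical) trusting one hub IAM user, and the
# hub user's access key / secret key are the only sensitive workspace variables.

variable "aws_region" {
  type = string
}

variable "target_account_id" {
  type        = string
  description = "Account this workspace deploys into; set per workspace."
}

variable "assume_role_external_id" {
  type        = string
  sensitive   = true
  description = "Constructed per-account secret required by the role's trust policy."
}

provider "aws" {
  region = var.aws_region
  # AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY come from the workspace environment
  # variables; that identity only needs sts:AssumeRole on the target role.
  assume_role {
    role_arn     = "arn:aws:iam::${var.target_account_id}:role/TerraformCloudDeploy"
    session_name = "terraform-cloud-${var.target_account_id}" # visible in CloudTrail
    external_id  = var.assume_role_external_id
  }
}

# Trust policy for the role in each target account, applied once from a bootstrap
# run with credentials that already exist in that account. The hub principal can
# assume the role only when it presents the matching external ID.
data "aws_iam_policy_document" "terraform_cloud_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:user/terraform-cloud-hub"] # constructed
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.assume_role_external_id]
    }
  }
}

resource "aws_iam_role" "terraform_cloud_deploy" {
  name               = "TerraformCloudDeploy"
  assume_role_policy = data.aws_iam_policy_document.terraform_cloud_trust.json
}
```

With this layout the dozen workspaces sharing one repository differ only in their variables (region, account ID, external ID), and rotating or revoking access means touching the per-account role rather than a key pair stored in each workspace.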