A discussion on best practices for structuring Terraform in a multi-AWS-account environment, without traditional dev/qa/prod environments. The setup involves one internal AWS account and multiple customer-facing accounts (controlled by us but shared with third parties).
Two key requirements need to be addressed:
- Granular resource creation: ability to independently provision individual resources (e.g., just an IAM role or just an S3 bucket) without applying an entire stack.
- Cross-account access management: ability to define and manage cross-account policies so that specific resources can be shared between the internal account and customer accounts.
Seeking advice on the best Terraform structure for this setup. A folder-based approach (over workspaces) has been considered as a starting point, but it’s unclear if that’s the right direction. Looking for real-world recommendations, trade-offs, and examples.
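One way the two requirements could look under a folder-per-resource layout, as an added example that is not code from the original discussion: the root module that creates, in one customer account, a role that exactly one role in the internal account may assume. The folder layout, account-ID variables, role names and bucket name are all assumptions.

```hcl
# Assumed layout (not from the post): one root module per resource, own state each:
#   accounts/internal/shared-bucket/main.tf
#   accounts/customer-a/cross-account-role/main.tf   <- this file
variable "internal_account_id" { type = string } # our internal account
variable "customer_account_id" { type = string } # this customer's account
variable "external_id"         { type = string } # confused-deputy guard

# Apply into the customer account by assuming a bootstrap role there.
provider "aws" {
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::${var.customer_account_id}:role/TerraformDeploy"
  }
}

# Trust policy: only one named role in the internal account may assume this
# role, and only when it presents the agreed ExternalId.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.internal_account_id}:role/SharedDataReader"]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

# Permissions: read-only on one prefix of the customer's bucket, nothing else.
data "aws_iam_policy_document" "perms" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::customer-a-shared/exports/*"]
  }
}

resource "aws_iam_role" "shared_access" {
  name               = "InternalSharedAccess"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

resource "aws_iam_role_policy" "shared_access" {
  role   = aws_iam_role.shared_access.id
  policy = data.aws_iam_policy_document.perms.json
}
```

Because this folder carries its own state, `terraform apply` here touches only this role and its inline policy, which is the granular provisioning the post asks for; the trust policy pins both the principal and the ExternalId so a customer account cannot be coaxed into trusting anything broader.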