Model a Terraform provider alias to manage resources across multiple AWS accounts in a single root module using assume_role and distinct provider blocks
Declare a default aws provider block for the management account, plus additional aliased provider blocks (provider "aws" { alias = "prod" }), each with an assume_role block specifying the cross-account role ARN
Pass the aliased provider to resources with the provider meta-argument (provider = aws.prod); for modules, set providers = { aws = aws.prod } in the module call block
Store account IDs and role ARNs in a locals block or variable map rather than hardcoding them, and reference that map from each provider block; a for_each over the map can drive per-account values and module calls, but the provider blocks themselves must still be written statically, because Terraform does not allow count or for_each on a provider block
Configure the S3 backend with a single bucket in the management account and use workspaces or key prefixes to isolate state per account rather than running separate backends
Add a caller-identity data source (aws_caller_identity) in each aliased provider context and assert the expected account ID with a precondition block, so the run fails fast if the wrong role was assumed
In CI, supply credentials for the management account only and rely on assume_role chaining; put a permissions boundary on the automation role that restricts sts:AssumeRole to the specific cross-account role ARNs, to limit blast radius
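The steps above wired together in one root module, as an added example rather than configuration from the original page. Account IDs, the role ARN, bucket and table names, the module path and the external-ID variable are all placeholders:

```hcl
# Added example (not from the original page). Account IDs, role ARN,
# bucket/table names and module path are placeholders.

terraform {
  required_version = ">= 1.2" # lifecycle preconditions need 1.2 or later
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }

  # One backend in the management account; the key prefix isolates state
  # per target account (a workspace per account works the same way).
  backend "s3" {
    bucket         = "PLACEHOLDER-tfstate-mgmt"
    key            = "multi-account/prod/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "PLACEHOLDER-tfstate-lock"
    encrypt        = true
  }
}

variable "prod_external_id" {
  type      = string
  sensitive = true
}

# Account IDs and role ARNs live in one map instead of each provider block.
locals {
  region = "us-east-1"
  accounts = {
    mgmt = { id = "111111111111" }
    prod = {
      id       = "222222222222"
      role_arn = "arn:aws:iam::222222222222:role/TerraformCrossAccount"
    }
  }
}

# Default provider: management-account credentials supplied by CI.
provider "aws" {
  region = local.region
}

# Aliased provider: every API call assumes the cross-account role.
# Provider blocks cannot use for_each, so one static block per alias.
provider "aws" {
  alias  = "prod"
  region = local.region

  assume_role {
    role_arn     = local.accounts.prod.role_arn
    session_name = "terraform"
    external_id  = var.prod_external_id
  }
}

# Identity check in the aliased context: which account did we land in?
data "aws_caller_identity" "prod" {
  provider = aws.prod
}

# Fail at plan time, before anything is created, if the role resolved
# to an unexpected account.
resource "aws_s3_bucket" "prod_logs" {
  provider = aws.prod
  bucket   = "PLACEHOLDER-prod-logs-${local.accounts.prod.id}"

  lifecycle {
    precondition {
      condition     = data.aws_caller_identity.prod.account_id == local.accounts.prod.id
      error_message = "aws.prod did not resolve to the expected prod account ID; refusing to apply."
    }
  }
}

# Child modules receive the alias through the providers map and use the
# unaliased "aws" provider internally.
module "prod_network" {
  source = "./modules/network" # hypothetical module path

  providers = {
    aws = aws.prod
  }

  cidr_block = "10.20.0.0/16"
}
```

The precondition sits on a resource so it reads as the page describes; the same check can be written as a postcondition on the data source itself (condition = self.account_id == local.accounts.prod.id), which fails the plan even when no resource in that account has changed.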
Known gotchas
Terraform requires that all provider aliases used in a configuration be declared in the root module; you cannot declare an alias inside a child module and have it propagate upward
The number of provider blocks in a root module cannot be determined dynamically using count or for_each on the provider block itself; you must write one provider block per alias statically, which limits programmatic multi-account scaling
assume_role session tags and transitive tag keys must be explicitly allowed by the target role's trust policy; missing sts:TagSession permission causes assume_role to fail even when the role ARN and external ID are correct
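The two IAM pieces behind the last gotcha and the CI permissions boundary, as an added example that is not from the original page: the trust policy on the target-account role grants sts:TagSession alongside sts:AssumeRole, and a permissions boundary pins the management-account automation role to a fixed list of cross-account role ARNs. Account IDs, role and policy names, bucket names, tag keys and both variables are placeholders:

```hcl
# Added example (not from the original page). Account IDs, role/policy
# names, bucket names and tag keys are placeholders.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
}

variable "prod_external_id" {
  type      = string
  sensitive = true
}

variable "automation_trust_policy_json" {
  type = string # trust for the CI identity (e.g. OIDC), defined elsewhere
}

locals {
  automation_role_arn  = "arn:aws:iam::111111111111:role/TerraformAutomation"
  allowed_target_roles = [
    "arn:aws:iam::222222222222:role/TerraformCrossAccount",
    "arn:aws:iam::333333333333:role/TerraformCrossAccount",
  ]
}

provider "aws" {
  region = "us-east-1" # management-account credentials from CI
}

provider "aws" {
  alias  = "prod"
  region = "us-east-1"
  assume_role {
    role_arn    = local.allowed_target_roles[0]
    external_id = var.prod_external_id
  }
}

# 1. Trust policy on the cross-account role in the target account.
data "aws_iam_policy_document" "cross_account_trust" {
  statement {
    sid     = "AllowAssumeWithExternalId"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [local.automation_role_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.prod_external_id]
    }
  }

  # Needed as soon as the caller's assume_role block sets tags or
  # transitive_tag_keys; without it AssumeRole is denied even though the
  # ARN and external ID match. aws:TagKeys pins which keys may be set.
  statement {
    sid     = "AllowSessionTags"
    actions = ["sts:TagSession"]
    principals {
      type        = "AWS"
      identifiers = [local.automation_role_arn]
    }
    condition {
      test     = "ForAllValues:StringEquals"
      variable = "aws:TagKeys"
      values   = ["Environment", "Owner"]
    }
  }
}

resource "aws_iam_role" "cross_account" {
  provider           = aws.prod # created in the target account
  name               = "TerraformCrossAccount"
  assume_role_policy = data.aws_iam_policy_document.cross_account_trust.json
}

# 2. Permissions boundary for the automation role: whatever its attached
# policies grant, it can only assume the listed roles and touch its own state.
data "aws_iam_policy_document" "automation_boundary" {
  statement {
    sid       = "AssumeOnlyKnownCrossAccountRoles"
    actions   = ["sts:AssumeRole", "sts:TagSession"]
    resources = local.allowed_target_roles
  }
  statement {
    sid       = "OwnStateOnly"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
    resources = ["arn:aws:s3:::PLACEHOLDER-tfstate-mgmt", "arn:aws:s3:::PLACEHOLDER-tfstate-mgmt/*"]
  }
}

resource "aws_iam_policy" "automation_boundary" {
  name   = "TerraformAutomationBoundary"
  policy = data.aws_iam_policy_document.automation_boundary.json
}

resource "aws_iam_role" "automation" {
  name                 = "TerraformAutomation"
  assume_role_policy   = var.automation_trust_policy_json
  permissions_boundary = aws_iam_policy.automation_boundary.arn
}
```

The cross-account role is created through the aws.prod alias, which can only assume a role that already exists, so the first copy of it is bootstrapped once with target-account credentials; afterwards this configuration manages it. A boundary is the right tool here because it caps what the automation role can ever do regardless of later policy attachments, and it lists role ARNs rather than the wildcard a broad Allow on sts:AssumeRole would imply.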