{"id":"8d0530d5-01da-4219-afa6-7a8e4233d636","task":"Model a Terraform provider alias to manage resources across multiple AWS accounts in a single root module using assume_role and distinct provider blocks","domain":"Terraform","steps":["Declare a default aws provider block for the management account and one aliased provider block per target account (provider \"aws\" { alias = \"prod\" }), each with an assume_role block giving the cross-account role ARN, an external_id and a session_name that identifies the automation run","Pass the aliased provider to resources and modules with the provider meta-argument (provider = aws.prod); for modules, set providers = { aws = aws.prod } in the module call, and if the child module needs more than one provider configuration have it declare the extra aliases with configuration_aliases in its required_providers block","Store account IDs and role ARNs in a locals block or a variable map rather than hardcoding them; provider blocks cannot use count or for_each, so the map builds the role ARNs and drives which alias each resource and module call uses, while the provider blocks themselves stay static","Configure the S3 backend with a single versioned, encrypted bucket in the management account and state locking enabled; a single root module produces one state file that spans every account it manages, so restrict read access to that bucket as tightly as the most sensitive account, and if per-account state isolation is required split into separate root modules with distinct backend keys rather than relying on workspaces","Add an aws_caller_identity data source under each aliased provider and assert the expected account ID with a lifecycle postcondition (or a precondition on the resources that depend on it) so the plan fails fast if the wrong role was assumed","In CI, supply credentials for the management account only and rely on assume_role to reach the other accounts; scope the CI role's sts:AssumeRole permission to the exact target role ARNs and require an external ID in every target trust policy to limit blast radius"],"gotchas":["Provider configurations (credentials, assume_role) belong in the root module: a child module can declare the aliases it expects with configuration_aliases, but it cannot define a provider configuration that propagates upward, and a module that contains its own provider block cannot be called with count, for_each or depends_on","Provider blocks do not support count or for_each, so the number of aliased providers in a root module is fixed when the configuration is written; one provider block per alias, which limits how far a single root module scales across accounts","If assume_role passes tags or transitive_tag_keys, the target role's trust policy must also allow sts:TagSession; without it AssumeRole fails even when the role ARN and external ID are correct"],"contributor":"waymark-seed","created":"2026-06-13T05:09:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/8d0530d5-01da-4219-afa6-7a8e4233d636"}
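A root-module layout that ties the steps and gotchas above together, added here as an illustration and not part of the original record. The account IDs, role names, bucket and lock-table names, region, CI role name and the ./modules/peering path are placeholder assumptions:

```hcl
# Added example, not part of the original record. Account IDs, role names,
# bucket/table names, region, CI role name and the module path are assumptions.

terraform {
  required_version = ">= 1.5.0"
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
  # One backend in the management account; one state file for the whole root.
  backend "s3" {
    bucket         = "example-tf-state-mgmt"
    key            = "multi-account/root.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "example-tf-state-lock"
  }
}

variable "external_id" {
  type      = string
  sensitive = true
}

# Account inventory lives in one place; nothing below hardcodes an account ID.
locals {
  accounts = {
    prod = { id = "111111111111", role = "TerraformDeploy" }
    dev  = { id = "222222222222", role = "TerraformDeploy" }
  }
  role_arns = { for k, a in local.accounts : k => "arn:aws:iam::${a.id}:role/${a.role}" }
}

# Default provider: management-account credentials come from the CI runner.
provider "aws" {
  region = "us-east-1"
}

# Provider blocks cannot use for_each, so there is one static block per account.
provider "aws" {
  alias  = "prod"
  region = "us-east-1"
  assume_role {
    role_arn     = local.role_arns.prod
    external_id  = var.external_id
    session_name = "terraform-ci"
    tags         = { Pipeline = "infra" } # requires sts:TagSession in the trust policy
  }
}

provider "aws" {
  alias  = "dev"
  region = "us-east-1"
  assume_role {
    role_arn     = local.role_arns.dev
    external_id  = var.external_id
    session_name = "terraform-ci"
  }
}

# Fail the plan if the alias resolved to an unexpected account.
data "aws_caller_identity" "prod" {
  provider = aws.prod
  lifecycle {
    postcondition {
      condition     = self.account_id == local.accounts.prod.id
      error_message = "aws.prod resolved to account ${self.account_id}, expected ${local.accounts.prod.id}."
    }
  }
}

# Least privilege for the CI role in the management account: it may assume
# exactly the deploy roles in the inventory and nothing else.
data "aws_iam_policy_document" "ci_assume" {
  statement {
    actions   = ["sts:AssumeRole", "sts:TagSession"]
    resources = values(local.role_arns)
  }
}

resource "aws_iam_role_policy" "ci_assume" {
  name   = "assume-deploy-roles"
  role   = "terraform-ci" # existing CI role in the management account (assumed)
  policy = data.aws_iam_policy_document.ci_assume.json
}

# A resource created in the prod account through the alias.
resource "aws_s3_bucket" "prod_logs" {
  provider = aws.prod
  bucket   = "example-prod-logs-${data.aws_caller_identity.prod.account_id}"
}

# A child module that needs two accounts (e.g. VPC peering). Its versions.tf
# must declare the extra alias:  configuration_aliases = [aws.peer]
module "prod_dev_peering" {
  source    = "./modules/peering"
  providers = { aws = aws.prod, aws.peer = aws.dev }
}
```

The target role in each account still needs a trust policy that allows the CI role principal both sts:AssumeRole and sts:TagSession, with an sts:ExternalId condition matching var.external_id; that policy is owned by the target account and is deliberately not managed from this root. The postcondition on aws_caller_identity is what turns a mis-pointed alias into a failed plan rather than resources landing in the wrong account.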