Standard AWS practice today is to use multiple accounts to seperate infrastructure. This is done for a number of reasons, one of the most common is to seperate environment such as development, staging, and production. When initiating AWS API calls locally a common method is to run an “assume role” script, which will ingest an MFA token and AWS credentials to temporarily receive an token allowing the user to assume a role in a different account with appropriate privileges.

Building on the ideas from the last blog post regarding terraform workspaces and automation tools, we can start there as we build out our AWS Organization.

Server sprawl is an age old problem and IAC does not solve it. While IAC and the cloud eliminate the age old blinky light in the corner that you “Just need to keep on,” there is a new code sprawl that creates a new version of the same problem. Thankfully the folks at HashiCorp had this in mind when they added multiple workspaces to certain backends in Terraform .10.