Skip to content

fix(terraform): resolve account_id from AWS_ACCOUNT_ID env #31

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
stxkxs merged 1 commit into from
Jun 7, 2026
Merged

fix(terraform): resolve account_id from AWS_ACCOUNT_ID env #31

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 7 additions & 4 deletions terraform/live/dev/env.hcl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,11 @@
locals {
environment = "dev"
region = "us-west-2"
cluster_name = "eks-dev"
account_id = "REPLACE_WITH_DEV_ACCOUNT_ID"
environment = "dev"
region = "us-west-2"
cluster_name = "eks-dev"
# account_id resolves at parse time from AWS_ACCOUNT_ID — it names the state
# bucket in root.hcl before any AWS call, so it can't arrive as a TF_VAR_. The
# orchestrator sets it; for a manual run, export AWS_ACCOUNT_ID in the shell.
account_id = get_env("AWS_ACCOUNT_ID")
cost_center = "engineering"
business_unit = "platform"
}
15 changes: 8 additions & 7 deletions terraform/live/production/env.hcl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,14 +5,15 @@ locals {
cost_center = "engineering"
business_unit = "platform"

# account_id is the only environment-identifying value that has to live
# in git: terragrunt's `remote_state.config.bucket` evaluates this at
# parse time, so the backend bucket name needs it before any AWS API
# is reachable. All other infrastructure identifiers (OIDC issuer,
# account_id resolves at parse time from the AWS_ACCOUNT_ID environment
# variable: terragrunt's `remote_state.config.bucket` embeds it and is
# evaluated before any AWS API is reachable, so it can't arrive as a
# `TF_VAR_` (those reach the leaf module, not the backend config) — and it
# stays out of git. All other infrastructure identifiers (OIDC issuer,
# VPC/subnet IDs, KMS key ARN, route tables, security group, Karpenter
# node-role name) come in as `TF_VAR_*` from the orchestrator (portal
# workspace variables for the production deploy). Leaves declare the
# variables in `variables.tf`; if a leaf is run outside portal, set the
# corresponding TF_VAR_ in the shell.
account_id = "351619759866"
# variables in `variables.tf`. The orchestrator sets AWS_ACCOUNT_ID; if a
# leaf is run outside portal, export AWS_ACCOUNT_ID (and the TF_VAR_s) first.
account_id = get_env("AWS_ACCOUNT_ID")
}
11 changes: 7 additions & 4 deletions terraform/live/staging/env.hcl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,11 @@
locals {
environment = "staging"
region = "us-west-2"
cluster_name = "eks-staging"
account_id = "REPLACE_WITH_STAGING_ACCOUNT_ID"
environment = "staging"
region = "us-west-2"
cluster_name = "eks-staging"
# account_id resolves at parse time from AWS_ACCOUNT_ID — it names the state
# bucket in root.hcl before any AWS call, so it can't arrive as a TF_VAR_. The
# orchestrator sets it; for a manual run, export AWS_ACCOUNT_ID in the shell.
account_id = get_env("AWS_ACCOUNT_ID")
cost_center = "engineering"
business_unit = "platform"
}
Loading