AWS: Migrate AWS infra Terraform state files outside the AWS Org management account #4800
Description
We are currently saving Terraform state files in buckets that live in the AWS management account.
What AWS account do we put the state buckets in?
Long term, it's good if we're not putting the state in the management account. The benefit: a Terraform run that doesn't involve the management account should be able to succeed without interacting with the management account.
Originally posted by @sftim in #4694 (comment)
In general we should stop creating resources inside the management account. Service Control Policies affect only member accounts in the organization. They have no effect on users or roles in the management account.
/area infra
/area infra/aws
/priority important-longterm
Metadata
Metadata
Assignees
Labels
Infrastructure management, infrastructure design, code in infra/Issues or PRs related to Kubernetes AWS infrastructureIndicates that an issue or PR should not be auto-closed due to staleness.Important over the long term, but may not be staffed and/or may need multiple releases to complete.Categorizes an issue or PR as relevant to SIG K8s Infra.