One Repo 2 AWS Account

Why 2 accounts in one repo

Perfect 👍 this is actually a very common real-world enterprise setup:

  • AWS Account A (Dev/Stage) → developers experiment here.

  • AWS Account B (Prod) → production-only workloads.

You’ll want to keep one codebase, but configure it so Terraform knows which AWS account + environment to deploy to.


terraform/
├── backend.tf              # Remote backend (Terraform Cloud or S3+DynamoDB)
├── main.tf                 # Root module calls sub-modules (e.g., S3, VPC, EC2)
├── outputs.tf
├── provider.tf             # AWS provider config (with profiles/aliasing)
├── variables.tf            # Shared input variables
├── versions.tf             # Terraform + provider versions
├── modules/                # Reusable infra modules
│   └── s3/
│       ├── main.tf
│       ├── variables.tf
│       └── outputs.tf
└── environments/
    ├── dev.tfvars          # Variables for dev account
    └── prod.tfvars         # Variables for prod account

🛠️ provider.tf

Here we define two AWS providers, one for dev account and one for prod account. Each account uses its own profile (set up in ~/.aws/credentials by running aws configure --profile dev and aws configure --profile prod).

provider "aws" {
  alias   = "dev"
  region  = var.region
  profile = "dev"
}

provider "aws" {
  alias   = "prod"
  region  = var.region
  profile = "prod"
}

🛠️ main.tf

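Here you decide which account’s provider to use depending on the environment. Terraform only accepts a static provider reference (such as aws.dev) in a module's providers map and rejects a conditional expression there, so the choice is made with count on two module calls:

# Only one of the two module calls is instantiated for a given environment.
module "s3_bucket_dev" {
  source      = "./modules/s3"
  count       = var.environment == "dev" ? 1 : 0 # dev account only
  bucket_name = var.bucket_name
  environment = var.environment
  providers   = { aws = aws.dev }
}

module "s3_bucket_prod" {
  source      = "./modules/s3"
  count       = var.environment == "prod" ? 1 : 0 # prod account only
  bucket_name = var.bucket_name
  environment = var.environment
  providers   = { aws = aws.prod }
}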

🛠️ variables.tf

variable "bucket_name" {
  description = "Name of the S3 bucket"
  type        = string
}

variable "environment" {
  description = "Environment name (dev/prod)"
  type        = string
}

variable "region" {
  description = "AWS region"
  type        = string
  default     = "us-east-1"
}

🛠️ environments/dev.tfvars

bucket_name = "mycompany-dev-bucket"
environment = "dev"
region      = "us-east-1"

🛠️ environments/prod.tfvars

bucket_name = "mycompany-prod-bucket"
environment = "prod"
region      = "us-east-1"

🚀 Usage

For Dev account:

terraform apply -var-file=environments/dev.tfvars

For Prod account:

terraform apply -var-file=environments/prod.tfvars

✅ With this approach:

  • One repo/codebase

  • Two AWS accounts (via profiles in provider.tf)

  • Environment-specific tfvars (dev/prod)


👉 Now, here’s a decision point: Do you want Terraform state also separated per environment (recommended) — e.g., terraform-dev.tfstate vs terraform-prod.tfstate (in Terraform Cloud or S3+DynamoDB) — or do you want to keep a single state file for both environments?
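A guard for the two-provider setup above, added here as an example and not part of the original notes: allowed_account_ids makes each provider refuse to run when its profile resolves to a different AWS account, and a validation block rejects any environment other than dev or prod. The variable names dev_account_id and prod_account_id and the 12-digit values are assumptions.

```hcl
# variables.tf: replaces the "environment" variable and adds two new ones.
# dev_account_id / prod_account_id are assumed names, not from the original.
variable "environment" {
  description = "Environment name (dev/prod)"
  type        = string

  validation {
    condition     = contains(["dev", "prod"], var.environment)
    error_message = "Environment must be \"dev\" or \"prod\"."
  }
}

variable "dev_account_id" {
  description = "12-digit ID of AWS Account A (Dev/Stage)"
  type        = string
}

variable "prod_account_id" {
  description = "12-digit ID of AWS Account B (Prod)"
  type        = string
}

# provider.tf: same aliases and profiles, plus an account allow-list.
# If the "dev" profile ever holds prod keys (or the reverse), the provider
# fails to configure and no resource is touched.
provider "aws" {
  alias               = "dev"
  region              = var.region
  profile             = "dev"
  allowed_account_ids = [var.dev_account_id]
}

provider "aws" {
  alias               = "prod"
  region              = var.region
  profile             = "prod"
  allowed_account_ids = [var.prod_account_id]
}

# Add to both environments/dev.tfvars and environments/prod.tfvars
# (constructed placeholder IDs):
# dev_account_id  = "111111111111"
# prod_account_id = "222222222222"
```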

How to configure for 2 accounts

Currently I have one AWS account configured with the default profile; I will manage account 2 in the coming days,

so I will get account 2 credentials.

So you know my current structure.

Give me an updated structure and codebase to manage two AWS accounts.

I just created a Terraform Cloud account; I have not created any variables/organization/workspace,

so give me full steps so it should work seamlessly.

Great question 👌 Yes, you can absolutely use the same Terraform codebase for multiple AWS accounts — you just need to manage credentials and environments correctly.

Here are the ways you can do it:


🔑 Option 1: Use AWS CLI Profiles

When you configure credentials with the AWS CLI, you can give each account its own profile:

aws configure --profile account1
aws configure --profile account2

This stores the keys in ~/.aws/credentials like:

[account1]
aws_access_key_id = XXXX
aws_secret_access_key = YYYY

[account2]
aws_access_key_id = AAAA
aws_secret_access_key = BBBB

and the region for each profile in ~/.aws/config:

[profile account1]
region = ap-south-1

[profile account2]
region = us-east-1

In Terraform provider.tf (aws_profile also has to be declared as a string variable in variables.tf):

provider "aws" {
  region  = var.region
  profile = var.aws_profile
}

In your dev.tfvars, prod.tfvars, etc.:

aws_profile = "account1"
region      = "ap-south-1"

Or for account 2:

aws_profile = "account2"
region      = "us-east-1"

👉 Then just run:

terraform plan -var-file=environments/dev.tfvars

🔑 Option 2: Use Environment Variables (Quick & Temporary)

Instead of profiles, you can export credentials before running Terraform:

export AWS_ACCESS_KEY_ID=XXXX
export AWS_SECRET_ACCESS_KEY=YYYY
export AWS_DEFAULT_REGION=ap-south-1

or for PowerShell (Windows):

$env:AWS_ACCESS_KEY_ID="XXXX"
$env:AWS_SECRET_ACCESS_KEY="YYYY"
$env:AWS_DEFAULT_REGION="ap-south-1"

Terraform automatically picks them up. But you’ll need to switch manually each time.


🔑 Option 3: Separate Workspaces / Backends per Account

If you’re deploying the same infra to both accounts, you can use:

  • Workspaces (dev, stage, prod, account1, account2, etc.)

  • Different backend.tf configs (so state doesn’t clash between accounts)

This way, account1’s state is separate from account2’s.


✅ Recommended Setup for You:

  • Keep one codebase

  • Use profiles in provider.tf (var.aws_profile)

  • Pass different .tfvars files per account/environment


👉 Do you want me to extend your current provider.tf and dev.tfvars example to show exactly how to add profiles for account1 & account2?
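For the separate-state recommendation in the first section and Option 3 above, one way to keep each account's state apart with the S3+DynamoDB backend is partial backend configuration. This is an added example, not part of the original notes; the .s3.tfbackend file names and the EXAMPLE-* bucket and table names are placeholders.

```hcl
# backend.tf: the S3 backend block stays empty; its settings come from a
# per-account file passed to "terraform init".
terraform {
  backend "s3" {}
}

# ---- environments/account1.s3.tfbackend (hypothetical file name) ----
#   terraform init -reconfigure -backend-config=environments/account1.s3.tfbackend
bucket         = "EXAMPLE-account1-tfstate" # placeholder bucket in account 1
key            = "terraform-dev.tfstate"
region         = "ap-south-1"
dynamodb_table = "EXAMPLE-account1-tflock"  # placeholder state-lock table
profile        = "account1"                 # state is read/written with account 1 credentials
encrypt        = true                       # server-side encryption of the state object

# ---- environments/account2.s3.tfbackend (hypothetical file name) ----
#   terraform init -reconfigure -backend-config=environments/account2.s3.tfbackend
bucket         = "EXAMPLE-account2-tfstate" # placeholder bucket in account 2
key            = "terraform-prod.tfstate"
region         = "us-east-1"
dynamodb_table = "EXAMPLE-account2-tflock"  # placeholder state-lock table
profile        = "account2"
encrypt        = true
```

Run terraform init -reconfigure with the matching backend file every time you switch accounts, before plan or apply with that account's .tfvars file; otherwise the working directory still points at the previous account's state.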
