setting `aws_account_id` doesn't ensure all resources are created in that account

[applike-ss]

I am trying out this template for EKS cluster creation right now.

While doing the apply, i was wondering why my vpc endpoint resources did not show up in the new subaccount that i created.

Turns out they were created in the main account i was using, even though i set aws_account_id to the sub account.

That is not ideal or obvious to a new user and i assume it also is a bug?

These resources i can see in my main account, which should be in the new sub account instead:

• vpc
• subnets
• routing tables
• igw
• egress igw
• eip
• endpoints
• nat gw

I see that it says in the requirements [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) configured with the account you want to deploy into, however my assumption was that my profile should have the permissions needed to create the resources.

Why else would there be a aws_account_id variable?

It seems i will have to use the iam_role option then to enforce where to spawn the resources, will check that out.

When destroying the incorrectly created resources, i do now get:

╷
│ Error: expected "url" url to not be empty, got 
│ 
│   with data.flux_sync.main[0],
│   on flux2.tf line 103, in data "flux_sync" "main":
│  103:   url         = local.flux2["github_url"]
│ 
╵
╷
│ Error: error reading EKS Cluster (cluster-name): couldn't find resource
│ 
│   with data.aws_eks_cluster.cluster,
│   on provider-local.tf line 33, in data "aws_eks_cluster" "cluster":
│   33: data "aws_eks_cluster" "cluster" {
│ 
╵

not ideal, because we wanted to use flux2 without github. Will try that again with a demo url set.

Setting a demo url did actually not let me remove the resources, so i manually removed them.

[ArchiFleKs]

@applike-ss Hi, as you might have notice in https://github.com/particuleio/teks/pull/133, to enable multi-account support, you need to use a dedicated assume role in the terragrunt.hcl in each environment.

For example if using AWS Organization / SSO:

• Always run Terragrunt command from the root account
• Setup cross account access using IAM assume role in Terragrunt.hcl per env

More information here

[applike-ss]

Thanks, that's what i'm trying right now.

Having some issues still like #134, however i am refactoring it a bit so i don't actually need the kms module.

[applike-ss]

i got my cluster up and running, though not with all the addons that it should have. closing it and creating a new one for the current issue