#terraform - February 2023

I thought it was possible to no fail on data lookups or get empty results but it looks like is only for some resources? is that correct? ( I was looking trough some TF PRs and it looks that way)

anyone knows if aws_service_discovery_private_dns_namespace is just a route53 local zone or there is some hiden metadata to it?

Greetings, i am trying to use your https://github.com/cloudposse/terraform-aws-service-control-policies module with terragrunt. My question is how can i fit the value of service_control_policy_statements while not using your cloudposse/config/yaml module. The terragrunt.hcl file is like this.

include {
  path = find_in_parent_folders()
}

locals {
  common_vars                        = yamldecode(file(find_in_parent_folders("common_vars.yaml")))
  service_control_policy_description = "OwnerTeam Tag Require Service Control Policy"
  service_control_policy_statements  = here_should_come_the_statement
  name                               = "service-control-policy"
  target_id                          = "141757035671"
}

terraform {
  source = "../../..//modules/terraform-aws-service-control-policies"
}

inputs = {
  name                               = "${local.common_vars.namespace}-${local.common_vars.environment}-${local.name}"
  service_control_policy_description = local.service_control_policy_description
  service_control_policy_statements  = local.service_control_policy_statements
  target_id                          = local.target_id
}

Hi all, I’m using the cloudposse/rds-cluster/aws module to create an rds aurora cluster. I now have the requirement to restore from a snapshot.

How do I do so?

I tried changing the snapshot_identifier, but the plan shows an update (and the execution does nothing) when it should show a destroy/create for the cluster.

So I could use some assistance with understanding the whole “aws-teams” “aws-teams-roles” and “aws-sso” components.. Currently I have an account created in my org that I would like to enable a set of users access to create aws resources in using atmos.. I have setup this group with the AdministratorAccess permissions set tied to the account in question.. My issue arises in how I configure them with the identity account’s roles which is what is used by atmos. Now I only want this team to have Admin access for this one account only. Suggestions as to how I could go about this?

@Erik Osterman (Cloud Posse) can the terraform-yaml-config module be used outside of cloudposse's opinionated workflow or is couple in one way or another that will ultimately make it a pain?

does anyone know how to get every non master account bar a specific one?

i want to execute the following but not in our security account

resource "aws_guardduty_member" "this" {
  provider = aws.security-account

  count       = length(data.aws_organizations_organization.this.non_master_accounts)
  account_id  = data.aws_organizations_organization.this.non_master_accounts[count.index].id
  detector_id = aws_guardduty_detector.security_account.id
  email       = data.aws_organizations_organization.this.non_master_accounts[count.index].email

  lifecycle {
    ignore_changes = [email]
  }
}

I m trying to do route53 vpc association to zones as below and aws_route53_vpc_association_authorization unable to identify the depends on attribute . Can anyone help me why i m not able to do this

resource "aws_route53_vpc_association_authorization" "master" {
    for_each = { for entry in local.zone_appvpc: "${entry.zone_id}.${entry.app_vpc}" => entry }
    vpc_id  = each.value.app_vpc
    zone_id = each.value.zone_id
    depends_on = [
      aws_route53_zone.private
    ]
}

resource "aws_route53_zone" "private" {
  count = "${length(var.r53_zones)}"
  name          = "${element(var.r53_zones, count.index)}"
  force_destroy = true
  vpc {
    vpc_id = var.master_account_vpc_id
  }
}
locals {
  zone_ids    = aws_route53_zone.private.*.id
  app_vpcs    = var.app_accounts[*].app_vpc_id
  zone_appvpc = distinct(flatten([
    for app_vpc in local.app_vpcs : [
      for zone_id in local.zone_ids : {
        zone_id  = zone_id
        app_vpc  = app_vpc
      }
    ]
  ]))
}
r53_zones = ["<http://aws.org|aws.org>","<http://google.org|google.org>"]
  master_account_vpc_id = "vpc-0b887bb1ccgh0a"
  app_accounts = [ 
    { "account" : "49563775878", "app_vpc_id" : "vpc-0c8aeb58gty6be45e"},
    { "account" : "49556775878", "app_vpc_id" : "vpc-0c8adhghgty6be45e"}

  ]

Hey guys! What do you think about having a visual Terraform editor? 👋😊

It looks like No Code tools are becoming quite popular so I was thinking how awesome it would be if you could create your Terraform configuration with No Code approach!

Would anyone be interested in using such a tool? 🤔

Hello Terraformers! I just finished the 2nd part of my AWS PrivateLink series, Check it out and let me know what you think. Also, are you currently leveraging Privatelink? https://www.taccoform.com/posts/aws_pvt_link_2/

What are people's opinions regarding storing state (not in a TACO)? This would be for a monorepo of ops code and there are maybe 20 accounts. So one option would be one-state-account-to-rule-them-all or basically a state bucket in every account. Personally I like the latter, but the former definitely seems easier in the beginning. Curious if people have hard-won experience in both these areas that have helped them form opinions?

Does anyone have a good way to deal with a null value in a ternary that is breaking higher up in the dictionary?

bucket     = var.build_config.source.storage_source.bucket != null ? var.build_config.source.storage_source.bucket : google_storage_bucket.bucket.name

=>

Error: Attempt to get attribute from null value
│
│   on ../../../modules/cloud_function/main.tf line 26, in resource "google_cloudfunctions2_function" "function":
│   26:         bucket     = var.build_config.source.storage_source.bucket != null ? var.build_config.source.storage_source.bucket : google_storage_bucket.bucket.name
│     ├────────────────
│     │ var.build_config.source is null
│
│ This value is null, so it does not have any attributes.

In other words it's breaking because before it's even getting to the final key to check, the key above that is null so it has no attribute to even look for.

This is a block list of Max 1. I don't using a dynamic would help really. I have marked var.build_config.source as optional because it is, as are all other values below it.

I guess I could use a nested ternary lol where I first check source and then check storage for nulls but oof, man that is kludgy.

This message was deleted.

This message was deleted.

does anyone know how to create an IAM role that allows federated SSO users access in the "assume role policy"

is this valid ...

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::aws:policy/AWSServiceRoleForSSO"
            }
        }
    ]
}

i need to allow users (in a specific group from SSO) the ability to assume a specific role inside each accounte

This message was deleted.

hello

Is there a doc anywhere on how you make sure your modules remain compliant at cloudposse?

Anyone experiencing Terraform Cloud hickups? Pending jobs etc?

v1.4.0-beta1
Version 1.4.0-beta1

Hi,

Is this https://github.com/cloudposse/terraform-aws-tfstate-backend still recommended or is there a better one to use on Cloudposse ?

I'm having trouble getting YAML into a heredoc:

# files.yml
file1:
  key1: "value1"
  key2:
    - subkey1: "subvalue1"
      subkey2: "subvalue2"
...

# module instantiation
module "my-mod" {
  source = "../foo"
  files = yamldecode(file(files.yml))
}

# module source
locals {
  service_definitions = { magic }
}

resource "datadog_service_definition_yaml" "service_definition" {
  for_each = local.service_definitions

  service_definition = <<EOF
    "${each.value}"
  EOF
}

errors is:

Error: Invalid template interpolation value
│
│   on ../../../modules/datadog-service-definitions/main.tf line 12, in resource "datadog_service_definition_yaml" "service_definition":
│   11:   service_definition = <<EOF
│   12:     "${each.value}"
│   13:   EOF
│     ├────────────────
│     │ each.value is object with 9 attributes
│
│ Cannot include the given value in a string template: string required.

I've outputted the object: it does indeed have 9 attributes and looks correct as far as an object goes. Any hacks for this? I recognize it's a type thing.

v1.4.0-beta1
1.4.0 (Unreleased)
UPGRADE NOTES:

config: The textencodebase64 function when called with encoding "GB18030" will now encode the euro symbol € as the two-byte sequence 0xA2,0xE3, as required by the GB18030 standard, before applying base64 encoding.


config: The textencodebase64 function when called with encoding "GBK" or "CP936" will now encode the euro symbol € as the single byte 0x80 before applying base64 encoding. This matches the behavior of the Windows API when encoding to this...

v1.3.8
1.3.8 (February 09, 2023)
BUG FIXES:
Fixed a rare bug causing inaccurate before_sensitive / after_sensitive annotations in JSON plan output for deeply nested structures. This was only observed in the wild on the rancher/rancher2 provider, and resulted in glitched display in Terraform Cloud's structured plan log view. (#32543)
A...

Selenium C# WebDriver not resizing browser window correctly
I have to make visual tests for test automation purposes, with window browser size being (x=1366,y=668). When I'm running these tests in a headless mode, everything works fine and the window is as large as it should be. However, when I run the same tests WITHOUT headless mode, the browser window always is a bit smaller than it should be.
How can it be made that the window is being sized as it is specified?
Here we can see that the size of the window is not as expected - (1366, 668)
<a...

How do you resize images css [closed]
I thought i had everything correctly but i can't get CSS to resize the image, someone please help
I was trying to resize the image

Angular Material 15: How to resize focused components such as autocomplete or datepicker?
i updated to material 15, i want ask how i can change height, or overall size of focused component such as autocomplete or datepicker,
https://m2.material.io/design/layout/applying-density.html#usage ,
this page is telling me i can't use density on such components so what is the other way of making my components smaller?
before this i used material 12 and all i had to do was change...

Cypress drag and drop by offset
I am trying to make DnD work in Cypress and React app.
At first I was trying all examples around those with simulating by mouse events but it is not working in general in my environment. :(
I was able to write a test where I know the drag element and drop element using this code.
const dataTransfer = new DataTransfer();


cy.get(dragSelector).trigger("dragstart", {
dataTransfer,
force: true,
});


cy.get(dropSelector).trigger("drop", {
dataTransfer,
force:...

CSS img won't resize
Total newbie here, tried to google my issue, even get on the second page of results... I'm stuck on resizing image and I have no idea why it is not working, hoping someone can help. By using Inspect on Chrome I can see that element for img is not being connected to the img and I have no idea why.
Block below is within






Here is CSS that I have for the whole part.
main {
display: inline-block;
background-color: var(--main-bgc);...

How do I resize views when using UITabBarController as popover
I have a UITabBarController that is created as a popover view on an iPad screen. There are three tabs associated with it. I'm trying to make one popover (the first tab) smaller than the other two. Once the popover is created and displayed how can I change the size of the popover window when the first tab is selected vs the other two views?
This is the code that creates the popover.
let storyboard = UIStoryboard(name: "Flight", bundle: nil)
let tbc =...

How to make columns of a table resizable with CSS without property of table width 100%
This question is similar to that you find here
Would it be possible to do the same without using width 100%?
I have a large table and I want to keep it scrollable horizontally without squeezing other columns as I enlarge one...
Thank you so much!

In Flutter, how to reduce the image data before saving it to a file?
I'm working on a screen recording app in Flutter. In order to keep the quality of the captured screen image, I have to scale the image as shown below. However, it makes the image data very large. How can I reduce the data size (scale back to the original size) before saving it to a file? For performance reasons, I want to work with raw RGBA instead of encoding it PNG.
double dpr = ui.window.devicePixelRatio;
final boundary =
key.currentContext!.findRenderObject() as...

Dependencies array issue with useMemo and a debounced function
I have the following code that uses lodash.debounce:
// Get Dimensions
// Capture dimensions when App first mounts, immediately
// Listen for resize events and trigger 'getDimensions' (debounced)
const getDimensions = () => dispatch(setDimensions({
viewportWidth: window.innerWidth,
viewportHeight: window.innerHeight
}))

const handleResize = useMemo(() =>
debounce(getDimensions, 250)
, [getDimensions])

useEffect(() => {
handleResize()
window.addEventListener('resize',...

How to insert a picture from an existing table with file path and desired placement
I'm trying to create the following template:
The user creates a table in a "Data Entry" worksheet that lists the following:
File path ie: P:\Phone Camera Dump\20121224_111617.jpg
Range where the picture is to be placed in the "PICS" worksheet.
https://i.stack.imgur.com/bvsJs.jpg
Once the list is finalized, the user executes and images are placed within the ranges specified on the "PICS" worksheet and dynamically re-sized.
Presently the range has a set...

How to make SVG image to use available space? (and to avoid size-hardcoding)
I have an SVG image as a child (at the begin) of a Row. I have wrapped it in a FractionallySizedBox() to make sure that image takes a certain amount of space in a Row. Now, I want Image to use that space, without setting fix width or height (since it can make problems on different devices).
I have used attribute fit: BoxFit.scaleDown, but it is not working.
Any suggestions? :)
here my code:
Row(
children: [
Flexible(
child: FractionallySizedBox(...

Flutter Web - Widgets not resizing with browser zoom
I am currently building a Flutter web application and have encountered an issue where some of my widgets do not resize properly with the browser zoom. When the user decreases the zoom level, some of the widgets become cutoff and disappear from the screen.
I would like to request help in finding a solution to ensure that all of my widgets remain fully visible and properly resized regardless of the user's browser zoom level.
Steps to Reproduce
Open the Flutter web application in a browser.
Zoom...

resize2fs not resizing the filesystem size equal to disk size?
While trying online file system resize. I see the file system size is less than the disk size by 2MB.
Can not figure out what is the issue.
Tried with ext3/ext4 file system. I see same issue.
I see these logs in dmesg again and again.
dmesg,
[Fri Feb 10 04:12:11 2023] EXT4-fs (nvme1n1): resizing filesystem from 168460288 to 168460800 blocks
[Fri Feb 10 04:12:11 2023] EXT4-fs (nvme1n1): resized filesystem to 168460800
[Fri Feb 10 04:13:34 2023] EXT4-fs (nvme1n1): resizing filesystem from...

finally

resource/aws_lambda_function: Add replace_security_groups_on_destroy and replacement_security_group_ids attributes (#29289)

Does cloudposse provide a secure account baseline module with all the other modules stitched together?

Is it possible to pass a variable to downstream modules via context.tf, or do they have to be explicitly defined as variables in the module? Specifically I'm trying to use the module cloudposse/s3-bucket/aws with user_enabled = true and also passing path as a variable to the downstream cloudposse/iam-s3-user/aws module

I’m hitting a wall here and I’m pretty sure is something stupid, I’m using this module https://github.com/cloudposse/terraform-aws-iam-role and passing policy_documents and with one policy is all good but I need to pass the policy names base on the names entered as inputs from a variable and it does not work

peeps any experienced scalr users in here? would love to setup a time to talk and get our takes. I'm a spacelift fan myself, but have some counter scalr price points, as well and would love to get a sense of product maturity, feature release schedule, pricing, ease of setup and use, plan/apply latency, things like this. thanks!

how would you guys handle an API-driven TFC workspace which needs to call multiple modules? for e.g. a module for security group creation, a module for ec2 instance creation etc; thinking of uploading different config. versions and triggering the run to reference the relevant config. version

hello team i am using terraform module for lambda. Here's my code:-
module "c6_emr_failed_jobs_lambda" {
source = "terraform-aws-modules/lambda/aws"
function_name = "test"
description = "Lambda function to monitor emr failed jobs"
handler = "failed.lambda_handler"
runtime = "python3.7"
architectures = ["x86_64"]
vpc_subnet_ids = module.vpc.private_subnets
vpc_security_group_ids = ["sg-xxxxxxxxxxxx"]
environment_variables = {
ENVIRONMENT = "${local.env_name}",
REGION = var.region
}
create_package = false
timeout = 30
package_type = "Zip"
s3_existing_package = {
s3_bucket = "bucket-test-temp"
s3_key = "emr-failed-job-monitoring/karan.zip"
}
tags = local.tags
}


I am getting this error --> Error: filename, s3_* or image_uri attributes must be set

posting this once more lol:

peeps any experienced scalr users in here? would love to setup a time to talk and get our takes. I'm a spacelift fan myself, but have some counter scalr price points, as well and would love to get a sense of product maturity, feature release schedule, pricing, ease of setup and use, plan/apply latency, things like this. thanks!

quick question, lets say I need to create a few secrets, the content for those secrets are tokens for external services like facebook and twitter. how do you guys handle that kinda of stuff ? create the secret and then manually add the secret there ?

v1.4.0-beta2
1.4.0 (Unreleased)
UPGRADE NOTES:

config: The textencodebase64 function when called with encoding "GB18030" will now encode the euro symbol € as the two-byte sequence 0xA2,0xE3, as required by the GB18030 standard, before applying base64 encoding.


config: The textencodebase64 function when called with encoding "GBK" or "CP936" will now encode the euro symbol € as the single byte 0x80 before applying base64 encoding. This matches the behavior of the Windows API when encoding to this...

v1.3.9
1.3.9 (February 15, 2023)
BUG FIXES:
Fix crash when planning to remove already-deposed resource instances. (#32663)

short question vpc peering multi account, is there a possibility to split the requester part to one terraform cloud workspace and the accepter part to another one, so no cross account permissions are needed?

I have a question regarding the terraform-aws-ecs-alb-service-task module... I'm trying to create a service associated with two target_groups (through the ecs_load_balancers variable) but I'm having a dependency problem. But there is no problem if I just try to associate a single target group, I think it's due to this condition enable_ecs_service_role = module.this.enabled && var.network_mode != "awsvpc" && length(var.ecs_load_balancers) >= 1 because of this check length(var.ecs_load_balancers) >= 1

I have a silly question for some people but I’ve been banging my head on this for a while.
I’m using a laptop that uses z scaler. I was able to export the self-signed cert for python using python -m certifi .
i'm seeing this issue when doing terraform init. this is using terraform enterprise and modules from terraform enterprise. the tfe is self hosted on internal domain.
this error repeats for every module. let me know y'all thoughts.

╷
│ Error: Failed to download module
│ 
│ Could not download module "r53_private_zone" (.terraform/modules/tfvpc-us-west-2-devqa/modules/dns/main.tf:9) source code from
│ "git::<https://github.com/terraform-aws-modules/terraform-aws-route53?ref=v2.10.2>": error downloading
│ '<https://github.com/terraform-aws-modules/terraform-aws-route53?ref=v2.10.2>': /opt/homebrew/bin/git exited with 128: Cloning into
│ '.terraform/modules/tfvpc-us-west-2-devqa.vpc_nfw_nsfw-required.dns.r53_private_zone'...
│ fatal: unable to access '<https://github.com/terraform-aws-modules/terraform-aws-route53/>': error setting certificate verify locations:  CAfile: <name of my ca file>
│ CApath: none
│ .
╵

Any opinions on what to do when either a provider is incomplete missing certain resources or the provider doesn't exist at all. It seems some people use curl with local-exec but that is pretty hacky.

Hi Team, I just facing same problem with this issue, any update guys?
https://github.com/cloudposse/terraform-aws-cloudfront-cdn/issues/74

Been thinking about the null-label module and maybe adapting/forking it to make ansible equivalent - our projects use ansible null-provisioner to run ansible code on the machine running the terraform but different projects requiring stuff like group_vars ssh configuration options etc make any form of shared module across our org brittle.

However using a shared context object with ansible config options (that can be injected into small modules and manipulated if required) seems like a novel use of the null-label style module. Love to hear folks thoughts, i'd be something i'd be open sourcing if others might benefit from such a thing.

Ultimately leading to something like this:

// default project ansible object
module "ansible" {
  source  = "org/ansible/null"
  ssh_user = "centos"
  ssh_extra_args = "-o IdentitiesOnly=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
}
// override the default ansible module with some specific option

module "ansible_al2" {
  source  = "org/ansible/null"
  context = module.ansible.context
  ssh_user = "ec2-user"
}

// pass the overriden module into module making ec2 instances etc.
// this would still include the ssh_extra_args value due to inheritance

module "ec2_al2_instances {
 instance_type = "t2.small"
 instance_count = 5
 ansible_context = module.ansible_al2.context
}

hey everyone, I reported a bug that we've been seeing in our Geodesic Shell builds for when installing terraform. https://github.com/cloudposse/packages/issues/3339 has anyone else seen it?

Anyone know if you can use terraform (module or resource) to customize the AWS access portal URL? By default, you can access the AWS access portal by using a URL that follows this format: <http://d-xxxxxxxxxx.awsapps.com/start|d-xxxxxxxxxx.awsapps.com/start>. But, I want to customize it with TF.

Hey,
We are seeing this error in datadog:
Failed to process: error unmarshaling JSON: json: cannot unmarshal string into Go struct field GitHubOptions.appID of type int64 from our argocd-notifications-controller. Does someone know how to fix this?

Hello, I am trying to set up an AWS SQS dead letter queue using this simple example from the resource doc:

resource "aws_sqs_queue" "terraform_queue_deadletter" {
  name = "terraform-example-deadletter-queue"
  redrive_allow_policy = jsonencode({
    redrivePermission = "byQueue",
    sourceQueueArns   = [aws_sqs_queue.terraform_queue.arn]
  })
}

However when I open the console I can see that the queue was not set up as a DLQ (screenshot attached)

Is it something that I am missing? Or something in the AWS Docs is not very clear?

Anyone using dynamodb_endpointin your backend configuration? Im running Atlantis in account A and our current Ddb table is in account B. If I disable the dynamodb_endpoint and dynamodb_table from my backend configuration everything works fine. The S3 bucket is in account B so I know i have my IAM roles and what not configured right. Basically everything works right until I enable dynamo state locking. The error I get from Atlantis is

ResourceNotFoundException: Required resource not found

Im assuming it cant find my table since it works otherwise. Here are the values im using in my config...

dynamodb_endpoint = "<http://dynamodb.us-east-1.amazonaws.com|dynamodb.us-east-1.amazonaws.com>" <- Is this the correct value for the endpoint assuming in im us-east-1?
dynamodb_table    = "tf-state-lock"

As background if I manually run terraform plans and applies from within the B account as a terraform user it also works. Is there some trick here that im missing?

dumb question but when doing stuff like

module "ops_siem_label" {
  source  = "../../../modules/null-label"
  name    = "ops-siem"
  context = module.this.context
}

Is there a preffered way by CP for how you'd do the name? so that the - uses the seperator? We often have 2-3 word names and my OCD is like this should respect the seperator option the owner requested

Hi All,
What's the best way to learn Terraform.
Is there any course with better hands-on ?

official docs

I would agree with using the docs. the best way to learn Terraform is to:
1. Think about what you want to build (ie, website with a loadbalancer, webserver, and external database for example)
2. Decide what cloud you want to build it on
3. Read the docs to start building the resources you need for step 1

When using this EKS module (terraform-aws-modules/eks/aws) you need to specify a kubernetes provider in order to modify the aws-auth configmap. I'm trying to create a kubernetes provider with an alias, but I'm not sure how to pass the alias information to the EKS module. Anyone know how to do this?

v1.4.0-rc1
1.4.0 (Unreleased)
UPGRADE NOTES:

config: The textencodebase64 function when called with encoding "GB18030" will now encode the euro symbol € as the two-byte sequence 0xA2,0xE3, as required by the GB18030 standard, before applying base64 encoding.


config: The textencodebase64 function when called with encoding "GBK" or "CP936" will now encode the euro symbol € as the single byte 0x80 before applying base64 encoding. This matches the behavior of the Windows API when encoding to this...

Hi folks.. I'm trying to create a eks cluster using cloudposse/eks-cluster/aws . I tried to refer eks_cloudposse\terraform-aws-eks-cluster\examples\complete\README.yaml but it seems outdated. Where can I get the latest example ?
Thanks in Advance 😄

https://medium.com/p/cc2d1d148fcd may be this article helps

Hi folks I was trying to combine eks-cluster module with bastion server module(cloudposse/ec2-bastion-server/aws`)and I have done that successfully.
But I need to pass some user_data to bastion server.I tried passing file("my_file.sh") but it is not working because the variable user_data is of type list.
How can I achieve this ?
I also tried using user_data_template variable.But it is trying to fetch the file directly from the module rather than my files.
And how can I do kubeconfig with the output of eks-cluster module ?
Can I use remote-exec provisioner for this purpose ?
Thanks in Advance 🙂

Somewhat of a generic question about how cross-account transit gateway resources work.... (module or no module)
https://github.com/cloudposse/terraform-aws-transit-gateway

Our org currently creates each environment's vpc from a separate terraform directory using distinct account credentials.
We have a separate-aws-accounts-per-environment type of setup (dev/stage/prod).

So far, I've only found examples that are structured around a single terraform config and a single terraform apply operation.
The single apply requires the credentials for two accounts, and creates resources in both accounts, and connects the transit gateways will full knowledge of both sides.

We'd prefer to keep terraform configs separate (per account) and run separate terraform apply actions to stand up transit-gateways.
If we can't do it that way, I'm hoping to understand why not.

The setup we're looking to create is two transit gateway(s) in two regions :
• existing vpc1, in region1, in accountA
• existing vpc2, in region2, in accountB
Long story short... my question:
I'm looking for an example where this is being done. *

My guesses:
So far I've come to believe that accountA must be able to discover accountB's transit_gateway_id after it gets created there (guessing it would need to read its remote_state?) -- any other tips folks can offer?

* (I'll be happy to contribute it as another multi-account /example/ in the module once I get it working.)