6 messages
JP Pakalapati 17 days ago
Hello! I'm looking for a way to switch identity depending on the component in a stack.
I have a default identity which I use to store the Terraform state file, but the component that I'm trying to create should be on another account. I have tried using the component-level identity selection, but it isn't working. It tries to create the component on the default identity no matter the config I tried.
Stanislava Racheva 8 days ago (edited)
Hi everyone 👋
I hope you're doing well. I wanted to kindly ask if someone might be able to take a look at the following issue when they have time: https://github.com/cloudposse/terraform-aws-rds-cluster/issues/271
It’s about making the random “pet name” suffix configurable (or optionally disabled) for instance names. I’m not entirely sure if there’s already a recommended approach for this, so I’d really appreciate any guidance or help.
I understand everyone has a lot on their plate, so thank you very much in advance for your time and consideration — it’s genuinely appreciated 🙏
Please let me know if I can provide any additional details.
Thanks again!
Update: we opened a PR making that suffix optional: https://github.com/cloudposse/terraform-aws-rds-cluster/pull/282
Gerry Laracuente 5 days ago
Hey folks 👋
I'm working on an interesting problem and I feel like someone out there must have run into this before:
Problem/Background
• I'm currently assuming an aws role to access an s3 bucket for backend state as follows:

    terraform {
      backend "s3" {
        ...
        assume_role = {
          role_arn = var.backend_assume_role_arn
        }
        ...
      }
    }

• This role has permissions to read and write to the s3 bucket, and I'd like to scope down permissions so that I use a read-only role during init and plan phases, and switch to a read-write role for the apply phase.
Where I'm stuck
• I can swap in the read-write role arn before running the apply phase, but the problem I run into is that since the backend config changes, an init -reconfigure is required here.
• If I run tofu init -reconfigure before the apply, this leads to Error: Inconsistent dependency lock file
• I've also attempted tofu init -reconfigure -lockfile=readonly, but that leads to Error: Provider dependency changes detected
• At this point, my only option is to run another tofu plan, which is out of the question.
An alternative
• I can remove the assume_role out of the backend block entirely.
• This allows me to assume a read-only role to begin with (in my terminal, pipeline, etc), and I can init and plan with it
• Then I can assume a read-write role before running the apply
• This does work, but I'm reaching out for other ideas here. Ideally, I don't want to have to switch role in my terminal or pipeline. The pattern I'm trying to maintain is a single AWS role that can assume the read or write roles to the s3 bucket backend during init/plan vs apply.
managedkaos 3 days ago
Email received today… 🤔
Your account has now been migrated from the legacy Free plan to HCP Terraform Free. This transition is complete, and you can continue using the platform on the Free tier at no cost.
HCP Terraform Free is built to support modern infrastructure teams with stronger security, governance, and collaboration capabilities—while incurring no cost to you for up to 500 managed resources per month.
Now that you’re on HCP Terraform Free, you can take advantage of:
• Unlimited users – Invite your entire team and collaborate without seat limits
• Single sign-on (SSO) – Secure access using your organization’s identity provider
• Policy enforcement – Maintain governance and consistency across infrastructure changes
• Run tasks – Integrate security, compliance, and other tools directly into your Terraform workflows
• Stacks – Simplify provisioning and managing resources at scale, reducing the time and overhead of managing infrastructure
Marcin Brański 1 day ago
watch out if you use KICS
https://cybersecuritynews.com/checkmarx-kics-compromised/
Marcin Brański 1 day ago
supply chain attack targeting the official checkmarx/kics Docker Hub repository