Ok so I need to make four accounts snd the aft_management_account_id would be the one you console into sometimes?
Rarely to affect all lower envs
Honestly only when you need to adjust the permission structure of all lower envs
Tends to be only as needed
I still use the console of other accounts all the time to actually fuck around with resources
The AFT just controls who can touch what
, I have some experience with deploying CT but not with terraform. I heard deploying CT with terraform was painful when it was first released but it might have improved since then.
