
🤖 feat: use Terraform profile-based AWS auth with refresh#28

Merged
ibetitsmike merged 3 commits into
mainfrom
mike/aws-cli-refresh-auth
Feb 10, 2026

Conversation

@ibetitsmike (Collaborator) commented Feb 10, 2026

Summary

Harden Terraform AWS authentication and AZ selection for EKS: keep default credential-chain compatibility, support refreshable profile-based auth when desired, and avoid selecting unsupported Local/Wavelength zones for cluster subnets.

Background

Two reliability issues were addressed:

  1. Forcing profile = terraform broke environments that depend on the default AWS credential chain (CI, role-based runtime creds, etc.).
  2. Selecting the first two state=available zones can pick Local/Wavelength zones in opted-in accounts, which EKS does not support for control plane subnets.

Implementation

  • Updated terraform/variables.tf:
    • aws_profile is now optional (default = null) so the default AWS SDK credential chain remains intact
  • Updated terraform/versions.tf:
    • provider still supports explicit profile selection via profile = var.aws_profile
  • Updated terraform/vpc.tf:
    • data "aws_availability_zones" "available" now filters zone-type = availability-zone
    • first-two-AZ behavior now applies only to standard AZs (excluding Local/Wavelength)
  • Updated terraform/README.md:
    • documents that default auth is credential-chain based
    • documents optional auto-refresh workflow with credential_process
    • clarifies profile override should apply to all AWS-authenticated commands (plan, apply, destroy) or be set once via TF_VAR_aws_profile

Validation

  • terraform -chdir=terraform fmt -recursive -check
  • terraform -chdir=terraform init -backend=false -input=false
  • terraform -chdir=terraform validate

Risks

Low risk. Scope is limited to Terraform config and docs. Backward compatibility improves for non-profile environments, while profile-based flows remain supported and documented.


Generated with mux • Model: openai:gpt-5.3-codex • Thinking: xhigh • Cost: $0.53
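The three Terraform changes listed under Implementation, plus the credential_process profile the README describes, shown together as an added example. This is not the project's own code: the variable `aws_region`, the provider version constraint, the VPC/subnet resources, the CIDRs and the path of the refresh script are assumptions made here for illustration; only the `aws_profile` variable, the `profile = var.aws_profile` provider argument and the `zone-type` filter come from the PR description.

```hcl
# terraform/variables.tf (illustrative)
variable "aws_region" {
  description = "Region for the EKS cluster (variable name assumed for this example)"
  type        = string
  default     = "us-east-1"
}

variable "aws_profile" {
  description = "Optional named profile. null (the default) leaves the AWS SDK default credential chain intact"
  type        = string
  default     = null
}

# terraform/versions.tf (illustrative; version constraints are assumptions)
terraform {
  required_version = ">= 1.5.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = var.aws_region
  # A null argument is treated as unset, so CI runners and role-based
  # runtimes still resolve credentials through env vars, instance/task
  # metadata, SSO, etc. Setting it forces the named profile instead.
  profile = var.aws_profile
}

# terraform/vpc.tf (illustrative)
# Without the filter, state=available in an opted-in account can return
# Local Zones and Wavelength Zones, which EKS does not accept for
# control-plane subnets. zone-type is a standard DescribeAvailabilityZones filter.
data "aws_availability_zones" "available" {
  state = "available"

  filter {
    name   = "zone-type"
    values = ["availability-zone"]
  }
}

locals {
  # Only standard AZs reach this list, so taking the first two is safe.
  cluster_azs = slice(data.aws_availability_zones.available.names, 0, 2)
}

resource "aws_vpc" "this" {
  cidr_block = "10.0.0.0/16" # assumed CIDR
}

resource "aws_subnet" "cluster" {
  count             = length(local.cluster_azs)
  vpc_id            = aws_vpc.this.id
  availability_zone = local.cluster_azs[count.index]
  cidr_block        = cidrsubnet(aws_vpc.this.cidr_block, 8, count.index)
}

# ~/.aws/config (illustrative; the script path is an assumption).
# credential_process is the documented AWS CLI/SDK hook for refreshable
# credentials: the process must print one JSON document to stdout, e.g.
#   {"Version": 1, "AccessKeyId": "...", "SecretAccessKey": "...",
#    "SessionToken": "...", "Expiration": "2026-02-10T12:00:00Z"}
# When Expiration is present the SDK re-runs the process after it passes;
# without it the credentials are treated as long-term and never refreshed.
#
# [profile terraform]
# region = us-east-1
# credential_process = /usr/local/bin/refresh-terraform-creds
```

Select the profile once with `export TF_VAR_aws_profile=terraform` rather than passing `-var` to some commands and not others; a plan made under one identity and an apply or destroy made under another is exactly the inconsistency the README note warns about. Before running Terraform, `aws --profile terraform sts get-caller-identity` confirms the credential_process hook actually returns usable credentials, and `aws ec2 describe-availability-zones --filters Name=zone-type,Values=availability-zone` shows which zones the filtered data source will return in the target account.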

@ibetitsmike (Collaborator, Author)

@codex review

Please review this follow-up change for AWS credential auto-refresh behavior in Terraform and README guidance.

@ibetitsmike ibetitsmike added this pull request to the merge queue Feb 10, 2026
@ibetitsmike ibetitsmike removed this pull request from the merge queue due to a manual request Feb 10, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a8eeaaed73

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread terraform/versions.tf
Comment thread terraform/README.md Outdated
@ibetitsmike (Collaborator, Author)

@codex review

Addressed AZ selection hardening: availability zones are now filtered to standard zone-type=availability-zone before selecting the first two subnets, and README docs were updated accordingly.

@ibetitsmike (Collaborator, Author)

@codex review

Addressed both review items:

  • aws_profile is now optional (default = null) so default AWS credential chain behavior is preserved.
  • docs now clarify profile overrides apply across plan/apply/destroy (or via TF_VAR_aws_profile).
    Also addressed AZ filtering by restricting to standard zone-type=availability-zone.

@chatgpt-codex-connector (Bot)

Codex Review: Didn't find any major issues. Chef's kiss.


@ibetitsmike ibetitsmike added this pull request to the merge queue Feb 10, 2026
Merged via the queue into main with commit 7ddbcc7 Feb 10, 2026
7 checks passed
@ibetitsmike ibetitsmike deleted the mike/aws-cli-refresh-auth branch February 10, 2026 10:41