From 7639b746a9d11a084202590797bb90591f604829 Mon Sep 17 00:00:00 2001
From: jonathan-cantu-icf <jonathan.cantu@icf.com>
Date: Thu, 12 Feb 2026 14:03:09 -0500
Subject: [PATCH 1/2] Cleanup of root.tofu.tf for platform and services using 
 as a tool to identify issues.

---
 ops/platform/root.tofu.tf | 19 +++++--------------
 ops/services/root.tofu.tf | 19 +++++--------------
 2 files changed, 10 insertions(+), 28 deletions(-)

diff --git a/ops/platform/root.tofu.tf b/ops/platform/root.tofu.tf
index ed70b04b1d..a10ad52b38 100644
--- a/ops/platform/root.tofu.tf
+++ b/ops/platform/root.tofu.tf
@@ -8,17 +8,15 @@ locals {
   # handled by the Terraservice module.
   account_type = coalesce(var.account_type, one([for x in local.account_types : x if x == terraform.workspace]))
 
+  # This is just a breadcrum - helper variable that is not actually used in code but helps in tracking whether or not we are including this tf.
+  # tflint-ignore: terraform_unused_declarations
   _canary_exists = module.terraservice.canary
 }
 
 variable "region" {
   default  = "us-east-1"
   nullable = false
-}
-
-variable "secondary_region" {
-  default  = "us-west-2"
-  nullable = false
+  type     = string
 }
 
 variable "account_type" {
@@ -36,6 +34,7 @@ variable "account_type" {
   }
 }
 
+# tflint-ignore: terraform_required_providers
 provider "aws" {
   region = var.region
   default_tags {
@@ -43,15 +42,7 @@ provider "aws" {
   }
 }
 
-provider "aws" {
-  alias = "secondary"
-
-  region = var.secondary_region
-  default_tags {
-    tags = local.default_tags
-  }
-}
-
+# tflint-ignore: terraform_required_version
 terraform {
   backend "s3" {
     bucket       = "bfd-platform-${local.account_type}-tf-state"
diff --git a/ops/services/root.tofu.tf b/ops/services/root.tofu.tf
index 70410d4349..a5df52c048 100644
--- a/ops/services/root.tofu.tf
+++ b/ops/services/root.tofu.tf
@@ -9,17 +9,15 @@ locals {
     "invalid-parent-env"
   )
 
+  # This is just a breadcrum - helper variable that is not actually used in code but helps in tracking whether or not we are including this tf.
+  # tflint-ignore: terraform_unused_declarations
   _canary_exists = module.terraservice.canary
 }
 
 variable "region" {
   default  = "us-east-1"
   nullable = false
-}
-
-variable "secondary_region" {
-  default  = "us-west-2"
-  nullable = false
+  type     = string
 }
 
 variable "parent_env" {
@@ -37,6 +35,7 @@ variable "parent_env" {
   }
 }
 
+# tflint-ignore: terraform_required_providers
 provider "aws" {
   region = var.region
   default_tags {
@@ -44,16 +43,8 @@ provider "aws" {
   }
 }
 
-provider "aws" {
-  alias = "secondary"
-
-  region = var.secondary_region
-  default_tags {
-    tags = local.default_tags
-  }
-}
-
 terraform {
+  required_version = "~> 1.6"
   backend "s3" {
     bucket       = "bfd-${local.parent_env}-tf-state"
     key          = "ops/services/${local.service}/tofu.tfstate"

From bf376d6a99171d8f8e9b601f41b5aba917a112ca Mon Sep 17 00:00:00 2001
From: jonathan-cantu-icf <jonathan.cantu@icf.com>
Date: Fri, 13 Feb 2026 15:53:41 -0500
Subject: [PATCH 2/2] Reintroduce secondary_region - apparently necessary for 
 for cross-region configuration as seen in the KMS key definitions. For now,
 they should be maintained.

---
 ops/platform/root.tofu.tf | 16 ++++++++++++++++
 ops/services/root.tofu.tf | 16 ++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/ops/platform/root.tofu.tf b/ops/platform/root.tofu.tf
index a10ad52b38..deb4a4f165 100644
--- a/ops/platform/root.tofu.tf
+++ b/ops/platform/root.tofu.tf
@@ -19,6 +19,12 @@ variable "region" {
   type     = string
 }
 
+variable "secondary_region" {
+  default  = "us-west-2"
+  nullable = false
+  type     = string
+}
+
 variable "account_type" {
   description = <<-EOF
   The account type being targeted to create platform resources within. Will correspond with
@@ -42,6 +48,16 @@ provider "aws" {
   }
 }
 
+# tflint-ignore: terraform_required_providers, terraform_unused_declarations
+provider "aws" {
+  alias = "secondary"
+
+  region = var.secondary_region
+  default_tags {
+    tags = local.default_tags
+  }
+}
+
 # tflint-ignore: terraform_required_version
 terraform {
   backend "s3" {
diff --git a/ops/services/root.tofu.tf b/ops/services/root.tofu.tf
index a5df52c048..b0f1924958 100644
--- a/ops/services/root.tofu.tf
+++ b/ops/services/root.tofu.tf
@@ -20,6 +20,12 @@ variable "region" {
   type     = string
 }
 
+variable "secondary_region" {
+  default  = "us-west-2"
+  nullable = false
+  type     = string
+}
+
 variable "parent_env" {
   description = <<-EOF
   The parent environment of the current solution. Will correspond with `terraform.workspace`".
@@ -43,6 +49,16 @@ provider "aws" {
   }
 }
 
+# tflint-ignore: terraform_required_providers, terraform_unused_declarations
+provider "aws" {
+  alias = "secondary"
+
+  region = var.secondary_region
+  default_tags {
+    tags = local.default_tags
+  }
+}
+
 terraform {
   required_version = "~> 1.6"
   backend "s3" {