Move Backup Service Role to within each deployment

Moving this role allows us to use it in the Vault Access Policies of the member account vaults, enabling restricted access to copy backups back into member accounts.

Author: kurtismash

main.tf

@@ -46,7 +46,6 @@ module "deployment" {
   }
   central_account_resource_name_prefix                = var.central_account_resource_name_prefix
   central_backup_service_linked_role_arn              = local.backup_service_linked_role_arn
-  central_backup_service_role_arn                     = module.backup_service_role.role.arn
   central_deployment_helper_role_arn                  = module.deployment_helper.lambda_role.arn
   central_deployment_helper_topic_name                = module.deployment_helper.sns_topic.name
   deployment_regions                                  = local.deployment_regions

iam-service-role.tf renamed to modules/service-deployment/iam-service-role.tf

@@ -1,11 +1,12 @@
 #
-# Creates a service role for AWS Backup.
+# Creates a service role for AWS Backup
+# One per deployment to restrict permissions for copying back to member accounts
 #
 
 module "backup_service_role" {
-  source = "./modules/iam-role"
+  source = "../iam-role"
 
-  name = join("", [var.central_account_resource_name_prefix, "backup-service-role"])
+  name = join("", [local.central_account_resource_name_prefix, "backup-service-role"])
   assume_role_policy = jsonencode({
     Version : "2012-10-17"
     Statement : [
@@ -17,7 +18,7 @@ module "backup_service_role" {
         Action : "sts:AssumeRole",
         Condition : {
           StringEquals : {
-            "aws:SourceAccount" : local.account_id
+            "aws:SourceAccount" : var.current.account_id
           }
         }
       }

modules/service-deployment/iam-sfn-backup-ingest.tf

@@ -107,7 +107,7 @@ module "backup_ingest_sfn_role" {
         "Action" : [
           "iam:PassRole"
         ],
-        "Resource" : var.central_backup_service_role_arn
+        "Resource" : module.backup_service_role.role.arn
       },
       {
         Sid : "AllowAssumeRoleInMemberAccounts",

modules/service-deployment/regional.tf

@@ -33,7 +33,7 @@ module "region" {
     standard_vaults             = local.standard_vaults
   }
   deployment = {
-    backup_service_role_arn     = var.central_backup_service_role_arn
+    backup_service_role_arn     = module.backup_service_role.role.arn
     ou_paths_including_children = local.deployment_ou_paths_including_children
   }
   eventbridge = {

modules/service-deployment/variables.tf

@@ -21,11 +21,6 @@ variable "backup_tag_key" {
   }
 }
 
-variable "central_backup_service_role_arn" {
-  description = "The ARN of the central backup service role, used to copy backups between vaults."
-  type        = string
-}
-
 variable "central_backup_service_linked_role_arn" {
   description = "The ARN of the AWS Backup service-linked role in the central account. Required to be added to custom KMS Key Policies in member accounts."
   type        = string