Call S3 bucket from deployment helper

Author: paulschwarzenberger

locals.tf

@@ -20,8 +20,9 @@ module "deployment_helper" {
   }
   deployment_regions                                 = local.deployment_regions
   lambda_function_name                               = join("", [var.central_account_resource_name_prefix, "deployment-helper"])
+  central_account_resource_name_prefix               = var.central_account_resource_name_prefix
   member_account_deployment_helper_role_arn_patterns = [for i in local.member_account_deployment_helper_role_names : join("", ["arn:", local.partition_id, ":iam::*:role/", i])]
-  terraform_state_bucket_name                        = local.terraform_state_bucket_name
+  terraform_state_bucket_name                        = var.terraform_state_bucket_name
 }
 
 module "deployment" {
@@ -52,10 +53,3 @@ module "deployment" {
   member_account_deployment_helper_role_name_template = replace(local.member_account_deployment_helper_role_name_template, "<SERVICE>", each.key)
   member_account_resource_name_prefix                 = var.member_account_resource_name_prefix
 }
-
-module "tf_state_bucket" {
-  source = "./modules/s3"
-  count  = var.terraform_state_bucket_name == "" ? 1 : 0
-
-  central_account_resource_name_prefix = var.central_account_resource_name_prefix
-}

main.tf

@@ -24,7 +24,7 @@ module "lambda_role" {
           "s3:GetBucketLocation",
           "s3:ListBucket"
         ]
-        Resource : "arn:${var.current.partition}:s3:::${var.terraform_state_bucket_name}"
+        Resource : local.terraform_state_bucket_arn
       },
       {
         Effect : "Allow"
@@ -33,7 +33,7 @@ module "lambda_role" {
           "s3:PutObject",
           "s3:DeleteObject"
         ]
-        Resource : "arn:${var.current.partition}:s3:::${var.terraform_state_bucket_name}/*"
+        Resource : "${local.terraform_state_bucket_arn}/*"
       },
       {
         Effect : "Allow"

modules/deployment-helper/iam.tf

@@ -0,0 +1,11 @@
+locals {
+  terraform_state_bucket_name = (
+    var.terraform_state_bucket_name != "" ? var.terraform_state_bucket_name :
+    module.tf_state_bucket[0].s3_bucket_name
+  )
+
+  terraform_state_bucket_arn = (
+    var.terraform_state_bucket_name != "" ? "arn:${var.current.partition}:s3:::${var.terraform_state_bucket_name}" :
+    module.tf_state_bucket[0].s3_bucket_arn
+  )
+}

modules/deployment-helper/locals.tf

@@ -9,5 +9,5 @@ module "deployment_helper_regional" {
   }
   lambda_function_name        = var.lambda_function_name
   lambda_role_arn             = module.lambda_role.role.arn
-  terraform_state_bucket_name = var.terraform_state_bucket_name
+  terraform_state_bucket_name = local.terraform_state_bucket_name
 }

modules/deployment-helper/regional.tf

@@ -0,0 +1,6 @@
+module "tf_state_bucket" {
+  source = "../s3"
+  count  = var.terraform_state_bucket_name == "" ? 1 : 0
+
+  central_account_resource_name_prefix = var.central_account_resource_name_prefix
+}

modules/deployment-helper/s3.tf

@@ -17,6 +17,11 @@ variable "lambda_function_name" {
   type        = string
 }
 
+variable "central_account_resource_name_prefix" {
+  type        = string
+  description = "Prefix to be used for resource names in the central account."
+}
+
 variable "member_account_deployment_helper_role_arn_patterns" {
   description = "The patterns to use to restrict role assumption to the member account Deployment Helper roles."
   type        = list(string)