I'm trying to set up AWS Config and I created a module that contains all of the resources I need. I use workspaces to differentiate between dev, stage, and prod accounts, and I also have a root account. I want my S3 bucket to live in my root account and all other resources to be created in the other accounts. Right now we are in just one region, so that is not an issue.
Currently I call my module like this:

```hcl
module "config" {
  source                            = "./modules/config"
  primary_region                    = var.primary_region
  encryption_enabled                = var.encryption_enabled
  prefix                            = var.prefix
  workspaces                        = var.workspaces
  snapshot_frequency                = var.snapshot_frequency
  config_aggregator_account         = var.config_aggregator_account
  transition_expiration             = var.transition_expiration
  transition_ia                     = var.transition_ia
  transition_ia_class               = var.transition_ia_class
  delete_non_current_version        = var.delete_non_current_version
  abort_incomplete_multipart_upload = var.abort_incomplete_multipart_upload
}
```
I then create my bucket like so:

```hcl
resource "aws_s3_bucket" "config_bucket" {
  count  = terraform.workspace == "root" ? 1 : 0
  bucket = "bucket-config-data"
}

resource "aws_s3_bucket_policy" "config_bucket_access" {
  count  = terraform.workspace == "root" ? 1 : 0
  bucket = aws_s3_bucket.config_bucket[0].id
  policy = data.aws_iam_policy_document.config_bucket_policy.json
}
```

etc.
If I run plan for the root workspace it wants to create the bucket as I want. If I try to run a plan in any other workspace I get this error:
```
│ Error: Invalid index
│
│ on modules/config/config.tf line 15, in resource "aws_config_delivery_channel" "config_channel":
│ 15: s3_bucket_name = aws_s3_bucket.config_bucket[0].id
│ ├────────────────
│ │ aws_s3_bucket.config_bucket is empty tuple
│
│ The given key does not identify an element in this collection value: the collection has no elements.
```
If I remove the `[0]` and run plan again I get the following error:
```
│ Error: Missing resource instance key
│
│ on modules/config/s3.tf line 8, in resource "aws_s3_bucket_policy" "config_bucket_access":
│ 8: bucket = aws_s3_bucket.config_bucket.id
│
│ Because aws_s3_bucket.config_bucket has "count" set, its attributes must be accessed on specific instances.
│
│ For example, to correlate with indices of a referring resource, use:
│ aws_s3_bucket.config_bucket[count.index]
```
How should I be building my module with all resources and limit one piece to only one account?
Or should I pull that resource out of the module and build it separately?
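For illustration, here is one way to lay the module out so the conditional bucket never has to be indexed from a workspace where it does not exist (an added example, not the poster's module): the bucket name is passed in as a variable (assumed name `var.config_bucket_name`), resources that only exist in root use `one()` over a splat instead of `[0]`, and the delivery channel references the bucket by name rather than by resource attribute. The policy document is assumed to be the poster's existing `data.aws_iam_policy_document.config_bucket_policy`.

```hcl
# Added example, not the original module. Assumes Terraform >= 0.15 (for one())
# and an existing data.aws_iam_policy_document.config_bucket_policy that grants
# config.amazonaws.com write access for every member account.

variable "config_bucket_name" {
  description = "Name of the central Config bucket that lives in the root account (assumed input)"
  type        = string
}

locals {
  is_root = terraform.workspace == "root"
}

# Only the root workspace owns the bucket; everywhere else count is 0.
resource "aws_s3_bucket" "config_bucket" {
  count  = local.is_root ? 1 : 0
  bucket = var.config_bucket_name
}

# Same condition, so this resource disappears together with the bucket.
# one() returns the single element of the splat, or null when the tuple is
# empty, so there is no "Invalid index" error in non-root workspaces.
resource "aws_s3_bucket_policy" "config_bucket_access" {
  count  = local.is_root ? 1 : 0
  bucket = one(aws_s3_bucket.config_bucket[*].id)
  policy = data.aws_iam_policy_document.config_bucket_policy.json
}

# Created in every workspace. Referencing the bucket by name rather than
# through the resource avoids depending on a bucket this account never creates;
# AWS Config still needs the root-account bucket policy to allow the write.
resource "aws_config_delivery_channel" "config_channel" {
  name           = "config-channel"
  s3_bucket_name = var.config_bucket_name
  depends_on     = [aws_s3_bucket_policy.config_bucket_access]
}
```

With this shape the root workspace plans the bucket and its policy, while member workspaces plan only the delivery channel against the already-existing bucket name; the alternative the question raises, creating the bucket in a separate root-only root module and feeding its name into this one, works the same way from the module's point of view.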