Terraform/Terraform Enterprise AWS Cross Account Pipeline

I’m trying to automate a cross account codepipeline in three aws accounts. Setting this up manually would be easy since I could control when and which resource gets created at which time. However, I’m having difficulty automating this using TF/TFE.

Account A needs:

  • kms key
  • artifact bucket
  • codepipeline

Account B needs:

  • 3 x iam roles
  • S3 deploy bucket

Account C needs:

  • 3 x iam roles
  • S3 deploy bucket

The problem here is that the IAM roles for account B and C need the ARNs for the kms key and artifact bucket. I can't create the codepipeline in account A until all these resources have been created. On top of that, the actual codepipeline needs the name of the s3 deploy buckets in B and C for a ‘deploy step’ where an artifact gets extracted to these s3 buckets.

How can I solve this in an efficient manner?

Can you store all of the resources in one directory and create them all at once, or do the various accounts need their files to be separated? If they can all reside in the same directory, then it is easy and you just run terraform once and have the different resources reference each other.
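One way to lay this out in a single root module, as the reply suggests, is shown in this added example (not code from the thread): account A is the default provider, account B is reached through a second provider alias, and the B role's policy references the A ARNs so Terraform orders the creation itself. Account C would repeat the B block under a third alias; the account IDs, role names and bucket names are placeholders.

```hcl
# Added example; account IDs, role and bucket names are placeholders.
provider "aws" {
  region = "us-east-1" # account A, default provider
}
provider "aws" {
  alias  = "b"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/TerraformApply" # account B
  }
}
# Account A: the key and artifact bucket whose ARNs the other accounts need.
resource "aws_kms_key" "artifacts" {
  description         = "CodePipeline artifact key"
  enable_key_rotation = true
}
resource "aws_s3_bucket" "artifacts" {
  bucket = "example-pipeline-artifacts-a"
}
# Account B: deploy bucket and the role the pipeline's deploy action assumes.
resource "aws_s3_bucket" "deploy" {
  provider = aws.b
  bucket   = "example-deploy-b"
}
resource "aws_iam_role" "deploy" {
  provider = aws.b
  name     = "CodePipelineDeploy"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
      Principal = { AWS = "arn:aws:iam::111111111111:root" } }] # account A
  })
}
# Least privilege: read + decrypt artifacts from A, write only to B's bucket.
# Referencing the A ARNs makes Terraform create those resources first.
resource "aws_iam_role_policy" "deploy" {
  provider = aws.b
  role     = aws_iam_role.deploy.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = ["s3:GetObject", "s3:ListBucket"],
        Resource = [aws_s3_bucket.artifacts.arn, "${aws_s3_bucket.artifacts.arn}/*"] },
      { Effect = "Allow", Action = ["kms:Decrypt", "kms:DescribeKey"],
        Resource = aws_kms_key.artifacts.arn },
      { Effect = "Allow", Action = "s3:PutObject",
        Resource = "${aws_s3_bucket.deploy.arn}/*" }
    ]
  })
}
```

The `aws_codepipeline` resource in A can then use `aws_s3_bucket.deploy.bucket` as the deploy action's `BucketName` and `aws_iam_role.deploy.arn` as that action's `role_arn`, so the bucket name dependency resolves in the same apply. Cross-account access also needs the resource side: the KMS key policy and the artifact bucket policy in A must grant the B role, since an identity policy in B alone is not enough.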