@jalam RE: However, note that when we started using terraspace, the bucket (in the child accounts) were already created in those individual accounts*. … I’ve just done another test deployment to another “child” account without the bucket being provisioned in advance and can confirm that like you said, it turns out that it would create the bucket in the “master” account (if the bucket doesn’t already exist).
Yeah. That's pretty confusing behavior. The code was doing this because when the bucket exists Terraspace will just leave it as is and no bucket creation logic runs. When the bucket does not exist, then Terraspace will run the bucket creation logic. Unsure why the master account has access to check whether the bucket exists or not without having to assume the role, though. Maybe bucket permission was granted via a bucket ACL. Unsure there.
In any case. Dug into this and it should be fixed now. Relevant PR:
Had to map the terraform interface to the ruby sdk, which was a bit annoying. There were some parameters that didn't seem to map at all, though, notably: assume_role_policy_arns, assume_role_tags, assume_role_transitive_tag_keys. Hope to document those in the docs.
Should generally work now, though.
Just make sure you update to the latest terraspace_plugin_aws
```
bundle info terraspace_plugin_aws
```
You should see something like this:
```
$ bundle info terraspace_plugin_aws
  * terraspace_plugin_aws (0.3.3)
        Summary: Terraspace AWS Plugin
```
As a part of this, added support for profile in the terraform s3 backend also.
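The mapping the reply describes, written out as an added example (this is not Terraspace's or terraspace_plugin_aws's own code): a Terraform s3 backend block is translated into the argument hashes the AWS Ruby SDK takes, and the bucket existence check and the bucket creation are then both run through one client built from those credentials, so neither step falls back to the caller's (master account) credentials. Assumptions: the SDK parameter names are those of `Aws::AssumeRoleCredentials.new` (`role_arn`, `role_session_name`, `external_id`, `policy`, `duration_seconds`) and `Aws::SharedCredentials.new(profile_name:)`; `ensure_bucket` expects the `head_bucket`/`create_bucket` interface of `Aws::S3::Client`, and the `FakeS3` class and `NotFound` error are stand-ins constructed here so the example runs offline without the SDK installed. The three keys the reply lists as unmapped are surfaced to the caller rather than silently dropped.

```ruby
# Added example, not Terraspace's own code. Translates Terraform s3 backend
# settings into AWS Ruby SDK options and ensures the state bucket exists using
# only the credentials the backend block names.

# Terraform backend key => keyword accepted by Aws::AssumeRoleCredentials.new
# (assumed SDK parameter names; they are forwarded to STS AssumeRole).
ASSUME_ROLE_MAP = {
  "role_arn"                     => :role_arn,
  "session_name"                 => :role_session_name,
  "external_id"                  => :external_id,
  "assume_role_policy"           => :policy,
  "assume_role_duration_seconds" => :duration_seconds,
}.freeze

# Keys reported as not mapped; returned to the caller so a warning can be logged
# instead of the setting vanishing without a trace.
UNMAPPED_ASSUME_ROLE_KEYS = %w[
  assume_role_policy_arns assume_role_tags assume_role_transitive_tag_keys
].freeze

# backend: Hash as parsed from the terraform backend "s3" block.
# Returns { options: {...}, unsupported: [...] }.
def sdk_options_from_backend(backend)
  backend = backend.transform_keys(&:to_s)
  opts = { region: backend["region"] }.compact
  unsupported = UNMAPPED_ASSUME_ROLE_KEYS.select { |k| backend.key?(k) }

  # profile => Aws::SharedCredentials.new(profile_name:) (assumed SDK API).
  # When role_arn is also set, these are the base credentials STS is called with.
  if backend["profile"]
    opts[:shared_credentials] = { profile_name: backend["profile"] }
  end

  if backend["role_arn"]
    assume = {}
    ASSUME_ROLE_MAP.each { |tf, sdk| assume[sdk] = backend[tf] if backend.key?(tf) }
    assume[:role_session_name] ||= "terraspace" # STS requires a session name
    opts[:assume_role] = assume
  end

  { options: opts, unsupported: unsupported }
end

# Stand-in for Aws::S3::Errors::NotFound so the example runs without the SDK.
class NotFound < StandardError; end

# Constructed fake with the subset of the Aws::S3::Client interface used below.
class FakeS3
  attr_reader :buckets
  def initialize(existing = [])
    @buckets = existing.dup
  end

  def head_bucket(bucket:)
    raise NotFound, bucket unless @buckets.include?(bucket)
    true
  end

  def create_bucket(bucket:, create_bucket_configuration: nil)
    @buckets << bucket
    { location: "/#{bucket}" }
  end
end

# The same client (built from the backend's credentials) does both the
# existence check and the creation, so the bucket can only ever land in the
# account those credentials resolve to.
def ensure_bucket(client, bucket, region)
  client.head_bucket(bucket: bucket)
  :exists
rescue NotFound
  params = { bucket: bucket }
  # us-east-1 rejects an explicit LocationConstraint; every other region needs one.
  unless region == "us-east-1"
    params[:create_bucket_configuration] = { location_constraint: region }
  end
  client.create_bucket(**params)
  :created
end

if $PROGRAM_NAME == __FILE__
  cfg = { "bucket" => "acme-tfstate", "region" => "us-west-2", "profile" => "child",
          "role_arn" => "arn:aws:iam::111111111111:role/terraspace", "assume_role_tags" => { "env" => "dev" } }
  result = sdk_options_from_backend(cfg)
  warn "unmapped backend keys: #{result[:unsupported].join(', ')}" unless result[:unsupported].empty?
  # In real use: client = Aws::S3::Client.new(region: ..., credentials: Aws::AssumeRoleCredentials.new(**result[:options][:assume_role]))
  client = FakeS3.new
  puts ensure_bucket(client, cfg["bucket"], cfg["region"])
end
```

The point of routing both calls through the one client is that a `head_bucket` answered by ambient master-account credentials can succeed or fail for reasons unrelated to the child account, and a `create_bucket` issued by those same credentials lands in the wrong account exactly as described above.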