Create CyHy Lambda artifacts bucket name using bucket_prefix
This makes our bucket names unique and allows us to remove some local variables that are no longer needed.

Co-authored-by: Nicholas McDonnell <[email protected]>
Co-authored-by: Jeremy Frasier <[email protected]>
3 people committed Sep 23, 2024
1 parent 10c9d32 commit 0795de6
Showing 5 changed files with 5 additions and 16 deletions.
4 changes: 1 addition & 3 deletions README.md
Expand Up @@ -140,12 +140,10 @@ changes by simply running `terraform apply -var-file=<workspace_name>.tfvars`.
|------|-------------|------|---------|:--------:|
| aws\_region | The AWS region where the non-global resources for the Cyber Hygiene account are to be provisioned (e.g. "us-east-1"). | `string` | `"us-east-1"` | no |
| cool\_lambda\_artifacts\_s3\_bucket | The name of the bucket where COOL Lambda deployment packages are to be stored. | `string` | n/a | yes |
| cyhy\_lambda\_artifacts\_s3\_bucket | The name of the bucket in the Cyber Hygiene account where any Lambda deployment artifacts for a CyHy environment will be stored. Note that in production Terraform workspaces, the string '-production' will be appended to the bucket name. In non-production workspaces, '-<workspace\_name>' will be appended to the bucket name. | `string` | `"cool-cyhy-lambda-deployment-artifacts"` | no |
| cyhy\_lambda\_artifacts\_s3\_bucket\_prefix | The prefix of the name of the bucket in the Cyber Hygiene account where any Lambda deployment artifacts for a CyHy environment will be stored. A unique bucket name beginning with the specified prefix will be created. | `string` | `"cool-cyhy-lambda-deployment-artifacts"` | no |
| disable\_inactive\_users\_lambda\_key | The S3 key associated with the Lambda function deployment package to disable inactive IAM users. | `string` | n/a | yes |
| provisionaccount\_role\_description | The description to associate with the IAM role that allows sufficient permissions to provision all AWS resources in the Cyber Hygiene account. | `string` | `"Allows sufficient permissions to provision all AWS resources in the Cyber Hygiene account."` | no |
| provisionaccount\_role\_name | The name to assign the IAM role that allows sufficient permissions to provision all AWS resources in the Cyber Hygiene account. | `string` | `"ProvisionAccount"` | no |
| provisioncyhyroot\_policy\_description | The description to associate with the IAM policy that allows sufficient permissions to provision all AWS resources required by cisagov/cyhy-tf-root. | `string` | `"Allows sufficient permissions to provision all AWS resources required by cisagov/cyhy-tf-root."` | no |
| provisioncyhyroot\_policy\_name | The name to assign the IAM policy that allows sufficient permissions to provision all AWS resources required by cisagov/cyhy-tf-root. | `string` | `"ProvisionCyHyRoot"` | no |
| provisionlambdabucket\_policy\_description | The description to associate with the IAM policy that allows sufficient permissions to provision the Lambda deployment artifacts S3 bucket in the Cyber Hygiene account. | `string` | `"Allows sufficient permissions to provision the Lambda deployment artifacts S3 bucket in the Cyber Hygiene account."` | no |
| provisionlambdabucket\_policy\_name | The name to assign the IAM policy that allows sufficient permissions to provision the Lambda deployment artifacts S3 bucket in the Cyber Hygiene account. | `string` | `"ProvisionLambdaArtifactsBucket"` | no |
| provisionssmsessionmanager\_policy\_description | The description to associate with the IAM policy that allows sufficient permissions to provision the SSM Document resource and set up SSM session logging in the Cyber Hygiene account. | `string` | `"Allows sufficient permissions to provision the SSM Document resource and set up SSM session logging in the Cyber Hygiene account."` | no |
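Review bot: the removed row was the only place an operator was told how to derive the real bucket name; the replacement row says a unique name beginning with the prefix will be created, but not where that generated name is exposed. Suggest extending the description (and therefore this row) with a pointer to where the full name is read from, for example the `bucket` attribute of `aws_s3_bucket.lambda_artifacts` surfaced as an output, so that anyone uploading a deployment package does not have to look it up in state.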
2 changes: 1 addition & 1 deletion lambda_artifacts_bucket.tf
@@ -1,7 +1,7 @@
# This bucket is used to store the deployment packages for any Lambda functions
# that will be used in a CyHy environment.
resource "aws_s3_bucket" "lambda_artifacts" {
bucket = local.lambda_bucket_name
bucket_prefix = var.cyhy_lambda_artifacts_s3_bucket_prefix

tags = {
"Name" = "Lambda Deployment Artifacts"
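Review bot: replacing `bucket = local.lambda_bucket_name` with `bucket_prefix = ...` changes the bucket's name, and a bucket name cannot be changed in place, so Terraform will plan a destroy-and-recreate of `aws_s3_bucket.lambda_artifacts` on the next apply. Any deployment packages already stored under the old name (the objects referenced by keys such as `disable_inactive_users_lambda_key`) must be copied to the new bucket before the old one is destroyed, and a non-empty old bucket will make the destroy fail. This is worth calling out in the commit message or a migration note so that whoever applies it in production is not surprised by the replacement.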
9 changes: 0 additions & 9 deletions locals.tf
Expand Up @@ -17,15 +17,6 @@ locals {
# Get the CyHy account ID.
cyhy_account_id = data.aws_caller_identity.cyhy.id

# Determine if this is a Production workspace by checking if
# terraform.workspace begins with "prod"
production_workspace = length(regexall("^prod", terraform.workspace)) == 1

# In production Terraform workspaces, the string '-production' is appended to
# the bucket name. In non-production workspaces, '-<workspace_name>' is
# appended to the bucket name.
lambda_bucket_name = format("%s-%s", var.cyhy_lambda_artifacts_s3_bucket, local.production_workspace ? "production" : terraform.workspace)

# Find the Users account
users_account_id = [
for account in data.aws_organizations_organization.cool.accounts :
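Review bot: this hunk drops `local.production_workspace` together with `local.lambda_bucket_name`, but the commit only touches five files, so please confirm that no other `.tf` file in the repository still references `local.production_workspace`; `terraform validate` on the workspace will report any remaining reference. If none exists, the removal is clean and the workspace-name suffix logic is no longer needed once the provider generates the unique name.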
2 changes: 1 addition & 1 deletion provisionlambdabucket_policy.tf
Expand Up @@ -20,7 +20,7 @@ data "aws_iam_policy_document" "provisionlambdabucket_policy_doc" {
]

resources = [
"arn:aws:s3:::${local.lambda_bucket_name}",
"arn:aws:s3:::${var.cyhy_lambda_artifacts_s3_bucket_prefix}*",
]
}
}
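Review bot: the new resource pattern `arn:aws:s3:::${var.cyhy_lambda_artifacts_s3_bucket_prefix}*` is broader than the single bucket ARN it replaces in two ways. It matches every bucket whose name starts with the prefix rather than one named bucket, and because object ARNs have the form `arn:aws:s3:::bucket/key`, a trailing `*` with no `/` before it also matches every object inside those buckets, which the old line did not. The first widening is unavoidable once the name is only known at apply time, but a comment on the line explaining why the wildcard is there, plus a check that the actions list above (not shown in this hunk) contains only the bucket-level actions the provisioning role actually needs, would keep the policy aligned with least privilege.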
4 changes: 2 additions & 2 deletions variables.tf
Expand Up @@ -26,9 +26,9 @@ variable "aws_region" {
type = string
}

variable "cyhy_lambda_artifacts_s3_bucket" {
variable "cyhy_lambda_artifacts_s3_bucket_prefix" {
default = "cool-cyhy-lambda-deployment-artifacts"
description = "The name of the bucket in the Cyber Hygiene account where any Lambda deployment artifacts for a CyHy environment will be stored. Note that in production Terraform workspaces, the string '-production' will be appended to the bucket name. In non-production workspaces, '-<workspace_name>' will be appended to the bucket name."
description = "The prefix of the name of the bucket in the Cyber Hygiene account where any Lambda deployment artifacts for a CyHy environment will be stored. A unique bucket name beginning with the specified prefix will be created."
type = string
}

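Review bot: with `bucket_prefix` the AWS provider appends a 26-character unique suffix and S3 limits bucket names to 63 characters, so the provider only accepts prefixes of at most 37 characters; the default `cool-cyhy-lambda-deployment-artifacts` is exactly 37, so there is no headroom. A `validation` block on this variable (length at most 37, lowercase letters, digits and hyphens only) would reject an over-long or uppercase override at plan time instead of failing at apply. The description could also state that the full generated name is available from the resource's `bucket` attribute once created.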