cloudposse / terraform-aws-tfstate-backend

Terraform module that provisions an S3 bucket to store the `terraform.tfstate` file and a DynamoDB table to lock the state file, preventing concurrent modifications and state corruption.

Allow bucket and dynamodb to be optional #95

Closed nitrocode closed 3 years ago

nitrocode commented 3 years ago

what

why

references

commands

terraform plan -var-file=fixtures.us-east-2.tfvars -var="bucket_enabled=false" ```shell Terraform will perform the following actions: # module.tfstate_backend.data.template_file.terraform_backend_config[0] will be read during apply # (config refers to values not yet known) <= data "template_file" "terraform_backend_config" { + id = "5a980e8fb70fc8f005fdb482ab13ecfd59fb1b29ba860fddf0d9237096940026" + rendered = <<~EOT terraform { required_version = ">= 0.12.2" backend "s3" { region = "us-east-2" bucket = "" key = "terraform.tfstate" dynamodb_table = "eg-test-terraform-tfstate-backend-lock" profile = "" role_arn = "" encrypt = "true" } } EOT + template = <<~EOT terraform { required_version = ">= ${terraform_version}" backend "s3" { region = "${region}" bucket = "${bucket}" key = "${terraform_state_file}" dynamodb_table = "${dynamodb_table}" profile = "${profile}" role_arn = "${role_arn}" encrypt = "${encrypt}" } } EOT + vars = { + "bucket" = "" + "dynamodb_table" = "eg-test-terraform-tfstate-backend-lock" + "encrypt" = "true" + "profile" = "" + "region" = "us-east-2" + "role_arn" = "" + "terraform_state_file" = "terraform.tfstate" + "terraform_version" = "0.12.2" } } # module.tfstate_backend.aws_dynamodb_table.with_server_side_encryption[0] will be created + resource "aws_dynamodb_table" "with_server_side_encryption" { + arn = (known after apply) + billing_mode = "PROVISIONED" + hash_key = "LockID" + id = (known after apply) + name = "eg-test-terraform-tfstate-backend-lock" + read_capacity = 5 + stream_arn = (known after apply) + stream_label = (known after apply) + stream_view_type = (known after apply) + tags = { + "Attributes" = "lock" + "Name" = "eg-test-terraform-tfstate-backend-lock" + "Namespace" = "eg" + "Stage" = "test" } + tags_all = { + "Attributes" = "lock" + "Name" = "eg-test-terraform-tfstate-backend-lock" + "Namespace" = "eg" + "Stage" = "test" } + write_capacity = 5 + attribute { + name = "LockID" + type = "S" } + point_in_time_recovery { + enabled = 
true } + server_side_encryption { + enabled = true + kms_key_arn = (known after apply) } } Plan: 1 to add, 0 to change, 0 to destroy. ```
terraform plan -var-file=fixtures.us-east-2.tfvars -var="dynamodb_enabled=false" ```shell Terraform will perform the following actions: # module.tfstate_backend.data.template_file.terraform_backend_config[0] will be read during apply # (config refers to values not yet known) <= data "template_file" "terraform_backend_config" { + id = (known after apply) + rendered = (known after apply) + template = <<~EOT terraform { required_version = ">= ${terraform_version}" backend "s3" { region = "${region}" bucket = "${bucket}" key = "${terraform_state_file}" dynamodb_table = "${dynamodb_table}" profile = "${profile}" role_arn = "${role_arn}" encrypt = "${encrypt}" } } EOT + vars = { + "bucket" = (known after apply) + "dynamodb_table" = "" + "encrypt" = "true" + "environment" = null + "name" = null + "namespace" = null + "profile" = "" + "region" = "us-east-2" + "role_arn" = "" + "stage" = null + "terraform_state_file" = "terraform.tfstate" + "terraform_version" = "0.12.2" } } # module.tfstate_backend.aws_s3_bucket.default[0] will be created + resource "aws_s3_bucket" "default" { + acceleration_status = (known after apply) + acl = "private" + arn = (known after apply) + bucket = "eg-test-terraform-tfstate-backend" + bucket_domain_name = (known after apply) + bucket_regional_domain_name = (known after apply) + force_destroy = true + hosted_zone_id = (known after apply) + id = (known after apply) + policy = jsonencode( { + Statement = [ + { + Action = "s3:PutObject" + Condition = { + StringNotEquals = { + s3:x-amz-server-side-encryption = [ + "AES256", + "aws:kms", ] } } + Effect = "Deny" + Principal = { + AWS = "*" } + Resource = "arn:aws:s3:::eg-test-terraform-tfstate-backend/*" + Sid = "DenyIncorrectEncryptionHeader" }, + { + Action = "s3:PutObject" + Condition = { + Null = { + s3:x-amz-server-side-encryption = [ + "true", ] } } + Effect = "Deny" + Principal = { + AWS = "*" } + Resource = "arn:aws:s3:::eg-test-terraform-tfstate-backend/*" + Sid = 
"DenyUnEncryptedObjectUploads" }, + { + Action = "s3:*" + Condition = { + Bool = { + aws:SecureTransport = [ + "false", ] } } + Effect = "Deny" + Principal = { + AWS = "*" } + Resource = [ + "arn:aws:s3:::eg-test-terraform-tfstate-backend/*", + "arn:aws:s3:::eg-test-terraform-tfstate-backend", ] + Sid = "EnforceTlsRequestsOnly" }, ] + Version = "2012-10-17" } ) + region = (known after apply) + request_payer = (known after apply) + tags = { + "Name" = "eg-test-terraform-tfstate-backend" + "Namespace" = "eg" + "Stage" = "test" } + tags_all = { + "Name" = "eg-test-terraform-tfstate-backend" + "Namespace" = "eg" + "Stage" = "test" } + website_domain = (known after apply) + website_endpoint = (known after apply) + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" } } } + versioning { + enabled = true + mfa_delete = false } } # module.tfstate_backend.aws_s3_bucket_public_access_block.default[0] will be created + resource "aws_s3_bucket_public_access_block" "default" { + block_public_acls = true + block_public_policy = true + bucket = (known after apply) + id = (known after apply) + ignore_public_acls = true + restrict_public_buckets = true } Plan: 2 to add, 0 to change, 0 to destroy. ```
nitrocode commented 3 years ago

/test all

nitrocode commented 3 years ago

/test all