Allow bucket and dynamodb to be optional @nitrocode (#95)
what
- Allow the S3 bucket and the DynamoDB table to be optional
why
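- So the other properties of the module can be used without these resources being created. As the plans below show, the disabled resource's value (`bucket` or `dynamodb_table`) is then passed to the backend config template as an empty string.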
references
- Closes #72
commands
terraform plan -var-file=fixtures.us-east-2.tfvars -var="bucket_enabled=false"
Terraform will perform the following actions:
# module.tfstate_backend.data.template_file.terraform_backend_config[0] will be read during apply
# (config refers to values not yet known)
<= data "template_file" "terraform_backend_config" {
+ id = "5a980e8fb70fc8f005fdb482ab13ecfd59fb1b29ba860fddf0d9237096940026"
+ rendered = <<~EOT
terraform {
required_version = ">= 0.12.2"
backend "s3" {
region = "us-east-2"
bucket = ""
key = "terraform.tfstate"
dynamodb_table = "eg-test-terraform-tfstate-backend-lock"
profile = ""
role_arn = ""
encrypt = "true"
}
}
EOT
+ template = <<~EOT
terraform {
required_version = ">= ${terraform_version}"
backend "s3" {
region = "${region}"
bucket = "${bucket}"
key = "${terraform_state_file}"
dynamodb_table = "${dynamodb_table}"
profile = "${profile}"
role_arn = "${role_arn}"
encrypt = "${encrypt}"
}
}
EOT
+ vars = {
+ "bucket" = ""
+ "dynamodb_table" = "eg-test-terraform-tfstate-backend-lock"
+ "encrypt" = "true"
+ "profile" = ""
+ "region" = "us-east-2"
+ "role_arn" = ""
+ "terraform_state_file" = "terraform.tfstate"
+ "terraform_version" = "0.12.2"
}
}
# module.tfstate_backend.aws_dynamodb_table.with_server_side_encryption[0] will be created
+ resource "aws_dynamodb_table" "with_server_side_encryption" {
+ arn = (known after apply)
+ billing_mode = "PROVISIONED"
+ hash_key = "LockID"
+ id = (known after apply)
+ name = "eg-test-terraform-tfstate-backend-lock"
+ read_capacity = 5
+ stream_arn = (known after apply)
+ stream_label = (known after apply)
+ stream_view_type = (known after apply)
+ tags = {
+ "Attributes" = "lock"
+ "Name" = "eg-test-terraform-tfstate-backend-lock"
+ "Namespace" = "eg"
+ "Stage" = "test"
}
+ tags_all = {
+ "Attributes" = "lock"
+ "Name" = "eg-test-terraform-tfstate-backend-lock"
+ "Namespace" = "eg"
+ "Stage" = "test"
}
+ write_capacity = 5
+ attribute {
+ name = "LockID"
+ type = "S"
}
+ point_in_time_recovery {
+ enabled = true
}
+ server_side_encryption {
+ enabled = true
+ kms_key_arn = (known after apply)
}
}
Plan: 1 to add, 0 to change, 0 to destroy.
terraform plan -var-file=fixtures.us-east-2.tfvars -var="dynamodb_enabled=false"
Terraform will perform the following actions:
# module.tfstate_backend.data.template_file.terraform_backend_config[0] will be read during apply
# (config refers to values not yet known)
<= data "template_file" "terraform_backend_config" {
+ id = (known after apply)
+ rendered = (known after apply)
+ template = <<~EOT
terraform {
required_version = ">= ${terraform_version}"
backend "s3" {
region = "${region}"
bucket = "${bucket}"
key = "${terraform_state_file}"
dynamodb_table = "${dynamodb_table}"
profile = "${profile}"
role_arn = "${role_arn}"
encrypt = "${encrypt}"
}
}
EOT
+ vars = {
+ "bucket" = (known after apply)
+ "dynamodb_table" = ""
+ "encrypt" = "true"
+ "environment" = null
+ "name" = null
+ "namespace" = null
+ "profile" = ""
+ "region" = "us-east-2"
+ "role_arn" = ""
+ "stage" = null
+ "terraform_state_file" = "terraform.tfstate"
+ "terraform_version" = "0.12.2"
}
}
# module.tfstate_backend.aws_s3_bucket.default[0] will be created
+ resource "aws_s3_bucket" "default" {
+ acceleration_status = (known after apply)
+ acl = "private"
+ arn = (known after apply)
+ bucket = "eg-test-terraform-tfstate-backend"
+ bucket_domain_name = (known after apply)
+ bucket_regional_domain_name = (known after apply)
+ force_destroy = true
+ hosted_zone_id = (known after apply)
+ id = (known after apply)
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "s3:PutObject"
+ Condition = {
+ StringNotEquals = {
+ s3:x-amz-server-side-encryption = [
+ "AES256",
+ "aws:kms",
]
}
}
+ Effect = "Deny"
+ Principal = {
+ AWS = "*"
}
+ Resource = "arn:aws:s3:::eg-test-terraform-tfstate-backend/*"
+ Sid = "DenyIncorrectEncryptionHeader"
},
+ {
+ Action = "s3:PutObject"
+ Condition = {
+ Null = {
+ s3:x-amz-server-side-encryption = [
+ "true",
]
}
}
+ Effect = "Deny"
+ Principal = {
+ AWS = "*"
}
+ Resource = "arn:aws:s3:::eg-test-terraform-tfstate-backend/*"
+ Sid = "DenyUnEncryptedObjectUploads"
},
+ {
+ Action = "s3:*"
+ Condition = {
+ Bool = {
+ aws:SecureTransport = [
+ "false",
]
}
}
+ Effect = "Deny"
+ Principal = {
+ AWS = "*"
}
+ Resource = [
+ "arn:aws:s3:::eg-test-terraform-tfstate-backend/*",
+ "arn:aws:s3:::eg-test-terraform-tfstate-backend",
]
+ Sid = "EnforceTlsRequestsOnly"
},
]
+ Version = "2012-10-17"
}
)
+ region = (known after apply)
+ request_payer = (known after apply)
+ tags = {
+ "Name" = "eg-test-terraform-tfstate-backend"
+ "Namespace" = "eg"
+ "Stage" = "test"
}
+ tags_all = {
+ "Name" = "eg-test-terraform-tfstate-backend"
+ "Namespace" = "eg"
+ "Stage" = "test"
}
+ website_domain = (known after apply)
+ website_endpoint = (known after apply)
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
}
}
}
+ versioning {
+ enabled = true
+ mfa_delete = false
}
}
# module.tfstate_backend.aws_s3_bucket_public_access_block.default[0] will be created
+ resource "aws_s3_bucket_public_access_block" "default" {
+ block_public_acls = true
+ block_public_policy = true
+ bucket = (known after apply)
+ id = (known after apply)
+ ignore_public_acls = true
+ restrict_public_buckets = true
}
Plan: 2 to add, 0 to change, 0 to destroy.