From 2d49b9553009b37fd443d1624478b958a2b45de5 Mon Sep 17 00:00:00 2001 From: Noam Shraga Date: Tue, 1 Jul 2025 13:03:11 +0300 Subject: [PATCH 1/3] SAAS-29539 - Auto-Discovery | AWS | Single | Terraform | Split volume scanning deployment Resolves: SAAS-29539 --- main.tf | 3 +- modules/organization/main.tf | 2 +- modules/organization/variables.tf | 10 ++-- modules/single/main.tf | 7 ++- modules/single/modules/kinesis/main.tf | 49 ++++++++++++------- modules/single/modules/kinesis/outputs.tf | 20 ++++---- modules/single/modules/kinesis/variables.tf | 8 ++- modules/single/modules/lambda/locals.tf | 2 +- modules/single/modules/lambda/main.tf | 19 ++++--- modules/single/modules/lambda/outputs.tf | 2 +- modules/single/modules/lambda/variables.tf | 6 +++ modules/single/modules/stackset/main.tf | 15 +++--- modules/single/modules/stackset/outputs.tf | 14 +++--- modules/single/modules/stackset/variables.tf | 8 ++- modules/single/modules/trigger/trigger-aws.py | 4 +- modules/single/modules/trigger/trigger.tf | 3 +- modules/single/modules/trigger/variables.tf | 6 +++ modules/single/variables.tf | 6 +++ variables.tf | 12 ++--- 19 files changed, 126 insertions(+), 70 deletions(-) diff --git a/main.tf b/main.tf index e83b0ac..c119906 100644 --- a/main.tf +++ b/main.tf @@ -40,6 +40,7 @@ module "single" { custom_vpc_subnet_route_table1_name = var.custom_vpc_subnet_route_table1_name custom_vpc_subnet_route_table2_name = var.custom_vpc_subnet_route_table2_name custom_cspm_regions = var.custom_cspm_regions + volume_scanning_deployment = var.volume_scanning_deployment } module "organization" { @@ -70,5 +71,5 @@ module "organization" { custom_vpc_subnet_route_table1_name = var.custom_vpc_subnet_route_table1_name custom_vpc_subnet_route_table2_name = var.custom_vpc_subnet_route_table2_name custom_cspm_regions = var.custom_cspm_regions - volume_scanning_deployment = var.volume_scanning_deployment + volume_scanning_deployment = var.volume_scanning_deployment } 
diff --git a/modules/organization/main.tf b/modules/organization/main.tf index e9e4768..0f59d23 100644 --- a/modules/organization/main.tf +++ b/modules/organization/main.tf @@ -14,7 +14,7 @@ resource "aws_cloudformation_stack_set" "stack_set" { operation_preferences { failure_tolerance_percentage = 100 - region_concurrency_type = "PARALLEL" + region_concurrency_type = "PARALLEL" max_concurrent_percentage = 100 } diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf index 15f1994..87f7858 100644 --- a/modules/organization/variables.tf +++ b/modules/organization/variables.tf @@ -122,13 +122,13 @@ variable "custom_security_group_name" { } variable "custom_cspm_regions" { - description = "Custom CSPM regions" - type = string - default = "" + description = "Custom CSPM regions" + type = string + default = "" } variable "volume_scanning_deployment" { description = "Toggle to deploy Volume Scanning resources" - type = string - default = "true" + type = string + default = "true" } diff --git a/modules/single/main.tf b/modules/single/main.tf index 4372991..7e71ae6 100644 --- a/modules/single/main.tf +++ b/modules/single/main.tf @@ -7,6 +7,7 @@ module "kinesis" { aqua_volscan_api_token = var.aqua_volscan_api_token custom_bucket_name = var.custom_bucket_name custom_processor_lambda_role_name = var.custom_processor_lambda_role_name + create_vol_scan_resource = var.volume_scanning_deployment == "true" ? true : false } module "lambda" { @@ -25,9 +26,9 @@ module "lambda" { aqua_cspm_role_prefix = var.aqua_cspm_role_prefix custom_agentless_role_name = var.custom_agentless_role_name custom_cspm_role_name = var.custom_cspm_role_name - custom_cspm_regions = var.custom_cspm_regions + custom_cspm_regions = var.custom_cspm_regions + create_vol_scan_resource = var.volume_scanning_deployment == "true" ? true : false depends_on = [module.kinesis] - } module "stackset" { 
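Review bot: The expression `var.volume_scanning_deployment == "true" ? true : false` is repeated for each child module in modules/single/main.tf (the kinesis and lambda hunks here, and the stackset and trigger hunks that follow), and the `? true : false` is redundant on a comparison that is already a bool. Compute it once, `locals { create_vol_scan_resource = var.volume_scanning_deployment == "true" }`, and pass `create_vol_scan_resource = local.create_vol_scan_resource` to each module so the toggle semantics live in one place. Separately, `aqua_volscan_api_token` is still forwarded to the kinesis module whatever the toggle says; if that variable has no default at the root (not visible in this patch), a deployment with volume scanning disabled must still supply a secret it never uses, so a `default = ""` with `sensitive = true` on it would let callers omit the token.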
@@ -46,6 +47,7 @@ module "stackset" { custom_vpc_subnet2_name = var.custom_vpc_subnet2_name custom_security_group_name = var.custom_security_group_name event_bus_arn = module.kinesis.event_bus_arn + create_vol_scan_resource = var.volume_scanning_deployment == "true" ? true : false depends_on = [module.lambda] } @@ -64,5 +66,6 @@ module "trigger" { volscan_role_arn = module.lambda.agentless_role_arn volscan_external_id = module.lambda.volscan_external_id additional_tags = var.additional_tags + create_vol_scan_resource = var.volume_scanning_deployment == "true" ? true : false depends_on = [module.stackset] } diff --git a/modules/single/modules/kinesis/main.tf b/modules/single/modules/kinesis/main.tf index 686a500..8c22077 100644 --- a/modules/single/modules/kinesis/main.tf +++ b/modules/single/modules/kinesis/main.tf @@ -2,15 +2,17 @@ # Create Cloudwatch event bus resource "aws_cloudwatch_event_bus" "event_bus" { - name = "aqua-bus-${var.random_id}" + count = var.create_vol_scan_resource ? 1 : 0 + name = "aqua-bus-${var.random_id}" } # Create Cloudwatch event rule for EBS events resource "aws_cloudwatch_event_rule" "event_rule" { + count = var.create_vol_scan_resource ? 1 : 0 name = "aqua-autoconnect-event-rule-${var.random_id}" description = "Aqua EventBridge rule" - event_bus_name = aws_cloudwatch_event_bus.event_bus.name - role_arn = aws_iam_role.kinesis_stream_events_role.arn + event_bus_name = aws_cloudwatch_event_bus.event_bus[0].name + role_arn = aws_iam_role.kinesis_stream_events_role[0].arn event_pattern = jsonencode({ "detail" : { "event" : [ 
@@ -33,12 +35,14 @@ resource "aws_cloudwatch_event_rule" "event_rule" { # Create Kinesis Processor lambda Cloudwatch log group # trivy:ignore:AVD-AWS-0017 resource "aws_cloudwatch_log_group" "kinesis_processor_lambda_log_group" { + count = var.create_vol_scan_resource ? 1 : 0 name = "/aws/lambda/aqua-autoconnect-kinesis-processor-lambda-${var.random_id}" retention_in_days = 7 } # Create Kinesis Data Stream Events role resource "aws_iam_role" "kinesis_stream_events_role" { + count = var.create_vol_scan_resource ? 1 : 0 assume_role_policy = jsonencode({ "Version" : "2012-10-17", "Statement" : [ @@ -61,7 +65,7 @@ resource "aws_iam_role" "kinesis_stream_events_role" { "kinesis:PutRecord", "kinesis:PutRecords" ], - "Resource" : aws_kinesis_stream.kinesis_stream.arn, + "Resource" : aws_kinesis_stream.kinesis_stream[0].arn, "Effect" : "Allow" } ] @@ -73,6 +77,7 @@ resource "aws_iam_role" "kinesis_stream_events_role" { # Create Kinesis Firehose role #tfsec:ignore:aws-iam-no-policy-wildcards resource "aws_iam_role" "kinesis_firehose_role" { + count = var.create_vol_scan_resource ? 1 : 0 assume_role_policy = jsonencode({ "Version" : "2012-10-17", "Statement" : [ @@ -98,7 +103,7 @@ resource "aws_iam_role" "kinesis_firehose_role" { "kinesis:GetShardIterator", "kinesis:ListShards" ], - "Resource" : aws_kinesis_stream.kinesis_stream.arn, + "Resource" : aws_kinesis_stream.kinesis_stream[0].arn, "Effect" : "Allow", "Sid" : "kinesisStreamPermissions" }, @@ -107,7 +112,7 @@ resource "aws_iam_role" "kinesis_firehose_role" { "lambda:GetFunctionConfiguration", "lambda:InvokeFunction" ], - "Resource" : aws_kinesis_stream.kinesis_stream.arn, + "Resource" : aws_kinesis_stream.kinesis_stream[0].arn, "Effect" : "Allow", "Sid" : "lambdaPermissions" }, 
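Review bot: In the `kinesis_firehose_role` policy, the statement with Sid `lambdaPermissions` grants `lambda:GetFunctionConfiguration` and `lambda:InvokeFunction` on `aws_kinesis_stream.kinesis_stream[0].arn`; a Kinesis stream ARN can never match a Lambda function, so unless another statement outside this hunk grants those actions more broadly, Firehose has no effective permission to call the processor. The resource should be the function the delivery stream's `processors` block actually points at, `"Resource" : aws_lambda_function.kinesis_processor_lambda[0].arn,` (qualified with the version or alias if one is ever configured on the processor). The mismatch predates this patch, but the line is touched here and the fix keeps the policy least-privilege rather than widening it. The role definition continues outside this hunk.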
@@ -120,8 +125,8 @@ resource "aws_iam_role" "kinesis_firehose_role" { "s3:PutObject" ], "Resource" : [ - aws_s3_bucket.kinesis_firehose_bucket.arn, - "${aws_s3_bucket.kinesis_firehose_bucket.arn}/*" + aws_s3_bucket.kinesis_firehose_bucket[0].arn, + "${aws_s3_bucket.kinesis_firehose_bucket[0].arn}/*" ], "Effect" : "Allow", "Sid" : "s3Permissions" @@ -134,6 +139,7 @@ resource "aws_iam_role" "kinesis_firehose_role" { # Create Kinesis Processor lambda execution role resource "aws_iam_role" "processor_lambda_execution_role" { + count = var.create_vol_scan_resource ? 1 : 0 assume_role_policy = jsonencode({ "Version" : "2012-10-17", "Statement" : [ @@ -169,12 +175,14 @@ resource "aws_iam_role" "processor_lambda_execution_role" { # trivy:ignore:AVD-AWS-0090 # trivy:ignore:AVD-AWS-0089 resource "aws_s3_bucket" "kinesis_firehose_bucket" { + count = var.create_vol_scan_resource ? 1 : 0 bucket = var.custom_bucket_name == "" ? "aqua-autoconnect-kinesis-firehose-bucket-${var.random_id}" : var.custom_bucket_name } # Create Kinesis Firehose S3 bucket lifecycle configuration resource "aws_s3_bucket_lifecycle_configuration" "kinesis_firehose_bucket" { - bucket = aws_s3_bucket.kinesis_firehose_bucket.bucket + count = var.create_vol_scan_resource ? 1 : 0 + bucket = aws_s3_bucket.kinesis_firehose_bucket[0].bucket rule { expiration { days = 7 @@ -187,7 +195,8 @@ resource "aws_s3_bucket_lifecycle_configuration" "kinesis_firehose_bucket" { # Create Kinesis Firehose S3 bucket public access block resource "aws_s3_bucket_public_access_block" "kinesis_firehose_bucket" { - bucket = aws_s3_bucket.kinesis_firehose_bucket.bucket + count = var.create_vol_scan_resource ? 1 : 0 + bucket = aws_s3_bucket.kinesis_firehose_bucket[0].bucket block_public_acls = true block_public_policy = true ignore_public_acls = true 
@@ -197,7 +206,8 @@ resource "aws_s3_bucket_public_access_block" "kinesis_firehose_bucket" { # Create Kinesis Firehose S3 bucket SSE configuration # trivy:ignore:AVD-AWS-0132 resource "aws_s3_bucket_server_side_encryption_configuration" "kinesis_firehose_bucket" { - bucket = aws_s3_bucket.kinesis_firehose_bucket.bucket + count = var.create_vol_scan_resource ? 1 : 0 + bucket = aws_s3_bucket.kinesis_firehose_bucket[0].bucket rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" @@ -209,11 +219,12 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "kinesis_firehose_ # Create Kinesis Processor lambda function # trivy:ignore:AVD-AWS-0066 resource "aws_lambda_function" "kinesis_processor_lambda" { + count = var.create_vol_scan_resource ? 1 : 0 architectures = ["x86_64"] description = "Aqua Kinesis Firehose Processor Lambda" function_name = "aqua-autoconnect-kinesis-processor-lambda-function-${var.random_id}" handler = "index.handler" - role = aws_iam_role.processor_lambda_execution_role.arn + role = aws_iam_role.processor_lambda_execution_role[0].arn runtime = "python3.12" timeout = 900 filename = data.archive_file.kinesis_processor_function.output_path @@ -225,6 +236,7 @@ resource "aws_lambda_function" "kinesis_processor_lambda" { # Create Kinesis Stream resource "aws_kinesis_stream" "kinesis_stream" { + count = var.create_vol_scan_resource ? 1 : 0 encryption_type = "KMS" kms_key_id = "alias/aws/kinesis" name = "aqua-autoconnect-kinesis-datastream-${var.random_id}" @@ -233,6 +245,7 @@ resource "aws_kinesis_stream" "kinesis_stream" { # Create Kinesis Firehose Delivery Stream resource "aws_kinesis_firehose_delivery_stream" "kinesis_firehose" { + count = var.create_vol_scan_resource ? 1 : 0 destination = "http_endpoint" http_endpoint_configuration { access_key = var.aqua_volscan_api_token 
@@ -244,21 +257,21 @@ resource "aws_kinesis_firehose_delivery_stream" "kinesis_firehose" { processors { parameters { parameter_name = "LambdaArn" - parameter_value = aws_lambda_function.kinesis_processor_lambda.arn + parameter_value = aws_lambda_function.kinesis_processor_lambda[0].arn } type = "Lambda" } } - role_arn = aws_iam_role.kinesis_firehose_role.arn + role_arn = aws_iam_role.kinesis_firehose_role[0].arn url = var.aqua_volscan_api_url s3_configuration { - bucket_arn = aws_s3_bucket.kinesis_firehose_bucket.arn - role_arn = aws_iam_role.kinesis_firehose_role.arn + bucket_arn = aws_s3_bucket.kinesis_firehose_bucket[0].arn + role_arn = aws_iam_role.kinesis_firehose_role[0].arn } } kinesis_source_configuration { - kinesis_stream_arn = aws_kinesis_stream.kinesis_stream.arn - role_arn = aws_iam_role.kinesis_firehose_role.arn + kinesis_stream_arn = aws_kinesis_stream.kinesis_stream[0].arn + role_arn = aws_iam_role.kinesis_firehose_role[0].arn } name = "aqua-autoconnect-kinesis-firehose-${var.random_id}" } diff --git a/modules/single/modules/kinesis/outputs.tf b/modules/single/modules/kinesis/outputs.tf index 7920c6f..5f5fb68 100644 --- a/modules/single/modules/kinesis/outputs.tf +++ b/modules/single/modules/kinesis/outputs.tf 
@@ -2,50 +2,50 @@ output "event_bus_arn" { description = "Cloudwatch Event Bus ARN" - value = aws_cloudwatch_event_bus.event_bus.arn + value = try(aws_cloudwatch_event_bus.event_bus[0].arn, "") } output "event_rule_arn" { description = "Cloudwatch Event Rule ARN" - value = aws_cloudwatch_event_rule.event_rule.arn + value = try(aws_cloudwatch_event_rule.event_rule[0].arn, "") } output "kinesis_processor_lambda_log_group_name" { description = "Kinesis Processor Lambda Cloudwatch Log Group Name" - value = aws_cloudwatch_log_group.kinesis_processor_lambda_log_group.name + value = try(aws_cloudwatch_log_group.kinesis_processor_lambda_log_group[0].name, "") } output "kinesis_stream_events_role_arn" { description = "Kinesis Stream Events Role ARN" - value = aws_iam_role.kinesis_stream_events_role.arn + value = try(aws_iam_role.kinesis_stream_events_role[0].arn, "") } output "kinesis_firehose_role_arn" { description = "Kinesis Firehose Role ARN" - value = aws_iam_role.kinesis_firehose_role.arn + value = try(aws_iam_role.kinesis_firehose_role[0].arn, "") } output "kinesis_processor_lambda_execution_role_arn" { description = "Kinesis Processor Lambda Execution Role ARN" - value = aws_iam_role.processor_lambda_execution_role.arn + value = try(aws_iam_role.processor_lambda_execution_role[0].arn, "") } output "kinesis_firehose_bucket_name" { description = "Kinesis Firehose S3 Bucket Name" - value = aws_s3_bucket.kinesis_firehose_bucket.bucket + value = try(aws_s3_bucket.kinesis_firehose_bucket[0].bucket, "") } output "kinesis_processor_lambda_function_arn" { description = "Kinesis Processor Lambda Function ARN" - value = aws_lambda_function.kinesis_processor_lambda.arn + value = try(aws_lambda_function.kinesis_processor_lambda[0].arn, "") } output "kinesis_stream_arn" { description = "Kinesis Stream ARN" - value = aws_kinesis_stream.kinesis_stream.arn + value = try(aws_kinesis_stream.kinesis_stream[0].arn, "") } output "kinesis_firehose_delivery_stream_arn" { description = 
"Kinesis Firehose Delivery Stream ARN" - value = aws_kinesis_firehose_delivery_stream.kinesis_firehose.arn + value = try(aws_kinesis_firehose_delivery_stream.kinesis_firehose[0].arn, "") } diff --git a/modules/single/modules/kinesis/variables.tf b/modules/single/modules/kinesis/variables.tf index 86fc0d3..50e21ff 100644 --- a/modules/single/modules/kinesis/variables.tf +++ b/modules/single/modules/kinesis/variables.tf @@ -23,4 +23,10 @@ variable "custom_bucket_name" { variable "custom_processor_lambda_role_name" { description = "Custom Processor lambda role Name" type = string -} \ No newline at end of file +} + +variable "create_vol_scan_resource" { + description = "Create Volume Scanning Resource" + type = bool + default = true +} diff --git a/modules/single/modules/lambda/locals.tf b/modules/single/modules/lambda/locals.tf index 2593e98..de151d0 100644 --- a/modules/single/modules/lambda/locals.tf +++ b/modules/single/modules/lambda/locals.tf @@ -3,6 +3,6 @@ locals { # Decode the results of Lambda function invocations cspm_external_id = jsondecode(aws_lambda_invocation.generate_cspm_external_id_function.result)["ExternalId"] - volscan_external_id = jsondecode(aws_lambda_invocation.generate_volscan_external_id_function.result)["ExternalId"] + volscan_external_id = try(jsondecode(aws_lambda_invocation.generate_volscan_external_id_function[0].result)["ExternalId"], "") is_already_cspm_client = jsondecode(aws_lambda_invocation.create_cspm_key_function.result)["IsAlreadyCSPMClient"] } diff --git a/modules/single/modules/lambda/main.tf b/modules/single/modules/lambda/main.tf index 10651f6..a190346 100644 --- a/modules/single/modules/lambda/main.tf +++ b/modules/single/modules/lambda/main.tf 
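Review bot: Every output in this file is now `try(<expr>, "")`, which swallows any evaluation error in `<expr>`, not only the index error that `count = 0` produces — a mistyped attribute name would plan cleanly and emit "" instead of failing. Gating on the toggle keeps the "" contract for consumers such as the stackset module's `event_bus_arn` string variable while still surfacing real errors: `value = var.create_vol_scan_resource ? aws_cloudwatch_event_bus.event_bus[0].arn : ""`. The same pattern is used in modules/single/modules/lambda/outputs.tf (`agentless_role_arn`) and throughout modules/single/modules/stackset/outputs.tf.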
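Review bot: The `try()` around the decode of `volscan_external_id` masks more than the count-is-zero case: if the invocation does run but its `result` has no `ExternalId` key (for example an error payload from the function), the local silently becomes "" instead of failing the plan, and that empty value then flows to the trigger module as `volscan_external_id` and, presumably, into the agentless role's trust condition. Gate on the toggle so the decode still fails hard whenever the resource exists: `volscan_external_id = var.create_vol_scan_resource ? jsondecode(aws_lambda_invocation.generate_volscan_external_id_function[0].result)["ExternalId"] : ""`. The `locals` block starts before this hunk.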
@@ -38,6 +38,7 @@ resource "aws_iam_role" "cspm_lambda_execution_role" { # Create generate Volume Scan external id lambda function resource "aws_lambda_function" "generate_volscan_external_id_function" { + count = var.create_vol_scan_resource ? 1 : 0 architectures = ["x86_64"] description = "Generate Volume Scanning External ID" function_name = "aqua-autoconnect-generate-volscan-external-id-function-${var.random_id}" @@ -54,7 +55,8 @@ resource "aws_lambda_function" "generate_volscan_external_id_function" { # Invoking generate Volume Scan external id lambda function resource "aws_lambda_invocation" "generate_volscan_external_id_function" { - function_name = aws_lambda_function.generate_volscan_external_id_function.function_name + count = var.create_vol_scan_resource ? 1 : 0 + function_name = aws_lambda_function.generate_volscan_external_id_function[0].function_name input = jsonencode({ ApiUrl = var.aqua_cspm_url AutoConnectApiUrl = var.aqua_autoconnect_url @@ -100,6 +102,7 @@ resource "aws_lambda_invocation" "generate_cspm_external_id_function" { # Create Agentless role # trivy:ignore:AVD-AWS-0057 resource "aws_iam_role" "agentless_role" { + count = var.create_vol_scan_resource ? 1 : 0 assume_role_policy = jsonencode({ "Version" : "2012-10-17", "Statement" : [ 
@@ -462,13 +465,13 @@ resource "aws_lambda_function" "create_cspm_key_function" { resource "aws_lambda_invocation" "create_cspm_key_function" { function_name = aws_lambda_function.create_cspm_key_function.function_name input = jsonencode({ - ApiUrl = var.aqua_cspm_url - AquaApiKey = var.aqua_api_key - AquaSecretKey = var.aqua_api_secret - RoleArn = aws_iam_role.cspm_role.arn - ExternalId = local.cspm_external_id - AccountId = tostring(var.aws_account_id) - GroupId = var.aqua_cspm_group_id + ApiUrl = var.aqua_cspm_url + AquaApiKey = var.aqua_api_key + AquaSecretKey = var.aqua_api_secret + RoleArn = aws_iam_role.cspm_role.arn + ExternalId = local.cspm_external_id + AccountId = tostring(var.aws_account_id) + GroupId = var.aqua_cspm_group_id CustomCSPMRegions = var.custom_cspm_regions }) triggers = { diff --git a/modules/single/modules/lambda/outputs.tf b/modules/single/modules/lambda/outputs.tf index eec79be..a873a07 100644 --- a/modules/single/modules/lambda/outputs.tf +++ b/modules/single/modules/lambda/outputs.tf @@ -27,5 +27,5 @@ output "cspm_role_arn" { output "agentless_role_arn" { description = "The ARN of the IAM role created for the Agentless Volume Scanning" - value = aws_iam_role.agentless_role.arn + value = try(aws_iam_role.agentless_role[0].arn, "") } diff --git a/modules/single/modules/lambda/variables.tf b/modules/single/modules/lambda/variables.tf index fc4197c..dd6395c 100644 --- a/modules/single/modules/lambda/variables.tf +++ b/modules/single/modules/lambda/variables.tf @@ -76,3 +76,9 @@ variable "custom_cspm_regions" { description = "Custom CSPM regions" type = string } + +variable "create_vol_scan_resource" { + description = "Create Volume Scanning Resource" + type = bool + default = true +} diff --git a/modules/single/modules/stackset/main.tf b/modules/single/modules/stackset/main.tf index 19a4b92..b54d495 100644 --- a/modules/single/modules/stackset/main.tf +++ b/modules/single/modules/stackset/main.tf 
@@ -2,6 +2,7 @@ # Create Stackset admin role resource "aws_iam_role" "stackset_admin_role" { + count = var.create_vol_scan_resource ? 1 : 0 assume_role_policy = jsonencode({ "Version" : "2012-10-17", "Statement" : [ @@ -41,13 +42,14 @@ resource "aws_iam_role" "stackset_admin_role" { # Create Stackset execution role # trivy:ignore:AVD-AWS-0057 resource "aws_iam_role" "stackset_execution_role" { + count = var.create_vol_scan_resource ? 1 : 0 assume_role_policy = jsonencode({ "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Principal" : { - "AWS" : aws_iam_role.stackset_admin_role.arn + "AWS" : aws_iam_role.stackset_admin_role[0].arn }, "Action" : "sts:AssumeRole" } @@ -121,12 +123,13 @@ resource "aws_iam_role" "stackset_execution_role" { # Create Cloudformation stackset resource "aws_cloudformation_stack_set" "stack_set" { + count = var.create_vol_scan_resource ? 1 : 0 name = "aqua-autoconnect-stackset-${var.random_id}" description = "Aqua Agentless StackSet" permission_model = "SELF_MANAGED" capabilities = ["CAPABILITY_IAM"] - administration_role_arn = aws_iam_role.stackset_admin_role.arn - execution_role_name = aws_iam_role.stackset_execution_role.name + administration_role_arn = aws_iam_role.stackset_admin_role[0].arn + execution_role_name = aws_iam_role.stackset_execution_role[0].name template_url = "https://${var.aqua_bucket_name}.s3.amazonaws.com/volume-scanning-api-key-cfn-stackset.json" operation_preferences { region_concurrency_type = "PARALLEL" 
@@ -147,8 +150,8 @@ resource "aws_cloudformation_stack_set" "stack_set" { # Create Cloudformation stackset instance for each enabled region specified resource "aws_cloudformation_stack_set_instance" "stack_set_instance" { - for_each = toset(var.enabled_regions) - stack_set_name = aws_cloudformation_stack_set.stack_set.name + for_each = var.create_vol_scan_resource ? toset(var.enabled_regions) : toset([]) + stack_set_name = aws_cloudformation_stack_set.stack_set[0].name account_id = var.aws_account_id region = each.value -} \ No newline at end of file +} diff --git a/modules/single/modules/stackset/outputs.tf b/modules/single/modules/stackset/outputs.tf index 9b076f4..d280098 100644 --- a/modules/single/modules/stackset/outputs.tf +++ b/modules/single/modules/stackset/outputs.tf 
@@ -2,30 +2,30 @@ output "stack_set_name" { description = "Name of the CloudFormation StackSet" - value = aws_cloudformation_stack_set.stack_set.name + value = try(aws_cloudformation_stack_set.stack_set[0].name, "") } output "stack_set_admin_role_arn" { description = "ARN of the StackSet admin role" - value = aws_iam_role.stackset_admin_role.arn + value = try(aws_iam_role.stackset_admin_role[0].arn, "") } output "stack_set_admin_role_name" { description = "Name of the StackSet admin role" - value = aws_iam_role.stackset_admin_role.name + value = try(aws_iam_role.stackset_admin_role[0].name, "") } output "stack_set_execution_role_arn" { description = "ARN of the StackSet execution role" - value = aws_iam_role.stackset_execution_role.arn + value = try(aws_iam_role.stackset_execution_role[0].arn, "") } output "stack_set_execution_role_name" { description = "Name of the StackSet execution role" - value = aws_iam_role.stackset_execution_role.name + value = try(aws_iam_role.stackset_execution_role[0].name, "") } output "stack_set_template_url" { description = "URL of the CloudFormation template used by the StackSet" - value = aws_cloudformation_stack_set.stack_set.template_url -} \ No newline at end of file + value = try(aws_cloudformation_stack_set.stack_set[0].template_url, "") +} diff --git a/modules/single/modules/stackset/variables.tf b/modules/single/modules/stackset/variables.tf index e9642de..7611d6d 100644 --- a/modules/single/modules/stackset/variables.tf +++ b/modules/single/modules/stackset/variables.tf @@ -68,4 +68,10 @@ variable "custom_security_group_name" { variable "event_bus_arn" { description = "Cloudwatch Event Bus ARN" type = string -} \ No newline at end of file +} + +variable "create_vol_scan_resource" { + description = "Create Volume Scanning Resource" + type = bool + default = true +} diff --git a/modules/single/modules/trigger/trigger-aws.py b/modules/single/modules/trigger/trigger-aws.py index 310278a..ab49619 100644 
--- a/modules/single/modules/trigger/trigger-aws.py +++ b/modules/single/modules/trigger/trigger-aws.py @@ -21,6 +21,7 @@ region = query.get('region') additional_resource_tags = query.get('additional_tags') aws_account_id = query.get('aws_account_id') +volume_scanning_deployment = query.get('volume_scanning_deployment') tstmp = str(int(time.time() * 1000)) @@ -100,6 +101,7 @@ def trigger_discovery(): "is_already_cspm_client": is_already_cspm_client, "deployment_method": "Terraform", "additional_resource_tags": additional_resource_tags, + "volume_scanning_deployment": volume_scanning_deployment, "payload": { "cspm": { "role_arn": cspm_role_arn, @@ -191,4 +193,4 @@ def main(): if __name__ == "__main__": - main() \ No newline at end of file + main() diff --git a/modules/single/modules/trigger/trigger.tf b/modules/single/modules/trigger/trigger.tf index c48b347..904502d 100644 --- a/modules/single/modules/trigger/trigger.tf +++ b/modules/single/modules/trigger/trigger.tf @@ -17,6 +17,7 @@ data "external" "aws_onboarding" { volume_scanning_role_arn = var.volscan_role_arn volume_scanning_external_id = var.volscan_external_id region = var.region + volume_scanning_deployment = var.create_vol_scan_resource ? "true" : "false" additional_tags = join(",", [for key, value in var.additional_tags : "${key}:${value}"]) } -} \ No newline at end of file +} diff --git a/modules/single/modules/trigger/variables.tf b/modules/single/modules/trigger/variables.tf index db8483a..4dc466b 100644 --- a/modules/single/modules/trigger/variables.tf +++ b/modules/single/modules/trigger/variables.tf @@ -66,3 +66,9 @@ variable "additional_tags" { description = "Additional tags to be sent to the Autoconnect API" type = map(string) } + +variable "create_vol_scan_resource" { + description = "Create Volume Scanning Resource" + type = bool + default = true +} diff --git a/modules/single/variables.tf b/modules/single/variables.tf index 1546ccc..2444de8 100644 --- a/modules/single/variables.tf 
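Review bot: `query.get('volume_scanning_deployment')` returns None when the key is absent, and None is serialized as JSON `null` in the `trigger_discovery` payload rather than one of the "true"/"false" strings trigger.tf sends, so the backend would receive a third state for a two-valued flag. The sibling fields use the same unguarded pattern, but this one is a flag the service will presumably branch on; an explicit fallback, `volume_scanning_deployment = query.get('volume_scanning_deployment', 'false')`, makes the missing-key case deterministic and conservative. Whether the API expects a string or a boolean is not visible here; if it wants a bool, convert once at this line with `== 'true'` rather than downstream. `trigger_discovery` starts and ends outside this hunk.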
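Review bot: Style only: `var.create_vol_scan_resource ? "true" : "false"` can be written `volume_scanning_deployment = tostring(var.create_vol_scan_resource)`, which yields the same "true"/"false" strings the external program reads and keeps the `query` map all-string as the `external` data source requires. When the toggle is off, `volume_scanning_role_arn` and `volume_scanning_external_id` are also sent as "" on the lines above; a comment noting that the consumer treats empty values as "not deployed" would save the next reader a trip to the API.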
+++ b/modules/single/variables.tf @@ -154,3 +154,9 @@ variable "custom_cspm_regions" { description = "Custom CSPM regions" type = string } + +variable "volume_scanning_deployment" { + description = "Toggle to deploy volume scanning resources" + type = string + default = "true" +} diff --git a/variables.tf b/variables.tf index 04d18e4..5ebae28 100644 --- a/variables.tf +++ b/variables.tf @@ -395,13 +395,13 @@ variable "custom_security_group_name" { } variable "custom_cspm_regions" { - description = "Custom CSPM regions" - type = string - default = "" + description = "Custom CSPM regions" + type = string + default = "" } variable "volume_scanning_deployment" { - description = "Toggle to deploy Volume Scanning resources" - type = string - default = "true" + description = "Toggle to deploy Volume Scanning resources" + type = string + default = "true" } From 03652aa95e52731c11b6514177d62fb402c4cb7e Mon Sep 17 00:00:00 2001 From: Noam Shraga Date: Wed, 2 Jul 2025 18:36:20 +0300 Subject: [PATCH 2/3] PR comment Resolves: SAAS-29539 --- modules/single/modules/lambda/main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/single/modules/lambda/main.tf b/modules/single/modules/lambda/main.tf index a190346..d7a1cf6 100644 --- a/modules/single/modules/lambda/main.tf +++ b/modules/single/modules/lambda/main.tf @@ -96,7 +96,6 @@ resource "aws_lambda_invocation" "generate_cspm_external_id_function" { triggers = { always_run = timestamp() } - depends_on = [aws_lambda_invocation.generate_volscan_external_id_function] } # Create Agentless role From 2761b5b8e9e89e60b43924ab4e13f39a93bed2e0 Mon Sep 17 00:00:00 2001 From: Noam Shraga Date: Thu, 3 Jul 2025 12:15:31 +0300 Subject: [PATCH 3/3] PR comment Resolves: SAAS-29539 --- modules/single/modules/lambda/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/single/modules/lambda/main.tf b/modules/single/modules/lambda/main.tf index d7a1cf6..3756e2f 100644 --- a/modules/single/modules/lambda/main.tf 
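Review bot: `volume_scanning_deployment` is declared `type = string` with default "true" but is consumed only by an exact `== "true"` comparison in modules/single/main.tf, so any other spelling ("True", "yes", "1") silently disables volume scanning with no plan-time signal. The least invasive fix is a `validation` block on this variable with `condition = contains(["true", "false"], var.volume_scanning_deployment)` and an `error_message` naming the two accepted values; declaring it `type = bool` would be cleaner but also touches the organization module, which takes the same string. The root `variables.tf` declaration on this line is where user input enters and should carry the same validation.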
+++ b/modules/single/modules/lambda/main.tf @@ -189,7 +189,7 @@ resource "aws_iam_role" "agentless_role" { }) } name = var.custom_agentless_role_name == "" ? "aqua-agentless-role-${var.random_id}" : var.custom_agentless_role_name - depends_on = [aws_lambda_invocation.generate_volscan_external_id_function] + depends_on = [aws_lambda_invocation.generate_volscan_external_id_function[0]] } # Create CSPM role