Allow bucket and dynamodb to be optional (#95)

nitrocode · cloudpossebot · web-flow · commit 3ffcb0f78b1a · 2021-08-10T23:40:49.000-04:00
* Add bucket and dynamodb enabled vars

* Add bucket and dynamodb enabled logic

* Auto Format

* Update variables.tf

* Auto Format

* Add empty list to avoid coalescelist error

* Allow tests to pass in enabled vars

Co-authored-by: cloudpossebot &lt;11232728+cloudpossebot@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -297,8 +297,10 @@ Available targets:
 | <a name="input_billing_mode"></a> [billing\_mode](#input\_billing\_mode) | DynamoDB billing mode | `string` | `"PROVISIONED"` | no |
 | <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for this bucket | `bool` | `true` | no |
 | <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for this bucket | `bool` | `true` | no |
+| <a name="input_bucket_enabled"></a> [bucket\_enabled](#input\_bucket\_enabled) | Whether to create the s3 bucket. | `bool` | `true` | no |
 | <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br>  "additional_tag_map": {},<br>  "attributes": [],<br>  "delimiter": null,<br>  "enabled": true,<br>  "environment": null,<br>  "id_length_limit": null,<br>  "label_key_case": null,<br>  "label_order": [],<br>  "label_value_case": null,<br>  "name": null,<br>  "namespace": null,<br>  "regex_replace_chars": null,<br>  "stage": null,<br>  "tags": {}<br>}</pre> | no |
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
+| <a name="input_dynamodb_enabled"></a> [dynamodb\_enabled](#input\_dynamodb\_enabled) | Whether to create the dynamodb table. | `bool` | `true` | no |
 | <a name="input_enable_point_in_time_recovery"></a> [enable\_point\_in\_time\_recovery](#input\_enable\_point\_in\_time\_recovery) | Enable DynamoDB point-in-time recovery | `bool` | `true` | no |
 | <a name="input_enable_public_access_block"></a> [enable\_public\_access\_block](#input\_enable\_public\_access\_block) | Enable Bucket Public Access Block | `bool` | `true` | no |
 | <a name="input_enable_server_side_encryption"></a> [enable\_server\_side\_encryption](#input\_enable\_server\_side\_encryption) | Enable DynamoDB server-side encryption | `bool` | `true` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -52,8 +52,10 @@
 | <a name="input_billing_mode"></a> [billing\_mode](#input\_billing\_mode) | DynamoDB billing mode | `string` | `"PROVISIONED"` | no |
 | <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for this bucket | `bool` | `true` | no |
 | <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for this bucket | `bool` | `true` | no |
+| <a name="input_bucket_enabled"></a> [bucket\_enabled](#input\_bucket\_enabled) | Whether to create the s3 bucket. | `bool` | `true` | no |
 | <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br>  "additional_tag_map": {},<br>  "attributes": [],<br>  "delimiter": null,<br>  "enabled": true,<br>  "environment": null,<br>  "id_length_limit": null,<br>  "label_key_case": null,<br>  "label_order": [],<br>  "label_value_case": null,<br>  "name": null,<br>  "namespace": null,<br>  "regex_replace_chars": null,<br>  "stage": null,<br>  "tags": {}<br>}</pre> | no |
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
+| <a name="input_dynamodb_enabled"></a> [dynamodb\_enabled](#input\_dynamodb\_enabled) | Whether to create the dynamodb table. | `bool` | `true` | no |
 | <a name="input_enable_point_in_time_recovery"></a> [enable\_point\_in\_time\_recovery](#input\_enable\_point\_in\_time\_recovery) | Enable DynamoDB point-in-time recovery | `bool` | `true` | no |
 | <a name="input_enable_public_access_block"></a> [enable\_public\_access\_block](#input\_enable\_public\_access\_block) | Enable Bucket Public Access Block | `bool` | `true` | no |
 | <a name="input_enable_server_side_encryption"></a> [enable\_server\_side\_encryption](#input\_enable\_server\_side\_encryption) | Enable DynamoDB server-side encryption | `bool` | `true` | no |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -7,5 +7,8 @@ module "tfstate_backend" {
 
   force_destroy = true
 
+  bucket_enabled   = var.bucket_enabled
+  dynamodb_enabled = var.dynamodb_enabled
+
   context = module.this.context
 }
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
@@ -1,3 +1,170 @@
 variable "region" {
   type = string
 }
+
+variable "arn_format" {
+  type        = string
+  default     = "arn:aws"
+  description = "ARN format to be used. May be changed to support deployment in GovCloud/China regions."
+}
+
+variable "acl" {
+  type        = string
+  description = "The canned ACL to apply to the S3 bucket"
+  default     = "private"
+}
+
+variable "billing_mode" {
+  default     = "PROVISIONED"
+  description = "DynamoDB billing mode"
+}
+
+variable "read_capacity" {
+  default     = 5
+  description = "DynamoDB read capacity units"
+}
+
+variable "write_capacity" {
+  default     = 5
+  description = "DynamoDB write capacity units"
+}
+
+variable "force_destroy" {
+  type        = bool
+  description = "A boolean that indicates the S3 bucket can be destroyed even if it contains objects. These objects are not recoverable"
+  default     = false
+}
+
+variable "mfa_delete" {
+  type        = bool
+  description = "A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 )"
+  default     = false
+}
+
+variable "enable_point_in_time_recovery" {
+  type        = bool
+  description = "Enable DynamoDB point-in-time recovery"
+  default     = true
+}
+
+variable "enable_server_side_encryption" {
+  type        = bool
+  description = "Enable DynamoDB server-side encryption"
+  default     = true
+}
+
+variable "enable_public_access_block" {
+  type        = bool
+  description = "Enable Bucket Public Access Block"
+  default     = true
+}
+
+variable "block_public_acls" {
+  type        = bool
+  description = "Whether Amazon S3 should block public ACLs for this bucket"
+  default     = true
+}
+
+variable "ignore_public_acls" {
+  type        = bool
+  description = "Whether Amazon S3 should ignore public ACLs for this bucket"
+  default     = true
+}
+
+variable "block_public_policy" {
+  description = "Whether Amazon S3 should block public bucket policies for this bucket"
+  default     = true
+}
+
+variable "restrict_public_buckets" {
+  type        = bool
+  description = "Whether Amazon S3 should restrict public bucket policies for this bucket"
+  default     = true
+}
+
+variable "prevent_unencrypted_uploads" {
+  type        = bool
+  default     = true
+  description = "Prevent uploads of unencrypted objects to S3"
+}
+
+variable "profile" {
+  type        = string
+  default     = ""
+  description = "AWS profile name as set in the shared credentials file"
+}
+
+variable "role_arn" {
+  type        = string
+  default     = ""
+  description = "The role to be assumed"
+}
+
+variable "terraform_backend_config_file_name" {
+  type        = string
+  default     = "terraform.tf"
+  description = "Name of terraform backend config file"
+}
+
+variable "terraform_backend_config_file_path" {
+  type        = string
+  default     = ""
+  description = "Directory for the terraform backend config file, usually `.`. The default is to create no file."
+}
+
+variable "terraform_backend_config_template_file" {
+  type        = string
+  default     = ""
+  description = "The path to the template used to generate the config file"
+}
+
+variable "terraform_version" {
+  type        = string
+  default     = "0.12.2"
+  description = "The minimum required terraform version"
+}
+
+variable "terraform_state_file" {
+  type        = string
+  default     = "terraform.tfstate"
+  description = "The path to the state file inside the bucket"
+}
+
+variable "s3_bucket_name" {
+  type        = string
+  default     = ""
+  description = "S3 bucket name. If not provided, the name will be generated by the label module in the format namespace-stage-name"
+}
+
+variable "s3_replication_enabled" {
+  type        = bool
+  default     = false
+  description = "Set this to true and specify `s3_replica_bucket_arn` to enable replication"
+}
+
+variable "s3_replica_bucket_arn" {
+  type        = string
+  default     = ""
+  description = "The ARN of the S3 replica bucket (destination)"
+}
+
+variable "logging" {
+  type = object({
+    bucket_name = string
+    prefix      = string
+  })
+  default     = null
+  description = "Bucket access logging configuration."
+}
+
+variable "bucket_enabled" {
+  type        = bool
+  default     = true
+  description = "Whether to create the s3 bucket."
+}
+
+variable "dynamodb_enabled" {
+  type        = bool
+  default     = true
+  description = "Whether to create the dynamodb table."
+}
diff --git a/main.tf b/main.tf
@@ -1,6 +1,9 @@
 locals {
   enabled = module.this.enabled
 
+  bucket_enabled   = local.enabled && var.bucket_enabled
+  dynamodb_enabled = local.enabled && var.dynamodb_enabled
+
   prevent_unencrypted_uploads = local.enabled && var.prevent_unencrypted_uploads && var.enable_server_side_encryption
 
   policy = local.prevent_unencrypted_uploads ? join(
@@ -105,7 +108,7 @@ data "aws_iam_policy_document" "prevent_unencrypted_uploads" {
 }
 
 resource "aws_s3_bucket" "default" {
-  count = local.enabled ? 1 : 0
+  count = local.bucket_enabled ? 1 : 0
 
   #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until Bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
   #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` check due to issues operating with `mfa_delete` in terraform
@@ -157,7 +160,7 @@ resource "aws_s3_bucket" "default" {
 }
 
 resource "aws_s3_bucket_public_access_block" "default" {
-  count                   = local.enabled && var.enable_public_access_block ? 1 : 0
+  count                   = local.bucket_enabled && var.enable_public_access_block ? 1 : 0
   bucket                  = join("", aws_s3_bucket.default.*.id)
   block_public_acls       = var.block_public_acls
   ignore_public_acls      = var.ignore_public_acls
@@ -170,10 +173,11 @@ module "dynamodb_table_label" {
   version    = "0.22.0"
   attributes = compact(concat(var.attributes, ["lock"]))
   context    = module.this.context
+  enabled    = local.dynamodb_enabled
 }
 
 resource "aws_dynamodb_table" "with_server_side_encryption" {
-  count          = local.enabled && var.enable_server_side_encryption ? 1 : 0
+  count          = local.dynamodb_enabled && var.enable_server_side_encryption ? 1 : 0
   name           = module.dynamodb_table_label.id
   billing_mode   = var.billing_mode
   read_capacity  = var.billing_mode == "PROVISIONED" ? var.read_capacity : null
@@ -207,7 +211,7 @@ resource "aws_dynamodb_table" "with_server_side_encryption" {
 }
 
 resource "aws_dynamodb_table" "without_server_side_encryption" {
-  count          = local.enabled && ! var.enable_server_side_encryption ? 1 : 0
+  count          = local.dynamodb_enabled && ! var.enable_server_side_encryption ? 1 : 0
   name           = module.dynamodb_table_label.id
   billing_mode   = var.billing_mode
   read_capacity  = var.billing_mode == "PROVISIONED" ? var.read_capacity : null
@@ -250,7 +254,8 @@ data "template_file" "terraform_backend_config" {
     dynamodb_table = element(
       coalescelist(
         aws_dynamodb_table.with_server_side_encryption.*.name,
-        aws_dynamodb_table.without_server_side_encryption.*.name
+        aws_dynamodb_table.without_server_side_encryption.*.name,
+        [""]
       ),
       0
     )
diff --git a/variables.tf b/variables.tf
@@ -152,3 +152,15 @@ variable "logging" {
   default     = null
   description = "Bucket access logging configuration."
 }
+
+variable "bucket_enabled" {
+  type        = bool
+  default     = true
+  description = "Whether to create the s3 bucket."
+}
+
+variable "dynamodb_enabled" {
+  type        = bool
+  default     = true
+  description = "Whether to create the dynamodb table."
+}

Original file line number	Diff line number	Diff line change
`@@ -7,5 +7,8 @@ module "tfstate_backend" {`
`7`	`7`
`8`	`8`	`force_destroy = true`
`9`	`9`
	`10`	`+ bucket_enabled = var.bucket_enabled`
	`11`	`+ dynamodb_enabled = var.dynamodb_enabled`
	`12`	`+`
`10`	`13`	`context = module.this.context`
`11`	`14`	`}`