diff --git a/modules/vault-cluster/main.tf b/modules/vault-cluster/main.tf
index d6c3a567..256bb1a7 100644
--- a/modules/vault-cluster/main.tf
+++ b/modules/vault-cluster/main.tf
@@ -54,7 +54,7 @@ resource "aws_autoscaling_group" "autoscaling_group" {
 tag {
 key = "s3_bucket_id"
- value = element(concat(aws_s3_bucket.vault_storage.*.id, [""]), 0)
+ value = local.s3_bucket_id
 propagate_at_launch = true
 }
@@ -268,8 +268,13 @@ data "aws_iam_policy_document" "instance_role" {
 }
 }
+locals {
+ s3_bucket_arn = var.use_existing_s3_bucket ? element(concat(data.aws_s3_bucket.vault_storage.*.arn, [""]), 0) : element(concat(aws_s3_bucket.vault_storage.*.id, [""]), 0)
+ s3_bucket_id = var.use_existing_s3_bucket ? element(concat(data.aws_s3_bucket.vault_storage.*.id, [""]), 0) : element(concat(aws_s3_bucket.vault_storage.*.id, [""]), 0)
+}
+
 resource "aws_s3_bucket" "vault_storage" {
- count = var.enable_s3_backend ? 1 : 0
+ count = ( var.enable_s3_backend && var.use_existing_s3_bucket == false ) ? 1 : 0
 bucket = var.s3_bucket_name
 force_destroy = var.force_destroy_s3_bucket
@@ -292,6 +297,11 @@ resource "aws_s3_bucket" "vault_storage" {
 }
 }
+data "aws_s3_bucket" "vault_storage" {
+ count = ( var.enable_s3_backend && var.use_existing_s3_bucket == true ) ? 1 : 0
+ bucket = var.s3_bucket_name
+}
+
 resource "aws_iam_role_policy" "vault_s3" {
 count = var.enable_s3_backend ? 1 : 0
 name = "vault_s3"
@@ -317,8 +327,8 @@ data "aws_iam_policy_document" "vault_s3" {
 actions = ["s3:*"]
 resources = [
- aws_s3_bucket.vault_storage[0].arn,
- "${aws_s3_bucket.vault_storage[0].arn}/*",
+ local.s3_bucket_arn,
+ "${local.s3_bucket_arn}/*",
 ]
 }
 }
diff --git a/modules/vault-cluster/outputs.tf b/modules/vault-cluster/outputs.tf
index 4aab60f1..71a1804f 100644
--- a/modules/vault-cluster/outputs.tf
+++ b/modules/vault-cluster/outputs.tf
@@ -47,6 +47,6 @@ output "security_group_id" {
 }
 output "s3_bucket_arn" {
- value = join(",", aws_s3_bucket.vault_storage.*.arn)
+ value = local.s3_bucket_arn
 }
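Review bot: The created-bucket branch of `local.s3_bucket_arn` in the new `locals` block reads `aws_s3_bucket.vault_storage.*.id` (the bucket name) instead of `.*.arn`, so on the default path (`use_existing_s3_bucket = false`) the `vault_s3` policy document later in this file gets `resources = ["<bucket-name>", "<bucket-name>/*"]` rather than ARNs, and the `s3_bucket_arn` output in outputs.tf silently changes from an ARN to a bare name. IAM will most likely reject the non-ARN resource entries as a malformed policy, which would break the module's default configuration; the existing-bucket branch and `s3_bucket_id` are correct. The fix is one attribute reference: `s3_bucket_arn = var.use_existing_s3_bucket ? element(concat(data.aws_s3_bucket.vault_storage.*.arn, [""]), 0) : element(concat(aws_s3_bucket.vault_storage.*.arn, [""]), 0)`. A one-line comment above the block, e.g. `# Resolve bucket identity from the data source (existing bucket) or the managed resource (bucket created here); "" when the S3 backend is disabled.`, would make the intent of the two branches clear to the next reader.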
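Review bot: The new `data "aws_s3_bucket" "vault_storage"` block lets a caller point the module at a bucket it does not manage, but nothing in this hunk documents that the bucket-level settings the module applies to a bucket it creates (versioning, tags, and whatever else the `aws_s3_bucket` resource configures outside this hunk) are then the caller's responsibility, while the `vault_s3` policy below still grants `s3:*` on that bucket and all its objects. A comment on the data block such as `# Existing bucket supplied by the caller: the module does not manage its versioning, encryption, public-access or lifecycle configuration, and the Vault instance role receives s3:* on it, so it should be dedicated to Vault storage.` would set expectations. As a point of style, `var.use_existing_s3_bucket == true` here and `== false` in the resource above read more naturally as `var.use_existing_s3_bucket` and `!var.use_existing_s3_bucket`.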
diff --git a/modules/vault-cluster/variables.tf b/modules/vault-cluster/variables.tf
index df58075c..1abbd403 100644
--- a/modules/vault-cluster/variables.tf
+++ b/modules/vault-cluster/variables.tf
@@ -192,24 +192,29 @@ variable "enable_s3_backend" {
 default = false
 }
+variable "use_existing_s3_bucket" {
+ description = "If true, use an existing S3 bucket (provided by s3_bucket_name) instead of creating the bucket within this module."
+ default = false
+}
+
 variable "s3_bucket_name" {
 description = "The name of the S3 bucket to create and use as a storage backend. Only used if 'enable_s3_backend' is set to true."
 default = ""
 }
 variable "s3_bucket_tags" {
- description = "Tags to be applied to the S3 bucket."
+ description = "Tags to be applied to the S3 bucket. Applied only when 'use_existing_s3_bucket' is false."
 type = map(string)
 default = {}
 }
 variable "enable_s3_bucket_versioning" {
- description = "Whether to enable bucket versioning for the S3 bucket."
+ description = "Whether to enable bucket versioning for the S3 bucket. Applied only when 'use_existing_s3_bucket' is false."
 default = false
 }
 variable "force_destroy_s3_bucket" {
- description = "If 'configure_s3_backend' is enabled and you set this to true, when you run terraform destroy, this tells Terraform to delete all the objects in the S3 bucket used for backend storage. You should NOT set this to true in production or you risk losing all your data! This property is only here so automated tests of this module can clean up after themselves. Only used if 'enable_s3_backend' is set to true."
+ description = "If 'configure_s3_backend' is enabled and you set this to true, when you run terraform destroy, this tells Terraform to delete all the objects in the S3 bucket used for backend storage. You should NOT set this to true in production or you risk losing all your data! This property is only here so automated tests of this module can clean up after themselves. Only used if 'enable_s3_backend' is set to true and 'use_existing_s3_bucket' is false."
 default = false
 }
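Review bot: The description of `s3_bucket_name` is now stale: it still says "the S3 bucket to create and use", although with the new `use_existing_s3_bucket` variable it also names a bucket the module merely looks up, and a reader choosing the existing-bucket path will not know this variable is the one consulted. Suggest `description = "The name of the S3 bucket to create (or, when 'use_existing_s3_bucket' is true, the existing bucket to look up) and use as a storage backend. Only used if 'enable_s3_backend' is set to true."`. The `force_destroy_s3_bucket` description, which this hunk rewrites anyway, still refers to 'configure_s3_backend' while the variable that gates it is `enable_s3_backend`; worth correcting in the same edit. The new `use_existing_s3_bucket` variable omits `type = bool`, matching the sibling boolean variables in this file, so that is consistent, but `type = bool` would reject string inputs like "false" up front if the module ever tightens its other flags.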