hashicorp · queglay · Apr 1, 2021
@@ -54,7 +54,7 @@ resource "aws_autoscaling_group" "autoscaling_group" {
 
   tag {
     key                 = "s3_bucket_id"
-    value               = element(concat(aws_s3_bucket.vault_storage.*.id, [""]), 0)
+    value               = local.s3_bucket_id
     propagate_at_launch = true
   }
 
@@ -268,8 +268,13 @@ data "aws_iam_policy_document" "instance_role" {
   }
 }
 
+locals {
+  s3_bucket_arn = var.use_existing_s3_bucket ? element(concat(data.aws_s3_bucket.vault_storage.*.arn, [""]), 0) : element(concat(aws_s3_bucket.vault_storage.*.id, [""]), 0)
+  s3_bucket_id = var.use_existing_s3_bucket ? element(concat(data.aws_s3_bucket.vault_storage.*.id, [""]), 0) : element(concat(aws_s3_bucket.vault_storage.*.id, [""]), 0)
+}
+
 resource "aws_s3_bucket" "vault_storage" {
-  count         = var.enable_s3_backend ? 1 : 0
+  count         = ( var.enable_s3_backend && var.use_existing_s3_bucket == false ) ? 1 : 0
   bucket        = var.s3_bucket_name
   force_destroy = var.force_destroy_s3_bucket
 
@@ -292,6 +297,11 @@ resource "aws_s3_bucket" "vault_storage" {
   }
 }
 
+data "aws_s3_bucket" "vault_storage" {
+  count         = ( var.enable_s3_backend && var.use_existing_s3_bucket == true ) ? 1 : 0
+  bucket        = var.s3_bucket_name
+}
+
 resource "aws_iam_role_policy" "vault_s3" {
   count = var.enable_s3_backend ? 1 : 0
   name  = "vault_s3"
@@ -317,8 +327,8 @@ data "aws_iam_policy_document" "vault_s3" {
     actions = ["s3:*"]
 
     resources = [
-      aws_s3_bucket.vault_storage[0].arn,
-      "${aws_s3_bucket.vault_storage[0].arn}/*",
+      local.s3_bucket_arn,
+      "${local.s3_bucket_arn}/*",
     ]
   }
 }

@@ -47,6 +47,6 @@ output "security_group_id" {
 }
 
 output "s3_bucket_arn" {
-  value = join(",", aws_s3_bucket.vault_storage.*.arn)
+  value = local.s3_bucket_arn
 }
 
@@ -192,24 +192,29 @@ variable "enable_s3_backend" {
   default     = false
 }
 
+variable "use_existing_s3_bucket" {
+  description = "If true, use an existing S3 bucket (provided by s3_bucket_name) instead of creating the bucket within this module."
+  default     = false
+}
+
 variable "s3_bucket_name" {
   description = "The name of the S3 bucket to create and use as a storage backend. Only used if 'enable_s3_backend' is set to true."
   default     = ""
 }
 
 variable "s3_bucket_tags" {
-  description = "Tags to be applied to the S3 bucket."
+  description = "Tags to be applied to the S3 bucket. Applied only when 'use_existing_s3_bucket' is false."
   type        = map(string)
   default     = {}
 }
 
 variable "enable_s3_bucket_versioning" {
-  description = "Whether to enable bucket versioning for the S3 bucket."
+  description = "Whether to enable bucket versioning for the S3 bucket.  Applied only when 'use_existing_s3_bucket' is false."
   default     = false
 }
 
 variable "force_destroy_s3_bucket" {
-  description = "If 'configure_s3_backend' is enabled and you set this to true, when you run terraform destroy, this tells Terraform to delete all the objects in the S3 bucket used for backend storage. You should NOT set this to true in production or you risk losing all your data! This property is only here so automated tests of this module can clean up after themselves. Only used if 'enable_s3_backend' is set to true."
+  description = "If 'configure_s3_backend' is enabled and you set this to true, when you run terraform destroy, this tells Terraform to delete all the objects in the S3 bucket used for backend storage. You should NOT set this to true in production or you risk losing all your data! This property is only here so automated tests of this module can clean up after themselves. Only used if 'enable_s3_backend' is set to true and 'use_existing_s3_bucket' is false."
   default     = false
 }