Correct enabled behavior (#147)

* correct enabled behavior

* Auto Format

* fix docs

* Auto Format

* use indexes

* wrap outputs in try

* do not generate data if we arent using it

* wrap data in try

* wrap check

* wrap more checks

* wrap more checks

* change s3 bucket check

* change s3 policy bucket check

* update docs

* Auto Format

* fix

* remove leftover

Co-authored-by: cloudpossebot <[email protected]>

Author: syphernl

README.md

@@ -277,6 +277,7 @@ Available targets:
 | <a name="input_default_root_object"></a> [default\_root\_object](#input\_default\_root\_object) | Object that CloudFront return when requests the root URL | `string` | `"index.html"` | no |
 | <a name="input_default_ttl"></a> [default\_ttl](#input\_default\_ttl) | Default amount of time (in seconds) that an object is in a CloudFront cache | `number` | `60` | no |
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
+| <a name="input_distribution_enabled"></a> [distribution\_enabled](#input\_distribution\_enabled) | Set to `true` if you want CloudFront to begin processing requests as soon as the distribution is created, or to false if you do not want CloudFront to begin processing requests after the distribution is created. | `bool` | `true` | no |
 | <a name="input_dns_alias_enabled"></a> [dns\_alias\_enabled](#input\_dns\_alias\_enabled) | Create a DNS alias for the CDN. Requires `parent_zone_id` or `parent_zone_name` | `bool` | `false` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_encryption_enabled"></a> [encryption\_enabled](#input\_encryption\_enabled) | When set to 'true' the resource will have aes256 encryption enabled by default | `bool` | `true` | no |

docs/terraform.md

@@ -63,6 +63,7 @@
 | <a name="input_default_root_object"></a> [default\_root\_object](#input\_default\_root\_object) | Object that CloudFront return when requests the root URL | `string` | `"index.html"` | no |
 | <a name="input_default_ttl"></a> [default\_ttl](#input\_default\_ttl) | Default amount of time (in seconds) that an object is in a CloudFront cache | `number` | `60` | no |
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
+| <a name="input_distribution_enabled"></a> [distribution\_enabled](#input\_distribution\_enabled) | Set to `true` if you want CloudFront to begin processing requests as soon as the distribution is created, or to false if you do not want CloudFront to begin processing requests after the distribution is created. | `bool` | `true` | no |
 | <a name="input_dns_alias_enabled"></a> [dns\_alias\_enabled](#input\_dns\_alias\_enabled) | Create a DNS alias for the CDN. Requires `parent_zone_id` or `parent_zone_name` | `bool` | `false` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_encryption_enabled"></a> [encryption\_enabled](#input\_encryption\_enabled) | When set to 'true' the resource will have aes256 encryption enabled by default | `bool` | `true` | no |

main.tf

@@ -23,12 +23,14 @@ module "origin_label" {
 }
 
 resource "aws_cloudfront_origin_access_identity" "default" {
-  count = local.using_existing_cloudfront_origin ? 0 : 1
+  count = (! module.this.enabled || local.using_existing_cloudfront_origin) ? 0 : 1
 
   comment = module.this.id
 }
 
 data "aws_iam_policy_document" "origin" {
+  count = module.this.enabled ? 1 : 0
+
   override_json = var.additional_bucket_policy
 
   statement {
@@ -57,6 +59,8 @@ data "aws_iam_policy_document" "origin" {
 }
 
 data "aws_iam_policy_document" "origin_website" {
+  count = module.this.enabled ? 1 : 0
+
   override_json = var.additional_bucket_policy
 
   statement {
@@ -73,7 +77,7 @@ data "aws_iam_policy_document" "origin_website" {
 }
 
 resource "aws_s3_bucket_policy" "default" {
-  count  = ! local.using_existing_origin || var.override_origin_bucket_policy ? 1 : 0
+  count  = (module.this.enabled && (! local.using_existing_origin || var.override_origin_bucket_policy)) ? 1 : 0
   bucket = join("", aws_s3_bucket.origin.*.bucket)
   policy = local.iam_policy_document
 }
@@ -82,7 +86,7 @@ resource "aws_s3_bucket" "origin" {
   #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
   #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
   #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).
-  count         = local.using_existing_origin ? 0 : 1
+  count         = (! module.this.enabled || local.using_existing_origin) ? 0 : 1
   bucket        = module.origin_label.id
   acl           = "private"
   tags          = module.origin_label.tags
@@ -135,7 +139,7 @@ resource "aws_s3_bucket" "origin" {
 }
 
 resource "aws_s3_bucket_public_access_block" "origin" {
-  count                   = ! local.using_existing_origin && var.block_origin_public_access_enabled ? 1 : 0
+  count                   = (module.this.enabled && ! local.using_existing_origin && var.block_origin_public_access_enabled) ? 1 : 0
   bucket                  = local.bucket
   block_public_acls       = true
   block_public_policy     = true
@@ -150,7 +154,7 @@ resource "aws_s3_bucket_public_access_block" "origin" {
 module "logs" {
   source                   = "cloudposse/s3-log-storage/aws"
   version                  = "0.20.0"
-  enabled                  = var.logging_enabled
+  enabled                  = (module.this.enabled && var.logging_enabled)
   attributes               = compact(concat(module.this.attributes, var.extra_logs_attributes))
   lifecycle_prefix         = var.log_prefix
   standard_transition_days = var.log_standard_transition_days
@@ -163,7 +167,7 @@ module "logs" {
 }
 
 data "aws_s3_bucket" "selected" {
-  count  = local.using_existing_origin ? 1 : 0
+  count  = (module.this.enabled && local.using_existing_origin) ? 1 : 0
   bucket = var.origin_bucket
 }
 
@@ -174,7 +178,7 @@ locals {
 
   origin_path                               = coalesce(var.origin_path, "/")
   cloudfront_origin_access_identity_iam_arn = local.using_existing_cloudfront_origin ? var.cloudfront_origin_access_identity_iam_arn : join("", aws_cloudfront_origin_access_identity.default.*.iam_arn)
-  iam_policy_document                       = var.website_enabled ? data.aws_iam_policy_document.origin_website.json : data.aws_iam_policy_document.origin.json
+  iam_policy_document                       = var.website_enabled ? try(data.aws_iam_policy_document.origin_website[0].json, "") : try(data.aws_iam_policy_document.origin[0].json, "")
 
   bucket = join("",
     compact(
@@ -188,8 +192,10 @@ locals {
 }
 
 resource "aws_cloudfront_distribution" "default" {
+  count = module.this.enabled ? 1 : 0
+
   #bridgecrew:skip=BC_AWS_LOGGING_20:Skipping `CloudFront Access Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
-  enabled             = module.this.enabled
+  enabled             = var.distribution_enabled
   is_ipv6_enabled     = var.ipv6_enabled
   comment             = var.comment
   default_root_object = var.default_root_object
@@ -362,12 +368,12 @@ resource "aws_cloudfront_distribution" "default" {
 module "dns" {
   source           = "cloudposse/route53-alias/aws"
   version          = "0.12.0"
-  enabled          = module.this.enabled && var.dns_alias_enabled ? true : false
+  enabled          = (module.this.enabled && var.dns_alias_enabled) ? true : false
   aliases          = var.aliases
   parent_zone_id   = var.parent_zone_id
   parent_zone_name = var.parent_zone_name
-  target_dns_name  = aws_cloudfront_distribution.default.domain_name
-  target_zone_id   = aws_cloudfront_distribution.default.hosted_zone_id
+  target_dns_name  = try(aws_cloudfront_distribution.default[0].domain_name, "")
+  target_zone_id   = try(aws_cloudfront_distribution.default[0].hosted_zone_id, "")
   ipv6_enabled     = var.ipv6_enabled
 
   context = module.this.context

outputs.tf

@@ -1,30 +1,30 @@
 output "cf_id" {
-  value       = aws_cloudfront_distribution.default.id
+  value       = try(aws_cloudfront_distribution.default[0].id, "")
   description = "ID of AWS CloudFront distribution"
 }
 
 output "cf_arn" {
-  value       = aws_cloudfront_distribution.default.arn
+  value       = try(aws_cloudfront_distribution.default[0].arn, "")
   description = "ARN of AWS CloudFront distribution"
 }
 
 output "cf_status" {
-  value       = aws_cloudfront_distribution.default.status
+  value       = try(aws_cloudfront_distribution.default[0].status, "")
   description = "Current status of the distribution"
 }
 
 output "cf_domain_name" {
-  value       = aws_cloudfront_distribution.default.domain_name
+  value       = try(aws_cloudfront_distribution.default[0].domain_name, "")
   description = "Domain name corresponding to the distribution"
 }
 
 output "cf_etag" {
-  value       = aws_cloudfront_distribution.default.etag
+  value       = try(aws_cloudfront_distribution.default[0].etag, "")
   description = "Current version of the distribution's information"
 }
 
 output "cf_hosted_zone_id" {
-  value       = aws_cloudfront_distribution.default.hosted_zone_id
+  value       = try(aws_cloudfront_distribution.default[0].hosted_zone_id, "")
   description = "CloudFront Route 53 zone ID"
 }
 

variables.tf

@@ -424,3 +424,9 @@ variable "access_log_bucket_name" {
   default     = ""
   description = "Name of the S3 bucket where s3 access log will be sent to"
 }
+
+variable "distribution_enabled" {
+  type        = bool
+  default     = true
+  description = "Set to `true` if you want CloudFront to begin processing requests as soon as the distribution is created, or to false if you do not want CloudFront to begin processing requests after the distribution is created."
+}