fix: invalid reference when flow logs is disabled (#157)

fixes #156
nozaq · Dec 12, 2020 · 10c7ead · 10c7ead
1 parent a31fd70
commit 10c7ead
Show file tree

Hide file tree

Showing 8 changed files with 10 additions and 10 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.31.0
+  rev: v1.45.0
   hooks:
     - id: terraform_fmt
     - id: terraform_docs
diff --git a/README.md b/README.md
@@ -173,7 +173,7 @@ This module is composed of several submodules and each of which can be used inde
 | securityhub\_enable\_pci\_dss\_standard | Boolean whether PCI DSS standard is enabled. | `bool` | `false` | no |
 | support\_iam\_role\_name | The name of the the support role. | `string` | `"IAM-Support"` | no |
 | support\_iam\_role\_policy\_name | The name of the support role policy. | `string` | `"IAM-Support-Role"` | no |
-| support\_iam\_role\_principal\_arns | List of ARNs of the IAM principal elements by which the support role could be assumed. | `list` | n/a | yes |
+| support\_iam\_role\_principal\_arns | List of ARNs of the IAM principal elements by which the support role could be assumed. | `list(any)` | n/a | yes |
 | tags | Specifies object tags key and value. This applies to all resources created by this module. | `map` | `{}` | no |
 | target\_regions | A list of regions to set up with this module. | `list` | <pre>[<br>  "ap-northeast-1",<br>  "ap-northeast-2",<br>  "ap-south-1",<br>  "ap-southeast-1",<br>  "ap-southeast-2",<br>  "ca-central-1",<br>  "eu-central-1",<br>  "eu-north-1",<br>  "eu-west-1",<br>  "eu-west-2",<br>  "eu-west-3",<br>  "sa-east-1",<br>  "us-east-1",<br>  "us-east-2",<br>  "us-west-1",<br>  "us-west-2"<br>]</pre> | no |
 | use\_external\_audit\_log\_bucket | A boolean that indicates whether the specific audit log bucket already exists. Create a new S3 bucket if it is set to false. | `bool` | `false` | no |

diff --git a/bucket.tf b/bucket.tf
@@ -35,7 +35,7 @@ module "audit_log_bucket" {
   log_bucket_name                   = "${var.audit_log_bucket_name}-access-logs"
   lifecycle_glacier_transition_days = var.audit_log_lifecycle_glacier_transition_days
   force_destroy                     = var.audit_log_bucket_force_destroy
-  enabled                           = ! local.use_external_bucket
+  enabled                           = !local.use_external_bucket
 
   tags = var.tags
 }
@@ -209,7 +209,7 @@ data "aws_iam_policy_document" "audit_log_config" {
 # https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html#flow-logs-s3-permissions
 # --------------------------------------------------------------------------------------------------
 data "aws_iam_policy_document" "audit_log_flow_logs" {
-  count = ! local.use_external_bucket && local.flow_logs_use_s3 ? 1 : 0
+  count = !local.use_external_bucket && local.flow_logs_use_s3 ? 1 : 0
 
   source_json = data.aws_iam_policy_document.audit_log_config[0].json
 

diff --git a/modules/iam-baseline/README.md b/modules/iam-baseline/README.md
@@ -35,7 +35,7 @@
 | require\_uppercase\_characters | Whether to require uppercase characters for user passwords. | `bool` | `true` | no |
 | support\_iam\_role\_name | The name of the the support role. | `string` | `"IAM-Support"` | no |
 | support\_iam\_role\_policy\_name | The name of the support role policy. | `string` | `"IAM-Support-Role"` | no |
-| support\_iam\_role\_principal\_arns | List of ARNs of the IAM principal elements by which the support role could be assumed. | `list` | n/a | yes |
+| support\_iam\_role\_principal\_arns | List of ARNs of the IAM principal elements by which the support role could be assumed. | `list(any)` | n/a | yes |
 | tags | Specifies object tags key and value. This applies to all resources created by this module. | `map` | <pre>{<br>  "Terraform": true<br>}</pre> | no |
 
 ## Outputs

diff --git a/modules/iam-baseline/variables.tf b/modules/iam-baseline/variables.tf
@@ -13,7 +13,7 @@ variable "support_iam_role_policy_name" {
 }
 
 variable "support_iam_role_principal_arns" {
-  type        = list
+  type        = list(any)
   description = "List of ARNs of the IAM principal elements by which the support role could be assumed."
 }
 

diff --git a/modules/vpc-baseline/main.tf b/modules/vpc-baseline/main.tf
@@ -1,5 +1,5 @@
 locals {
-  is_cw_logs         = var.flow_logs_destination_type == "cloud-watch-logs"
+  is_cw_logs         = var.enable_flow_logs && var.flow_logs_destination_type == "cloud-watch-logs"
   s3_destination_arn = "${var.flow_logs_s3_arn}/${var.flow_logs_s3_key_prefix}"
 }
 

diff --git a/variables.tf b/variables.tf
@@ -142,7 +142,7 @@ variable "support_iam_role_policy_name" {
 }
 
 variable "support_iam_role_principal_arns" {
-  type        = list
+  type        = list(any)
   description = "List of ARNs of the IAM principal elements by which the support role could be assumed."
 }
 

diff --git a/vpc_baselines.tf b/vpc_baselines.tf
@@ -1,6 +1,6 @@
 locals {
-  is_cw_logs = var.vpc_flow_logs_destination_type == "cloud-watch-logs"
-  is_s3      = var.vpc_flow_logs_destination_type == "s3"
+  is_cw_logs = var.vpc_enable_flow_logs && (var.vpc_flow_logs_destination_type == "cloud-watch-logs")
+  is_s3      = var.vpc_enable_flow_logs && (var.vpc_flow_logs_destination_type == "s3")
   flow_logs_s3_arn = local.is_s3 ? (
     var.vpc_flow_logs_s3_arn != "" ? var.vpc_flow_logs_s3_arn : local.audit_log_bucket_arn
   ) : ""