comments-resolved

sourcefuse · Nov 15, 2022 · 46e9ea8 · 46e9ea8
1 parent 4b47cf1
commit 46e9ea8
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 11 deletions.
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/locals.tf b/locals.tf
@@ -1,3 +1,4 @@
 locals {
-  bucket_arn = "arn:${data.aws_partition.current.partition}:s3:::${var.bucket_name}"
+  bucket_arn               = "arn:${data.aws_partition.current.partition}:s3:::${var.bucket_name}"
+  dynamo_kms_master_key_id = var.dynamo_kms_master_key_id == null ? "alias/aws/dynamo" : var.dynamo_kms_master_key_id
 }
diff --git a/main.tf b/main.tf
@@ -2,7 +2,7 @@
 ## defaults
 ################################################
 terraform {
-   required_version = ">= 1.0.8"
+  required_version = ">= 1.0.8"
   required_providers {
     aws = {
       source  = "hashicorp/aws"
@@ -90,8 +90,8 @@ resource "aws_s3_bucket" "private" {
 
   logging {}
   versioning {
-    enabled = var.enable_versioning
-    mfa_delete = true
+    enabled    = var.enable_versioning
+    mfa_delete = var.mfa_delete
   }
 
   lifecycle_rule {
@@ -264,8 +264,8 @@ resource "aws_dynamodb_table" "terraform_state_lock" {
   write_capacity = 2
 
   server_side_encryption {
-    enabled = true
-    kms_key_arn = data.aws_iam_policy_document.policy.arn
+    enabled     = true
+    kms_key_arn = local.dynamo_kms_master_key_id
   }
 
   attribute {

diff --git a/variables.tf b/variables.tf
@@ -2,7 +2,7 @@
 ## dynamodb
 ################################################
 variable "dynamodb_name" {
-  type = string
+  type        = string
   description = "The name of the table, this needs to be unique within a region."
 }
 
@@ -13,11 +13,17 @@ variable "enable_dynamodb_point_in_time_recovery" {
 }
 
 variable "dynamodb_hash_key" {
-  type = string
+  type        = string
   description = "The attribute to use as the hash (partition) key."
   default     = "LockID"
 }
 
+variable "dynamo_kms_master_key_id" {
+  type        = string
+  description = "The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CMK"
+  default     = null
+}
+
 ################################################
 ## s3
 ################################################
@@ -35,7 +41,7 @@ variable "bucket_key_enabled" {
 }
 
 variable "bucket_name" {
-  type = string
+  type        = string
   description = "The name of the bucket."
 }
 
@@ -63,6 +69,12 @@ variable "enable_versioning" {
   default     = true
 }
 
+variable "mfa_delete" {
+  description = "mfa_delete is disabled"
+  type        = bool
+  default     = false
+}
+
 variable "expiration" {
   description = "Specifies a period in the object's expire."
   type        = list(any)
@@ -88,13 +100,13 @@ variable "kms_master_key_id" {
 }
 
 variable "logging_bucket_name" {
-  type = string
+  type        = string
   description = "The S3 bucket to send S3 access logs."
   default     = ""
 }
 
 variable "logging_bucket_target_prefix" {
-  type = string
+  type        = string
   description = "To specify a key prefix for log objects."
   default     = ""
 }