fix(deploy-role): pass enable_deploy_ variables to gitlab submodule to toggle resources creation based on values known during plan (#43)

jindraj · web-flow · commit 88121eb5d872 · 2025-04-25T10:14:13.000+02:00
diff --git a/README.md b/README.md
@@ -102,7 +102,7 @@ module "static-site" {
 |------|--------|---------|
 | <a name="module_certificate"></a> [certificate](#module\_certificate) | terraform-aws-modules/acm/aws | 5.1.1 |
 | <a name="module_gitlab"></a> [gitlab](#module\_gitlab) | ./modules/gitlab | n/a |
-| <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 4.6.1 |
+| <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 4.7.0 |
 
 ## Resources
 
diff --git a/deploy.tf b/deploy.tf
@@ -36,7 +36,6 @@ data "aws_iam_policy_document" "assume_role" {
 resource "aws_iam_role" "deploy" {
   count              = var.enable_deploy_role ? 1 : 0
   assume_role_policy = data.aws_iam_policy_document.assume_role[0].json
-  description        = format("Role used by the GitLab project %s", "GITLAB_PROJECT_PLACEHOLDER")
   name               = "zvirt-${local.main_domain_sanitized}-deploy"
   tags               = var.tags
 }
@@ -99,11 +98,13 @@ module "gitlab" {
   gitlab_project_ids = local.gitlab_project_ids
   gitlab_environment = var.gitlab_environment
 
+  enable_deploy_role             = var.enable_deploy_role
+  enable_deploy_user             = var.enable_deploy_user
   aws_s3_bucket_name             = module.s3_bucket.s3_bucket_id
   aws_cloudfront_distribution_id = aws_cloudfront_distribution.this.id
-  aws_role_arn                   = aws_iam_role.deploy[0].arn
-  aws_access_key_id              = aws_iam_access_key.deploy[0].id
-  aws_secret_access_key          = aws_iam_access_key.deploy[0].secret
+  aws_role_arn                   = var.enable_deploy_role ? aws_iam_role.deploy[0].arn : null
+  aws_access_key_id              = var.enable_deploy_user ? aws_iam_access_key.deploy[0].id : null
+  aws_secret_access_key          = var.enable_deploy_user ? aws_iam_access_key.deploy[0].secret : null
   aws_default_region             = data.aws_region.current.name
   aws_env_vars_suffix            = var.aws_env_vars_suffix
 }
diff --git a/modules/gitlab/README.md b/modules/gitlab/README.md
@@ -85,6 +85,8 @@ No modules.
 | <a name="input_aws_role_arn"></a> [aws\_role\_arn](#input\_aws\_role\_arn) | n/a | `string` | n/a | yes |
 | <a name="input_aws_s3_bucket_name"></a> [aws\_s3\_bucket\_name](#input\_aws\_s3\_bucket\_name) | n/a | `string` | n/a | yes |
 | <a name="input_aws_secret_access_key"></a> [aws\_secret\_access\_key](#input\_aws\_secret\_access\_key) | n/a | `string` | n/a | yes |
+| <a name="input_enable_deploy_role"></a> [enable\_deploy\_role](#input\_enable\_deploy\_role) | n/a | `bool` | n/a | yes |
+| <a name="input_enable_deploy_user"></a> [enable\_deploy\_user](#input\_enable\_deploy\_user) | n/a | `bool` | n/a | yes |
 | <a name="input_gitlab_environment"></a> [gitlab\_environment](#input\_gitlab\_environment) | n/a | `string` | `"*"` | no |
 | <a name="input_gitlab_project_ids"></a> [gitlab\_project\_ids](#input\_gitlab\_project\_ids) | n/a | `list(string)` | n/a | yes |
 
diff --git a/modules/gitlab/main.tf b/modules/gitlab/main.tf
@@ -49,7 +49,7 @@ resource "gitlab_project_variable" "cloudfront_distribution_id" {
 }
 
 resource "gitlab_project_variable" "site_aws_role_arn" {
-  for_each = data.gitlab_project.this
+  for_each = var.enable_deploy_role ? data.gitlab_project.this : {}
 
   project = each.value.id
 
@@ -64,7 +64,7 @@ resource "gitlab_project_variable" "site_aws_role_arn" {
 }
 
 resource "gitlab_project_variable" "site_aws_access_key_id" {
-  for_each = data.gitlab_project.this
+  for_each = var.enable_deploy_user ? data.gitlab_project.this : {}
 
   project = each.value.id
 
@@ -79,7 +79,7 @@ resource "gitlab_project_variable" "site_aws_access_key_id" {
 }
 
 resource "gitlab_project_variable" "site_aws_secret_access_key" {
-  for_each = data.gitlab_project.this
+  for_each = var.enable_deploy_user ? data.gitlab_project.this : {}
 
   project = each.value.id
 
diff --git a/modules/gitlab/variables.tf b/modules/gitlab/variables.tf
@@ -23,6 +23,14 @@ variable "aws_access_key_id" {
   type = string
 }
 
+variable "enable_deploy_role" {
+  type = bool
+}
+
+variable "enable_deploy_user" {
+  type = bool
+}
+
 variable "aws_secret_access_key" {
   type      = string
   sensitive = true

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ resource "gitlab_project_variable" "cloudfront_distribution_id" {`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`resource "gitlab_project_variable" "site_aws_role_arn" {`
`52`		`- for_each = data.gitlab_project.this`
	`52`	`+ for_each = var.enable_deploy_role ? data.gitlab_project.this : {}`
`53`	`53`
`54`	`54`	`project = each.value.id`
`55`	`55`
`@@ -64,7 +64,7 @@ resource "gitlab_project_variable" "site_aws_role_arn" {`
`64`	`64`	`}`
`65`	`65`
`66`	`66`	`resource "gitlab_project_variable" "site_aws_access_key_id" {`
`67`		`- for_each = data.gitlab_project.this`
	`67`	`+ for_each = var.enable_deploy_user ? data.gitlab_project.this : {}`
`68`	`68`
`69`	`69`	`project = each.value.id`
`70`	`70`
`@@ -79,7 +79,7 @@ resource "gitlab_project_variable" "site_aws_access_key_id" {`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	`resource "gitlab_project_variable" "site_aws_secret_access_key" {`
`82`		`- for_each = data.gitlab_project.this`
	`82`	`+ for_each = var.enable_deploy_user ? data.gitlab_project.this : {}`
`83`	`83`
`84`	`84`	`project = each.value.id`
`85`	`85`