fix: Avoid invalid-index when controllers disabled

When emrcontainers or step function capabilties were disabled, Terraform would try to assign the associated policy. The policy doesn't exist because that component is disabled. As a test, an all controllers disabled module has been added to the example. fixes: #43
aws-ia · Jul 5, 2023 · bcec04c · bcec04c
1 parent 2bf218c
commit bcec04c
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -145,6 +145,25 @@ module "eks_ack_addons" {
   tags = local.tags
 }
 
+module "eks_ack_addons_disabled" {
+  source = "../../"
+
+  # This tests all controllers in disabled mode.
+
+  # Cluster Info
+  cluster_name      = module.eks.cluster_name
+  cluster_endpoint  = module.eks.cluster_endpoint
+  oidc_provider_arn = module.eks.oidc_provider_arn
+
+  # ECR Credentials
+  ecrpublic_username = data.aws_ecrpublic_authorization_token.token.user_name
+  ecrpublic_token    = data.aws_ecrpublic_authorization_token.token.password
+
+  # Controllers to enable (default is disabled)
+
+  tags = local.tags
+}
+
 ################################################################################
 # Supporting Resources
 ################################################################################

diff --git a/main.tf b/main.tf
@@ -589,7 +589,7 @@ module "emrcontainers" {
   role_permissions_boundary_arn = lookup(var.emrcontainers, "role_permissions_boundary_arn", null)
   role_description              = try(var.emrcontainers.role_description, "IRSA for emrcontainers controller for ACK")
   role_policies = lookup(var.emrcontainers, "role_policies", {
-    AmazonEmrContainers = aws_iam_policy.emrcontainers[0].arn
+    AmazonEmrContainers = var.enable_emrcontainers ? aws_iam_policy.emrcontainers[0].arn : null
   })
   create_policy = try(var.emrcontainers.create_policy, false)
 
@@ -770,7 +770,7 @@ module "sfn" {
   role_description              = try(var.sfn.role_description, "IRSA for sfn controller for ACK")
   role_policies = lookup(var.sfn, "role_policies", {
     AWSStepFunctionsFullAccess  = "${local.iam_role_policy_prefix}/AWSStepFunctionsFullAccess"
-    AWSStepFunctionsIamPassRole = aws_iam_policy.sfnpasspolicy[0].arn
+    AWSStepFunctionsIamPassRole = var.enable_emrcontainers ? aws_iam_policy.sfnpasspolicy[0].arn : null
   })
   create_policy = try(var.sfn.create_policy, false)