check for policy_statements vs new var

README.md

@@ -178,7 +178,6 @@ No modules.
 | <a name="input_source_policy_documents"></a> [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_throughput_mode"></a> [throughput\_mode](#input\_throughput\_mode) | Throughput mode for the file system. Defaults to `bursting`. Valid values: `bursting`, `elastic`, and `provisioned`. When using `provisioned`, also set `provisioned_throughput_in_mibps` | `string` | `null` | no |
-| <a name="input_use_default_deny_nonsecure_transport_policy"></a> [use\_default\_deny\_nonsecure\_transport\_policy](#input\_use\_default\_deny\_nonsecure\_transport\_policy) | Determines whether to use the common policy option for denying nonsecure transport which allows all AWS principals when accessed via EFS mounted target | `bool` | `true` | no |
 
 ## Outputs
 

examples/complete/main.tf

@@ -42,9 +42,8 @@ module "efs" {
   }
 
   # File system policy
-  attach_policy                               = true
-  use_default_deny_nonsecure_transport_policy = false
-  bypass_policy_lockout_safety_check          = false
+  attach_policy                      = true
+  bypass_policy_lockout_safety_check = false
   policy_statements = [
     {
       sid     = "Example"

main.tf

@@ -103,7 +103,7 @@ data "aws_iam_policy_document" "policy" {
   }
 
   dynamic "statement" {
-    for_each = var.deny_nonsecure_transport && var.use_default_deny_nonsecure_transport_policy ? [1] : []
+    for_each = var.deny_nonsecure_transport && length(var.policy_statements) == 0 ? [1] : []
 
     content {
       sid    = "NonSecureTransportAccessedViaMountTarget"

variables.tf

@@ -108,12 +108,6 @@ variable "deny_nonsecure_transport" {
   default     = true
 }
 
-variable "use_default_deny_nonsecure_transport_policy" {
-  description = "Determines whether to use the common policy option for denying nonsecure transport which allows all AWS principals when accessed via EFS mounted target"
-  type        = bool
-  default     = true
-}
-
 ################################################################################
 # Mount Target(s)
 ################################################################################

wrappers/main.tf

@@ -3,34 +3,33 @@ module "wrapper" {
 
   for_each = var.items
 
-  access_points                               = try(each.value.access_points, var.defaults.access_points, {})
-  attach_policy                               = try(each.value.attach_policy, var.defaults.attach_policy, true)
-  availability_zone_name                      = try(each.value.availability_zone_name, var.defaults.availability_zone_name, null)
-  bypass_policy_lockout_safety_check          = try(each.value.bypass_policy_lockout_safety_check, var.defaults.bypass_policy_lockout_safety_check, null)
-  create                                      = try(each.value.create, var.defaults.create, true)
-  create_backup_policy                        = try(each.value.create_backup_policy, var.defaults.create_backup_policy, true)
-  create_replication_configuration            = try(each.value.create_replication_configuration, var.defaults.create_replication_configuration, false)
-  create_security_group                       = try(each.value.create_security_group, var.defaults.create_security_group, true)
-  creation_token                              = try(each.value.creation_token, var.defaults.creation_token, null)
-  deny_nonsecure_transport                    = try(each.value.deny_nonsecure_transport, var.defaults.deny_nonsecure_transport, true)
-  enable_backup_policy                        = try(each.value.enable_backup_policy, var.defaults.enable_backup_policy, true)
-  encrypted                                   = try(each.value.encrypted, var.defaults.encrypted, true)
-  kms_key_arn                                 = try(each.value.kms_key_arn, var.defaults.kms_key_arn, null)
-  lifecycle_policy                            = try(each.value.lifecycle_policy, var.defaults.lifecycle_policy, {})
-  mount_targets                               = try(each.value.mount_targets, var.defaults.mount_targets, {})
-  name                                        = try(each.value.name, var.defaults.name, "")
-  override_policy_documents                   = try(each.value.override_policy_documents, var.defaults.override_policy_documents, [])
-  performance_mode                            = try(each.value.performance_mode, var.defaults.performance_mode, null)
-  policy_statements                           = try(each.value.policy_statements, var.defaults.policy_statements, [])
-  provisioned_throughput_in_mibps             = try(each.value.provisioned_throughput_in_mibps, var.defaults.provisioned_throughput_in_mibps, null)
-  replication_configuration_destination       = try(each.value.replication_configuration_destination, var.defaults.replication_configuration_destination, {})
-  security_group_description                  = try(each.value.security_group_description, var.defaults.security_group_description, null)
-  security_group_name                         = try(each.value.security_group_name, var.defaults.security_group_name, null)
-  security_group_rules                        = try(each.value.security_group_rules, var.defaults.security_group_rules, {})
-  security_group_use_name_prefix              = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, false)
-  security_group_vpc_id                       = try(each.value.security_group_vpc_id, var.defaults.security_group_vpc_id, null)
-  source_policy_documents                     = try(each.value.source_policy_documents, var.defaults.source_policy_documents, [])
-  tags                                        = try(each.value.tags, var.defaults.tags, {})
-  throughput_mode                             = try(each.value.throughput_mode, var.defaults.throughput_mode, null)
-  use_default_deny_nonsecure_transport_policy = try(each.value.use_default_deny_nonsecure_transport_policy, var.defaults.use_default_deny_nonsecure_transport_policy, true)
+  access_points                         = try(each.value.access_points, var.defaults.access_points, {})
+  attach_policy                         = try(each.value.attach_policy, var.defaults.attach_policy, true)
+  availability_zone_name                = try(each.value.availability_zone_name, var.defaults.availability_zone_name, null)
+  bypass_policy_lockout_safety_check    = try(each.value.bypass_policy_lockout_safety_check, var.defaults.bypass_policy_lockout_safety_check, null)
+  create                                = try(each.value.create, var.defaults.create, true)
+  create_backup_policy                  = try(each.value.create_backup_policy, var.defaults.create_backup_policy, true)
+  create_replication_configuration      = try(each.value.create_replication_configuration, var.defaults.create_replication_configuration, false)
+  create_security_group                 = try(each.value.create_security_group, var.defaults.create_security_group, true)
+  creation_token                        = try(each.value.creation_token, var.defaults.creation_token, null)
+  deny_nonsecure_transport              = try(each.value.deny_nonsecure_transport, var.defaults.deny_nonsecure_transport, true)
+  enable_backup_policy                  = try(each.value.enable_backup_policy, var.defaults.enable_backup_policy, true)
+  encrypted                             = try(each.value.encrypted, var.defaults.encrypted, true)
+  kms_key_arn                           = try(each.value.kms_key_arn, var.defaults.kms_key_arn, null)
+  lifecycle_policy                      = try(each.value.lifecycle_policy, var.defaults.lifecycle_policy, {})
+  mount_targets                         = try(each.value.mount_targets, var.defaults.mount_targets, {})
+  name                                  = try(each.value.name, var.defaults.name, "")
+  override_policy_documents             = try(each.value.override_policy_documents, var.defaults.override_policy_documents, [])
+  performance_mode                      = try(each.value.performance_mode, var.defaults.performance_mode, null)
+  policy_statements                     = try(each.value.policy_statements, var.defaults.policy_statements, [])
+  provisioned_throughput_in_mibps       = try(each.value.provisioned_throughput_in_mibps, var.defaults.provisioned_throughput_in_mibps, null)
+  replication_configuration_destination = try(each.value.replication_configuration_destination, var.defaults.replication_configuration_destination, {})
+  security_group_description            = try(each.value.security_group_description, var.defaults.security_group_description, null)
+  security_group_name                   = try(each.value.security_group_name, var.defaults.security_group_name, null)
+  security_group_rules                  = try(each.value.security_group_rules, var.defaults.security_group_rules, {})
+  security_group_use_name_prefix        = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, false)
+  security_group_vpc_id                 = try(each.value.security_group_vpc_id, var.defaults.security_group_vpc_id, null)
+  source_policy_documents               = try(each.value.source_policy_documents, var.defaults.source_policy_documents, [])
+  tags                                  = try(each.value.tags, var.defaults.tags, {})
+  throughput_mode                       = try(each.value.throughput_mode, var.defaults.throughput_mode, null)
 }