Make IAM user conditional

README.md

@@ -85,6 +85,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_create_okta_iam_user"></a> [create\_okta\_iam\_user](#input\_create\_okta\_iam\_user) | Create IAM user for Okta and related resources | `bool` | `true` | no |
 | <a name="input_iam_group_name"></a> [iam\_group\_name](#input\_iam\_group\_name) | Name of the IAM group Okta IAM policies will be attached to | `string` | `"okta-sso"` | no |
 | <a name="input_iam_user_name"></a> [iam\_user\_name](#input\_iam\_user\_name) | Username for the Okta service account | `string` | `"okta-sso"` | no |
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | kms key id to encrypt Okta Secret | `string` | `""` | no |

main.tf

@@ -29,30 +29,65 @@ resource "aws_iam_group_policy" "this" {
 }
 
 resource "aws_iam_user" "this" {
+  count = var.create_okta_iam_user ? 1 : 0
+
   name = var.iam_user_name
   path = "/"
   tags = var.tags
 }
 
 resource "aws_iam_user_group_membership" "this" {
-  user = aws_iam_user.this.name
+  count = var.create_okta_iam_user ? 1 : 0
+
+  user = aws_iam_user.this[0].name
   groups = [
     aws_iam_group.this.name
   ]
 }
 
 resource "aws_iam_access_key" "this" {
-  user = aws_iam_user.this.name
+  count = var.create_okta_iam_user ? 1 : 0
+
+  user = aws_iam_user.this[0].name
 }
 
 resource "aws_secretsmanager_secret" "this" {
+  count = var.create_okta_iam_user ? 1 : 0
+
   name_prefix = "terraform-okta-sso"
   description = "Okta SSO user access key"
   kms_key_id  = var.kms_key_id
   tags        = var.tags
 }
 
 resource "aws_secretsmanager_secret_version" "this" {
-  secret_id     = aws_secretsmanager_secret.this.id
-  secret_string = aws_iam_access_key.this.secret
+  count = var.create_okta_iam_user ? 1 : 0
+
+  secret_id     = aws_secretsmanager_secret.this[0].id
+  secret_string = aws_iam_access_key.this[0].secret
+}
+
+moved {
+  from = aws_iam_user.this
+  to   = aws_iam_user.this[0]
+}
+
+moved {
+  from = aws_iam_user_group_membership.this
+  to   = aws_iam_user_group_membership.this[0]
+}
+
+moved {
+  from = aws_iam_access_key.this
+  to   = aws_iam_access_key.this[0]
+}
+
+moved {
+  from = aws_secretsmanager_secret.this
+  to   = aws_secretsmanager_secret.this[0]
+}
+
+moved {
+  from = aws_secretsmanager_secret_version.this
+  to   = aws_secretsmanager_secret_version.this[0]
 }

outputs.tf

@@ -1,14 +1,14 @@
 output "iam_access_key_okta_user" {
   description = "ID of IAM access key for new Okta user"
-  value       = aws_iam_access_key.this.id
+  value       = var.create_okta_iam_user ? aws_iam_access_key.this[0].id : null
 }
 
 output "iam_user_okta" {
   description = "User name for new Okta user"
-  value       = aws_iam_user.this.name
+  value       = var.create_okta_iam_user ? aws_iam_user.this[0].name : null
 }
 
 output "secretsmanager_secret_okta_user_secret_key" {
   description = "ARN of Secrets Manager secret containing new Okta user's IAM access key"
-  value       = aws_secretsmanager_secret.this.id
+  value       = var.create_okta_iam_user ? aws_secretsmanager_secret.this[0].id : null
 }

variables.tf

@@ -26,3 +26,9 @@ variable "tags" {
   description = "Tags to apply to supported resources"
   type        = map(string)
 }
+
+variable "create_okta_iam_user" {
+  description = "Create IAM user for Okta and related resources"
+  type        = bool
+  default     = true
+}