Add overrule for the SG feature

Add explicit toggle to prevent the "Cannot calculate" error in TF when a new Lambda is deployed.
schubergphilis · Feb 8, 2024 · 43fe6f3 · 43fe6f3
1 parent a942645
commit 43fe6f3
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,6 @@
 #  Local .terraform directories
 **/.terraform/*
+*.lock.hcl
 
 # .tfstate files
 *.tfstate

diff --git a/main.tf b/main.tf
@@ -1,6 +1,7 @@
 locals {
   create_event_invoke_config = var.retries != null || var.destination_on_failure != null || var.destination_on_success != null ? { create : true } : {}
   create_policy              = var.create_policy != null ? var.create_policy : var.role_arn == null
+  create_security_group      = var.create_security_group != null ? var.create_security_group : var.subnet_ids != null && var.security_group_id == null
   dead_letter_config         = var.dead_letter_target_arn != null ? { create : true } : {}
   environment                = var.environment != null ? { create : true } : {}
   ephemeral_storage          = var.ephemeral_storage_size != null ? { create : true } : {}
@@ -72,7 +73,7 @@ data "aws_subnet" "selected" {
 
 resource "aws_security_group" "default" {
   #checkov:skip=CKV2_AWS_5: False positive finding, the security group is attached.
-  count = var.subnet_ids != null && var.security_group_id == null ? 1 : 0
+  count = local.create_security_group ? 1 : 0
 
   name        = var.security_group_name_prefix == null ? var.name : null
   name_prefix = var.security_group_name_prefix != null ? var.security_group_name_prefix : null

diff --git a/variables.tf b/variables.tf
@@ -27,6 +27,12 @@ variable "create_policy" {
   description = "Overrule whether the Lambda role policy has to be created"
 }
 
+variable "create_security_group" {
+  type        = bool
+  default     = null
+  description = "Overrule whether the default VPC Security group has to be created"
+}
+
 variable "create_s3_dummy_object" {
   type        = bool
   default     = true