infra(fix): Make temporal secrets optional

TracecatHQ · Jan 24, 2025 · d52b27d · d52b27d
1 parent 7ca9d28
commit d52b27d
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/deployments/aws/ecs/iam.tf b/deployments/aws/ecs/iam.tf
@@ -60,6 +60,7 @@ resource "aws_iam_policy" "secrets_access" {
 }
 
 resource "aws_iam_policy" "task_secrets_access" {
+  count       = var.disable_temporal_autosetup ? 0 : 1
   name        = "TracecatTaskSecretsAccessPolicy"
   description = "Policy for accessing Tracecat secrets at runtime"
   policy = jsonencode({
@@ -158,7 +159,8 @@ resource "aws_iam_role_policy" "api_worker_task_db_access" {
   })
 }
 resource "aws_iam_role_policy_attachment" "api_worker_task_secrets" {
-  policy_arn = aws_iam_policy.task_secrets_access.arn
+  count      = var.disable_temporal_autosetup ? 0 : 1
+  policy_arn = aws_iam_policy.task_secrets_access[0].arn
   role       = aws_iam_role.api_worker_task.name
 }
 
@@ -291,10 +293,10 @@ resource "aws_iam_policy" "temporal_ui_secrets_access" {
       {
         Effect = "Allow"
         Action = ["secretsmanager:GetSecretValue"]
-        Resource = [
+        Resource = compact([
           var.temporal_auth_client_id_arn,
           var.temporal_auth_client_secret_arn
-        ]
+        ])
       }
     ]
   })

diff --git a/deployments/aws/variables.tf b/deployments/aws/variables.tf
@@ -117,7 +117,7 @@ variable "TFC_CONFIGURATION_VERSION_GIT_COMMIT_SHA" {
 variable "disable_temporal_ui" {
   type        = bool
   description = "Whether to disable the Temporal UI service in the deployment"
-  default     = false
+  default     = true
 }
 
 variable "disable_temporal_autosetup" {