Initial windows-only mdm option in terraform addon module (#14639)

2026-05-23 08:58:41 +00:00 · 2023-10-27 07:09:20 -05:00 · 2023-10-27 07:09:20 -05:00 · aa843e7725
commit aa843e7725
parent ae669e1749
4 changed files with 21 additions and 14 deletions
--- a/terraform/addons/mdm/.terraform.lock.hcl
+++ b/terraform/addons/mdm/.terraform.lock.hcl
@ -5,6 +5,7 @@ provider "registry.terraform.io/hashicorp/aws" {
  version = "4.53.0"
  hashes = [
    "h1:CymaUpULY6LR/rHl+4+Vs0i2jVHXMhSZuJj8VXqGIPs=",
+    "h1:P6ZZ716SRIimw0t/SAgYbOMZtO0HDvwVQKxyHEW6aaE=",
    "zh:0d44171544a916adf0fa96b7d0851a49d8dec98f71f0229dfd2d178958b3996b",
    "zh:16945808ce26b86af7f5a77c4ab1154da786208c793abb95b8f918b4f48daded",
    "zh:1a57a5a30cef9a5867579d894b74f60bb99afc7ca0d030d49a80ad776958b428",
--- a/terraform/addons/mdm/main.tf
+++ b/terraform/addons/mdm/main.tf
@ -1,7 +1,8 @@
 data "aws_region" "current" {}

 resource "aws_secretsmanager_secret" "apn" {
-  name = var.apn_secret_name
+  count = var.apn_secret_name == null ? 0 : 1
+  name  = var.apn_secret_name

  recovery_window_in_days = "0"
  lifecycle {
@ -31,10 +32,9 @@ resource "aws_secretsmanager_secret" "dep" {
 data "aws_iam_policy_document" "main" {
  statement {
    actions = ["secretsmanager:GetSecretValue"]
-    resources = concat([
-      aws_secretsmanager_secret.apn.arn,
-      aws_secretsmanager_secret.scep.arn,
-    ], var.dep_secret_name == null ? [] : [aws_secretsmanager_secret.dep[0].arn])
+    resources = concat(var.enable_apple_mdm == false ? [] : [aws_secretsmanager_secret.apn[0].arn],
+      [aws_secretsmanager_secret.scep.arn],
+    var.dep_secret_name == null ? [] : [aws_secretsmanager_secret.dep[0].arn])
  }
 }

--- a/terraform/addons/mdm/outputs.tf
+++ b/terraform/addons/mdm/outputs.tf
@ -1,5 +1,5 @@
 output "extra_environment_variables" {
-  value = merge({
+  value = merge(var.enable_apple_mdm == false ? {} : {
    FLEET_MDM_APPLE_SERVER_ADDRESS = var.public_domain_name
    }, var.enable_windows_mdm == false ? {} : {
    FLEET_DEV_MDM_ENABLED = "1"
@ -7,17 +7,17 @@ output "extra_environment_variables" {
 }

 output "extra_secrets" {
-  value = merge({
+  value = merge(var.enable_apple_mdm == false ? {} : {
    FLEET_MDM_APPLE_SCEP_CERT_BYTES   = "${aws_secretsmanager_secret.scep.arn}:crt::"
    FLEET_MDM_APPLE_SCEP_CA_CERT_PEM  = "${aws_secretsmanager_secret.scep.arn}:crt::"
    FLEET_MDM_APPLE_SCEP_KEY_BYTES    = "${aws_secretsmanager_secret.scep.arn}:key::"
    FLEET_MDM_APPLE_SCEP_CA_KEY_PEM   = "${aws_secretsmanager_secret.scep.arn}:key::"
    FLEET_MDM_APPLE_SCEP_CHALLENGE    = "${aws_secretsmanager_secret.scep.arn}:challenge::"
-    FLEET_MDM_APPLE_APNS_CERT_BYTES   = "${aws_secretsmanager_secret.apn.arn}:FLEET_MDM_APPLE_MDM_PUSH_CERT_PEM::"
-    FLEET_MDM_APPLE_MDM_PUSH_CERT_PEM = "${aws_secretsmanager_secret.apn.arn}:FLEET_MDM_APPLE_MDM_PUSH_CERT_PEM::"
-    FLEET_MDM_APPLE_APNS_KEY_BYTES    = "${aws_secretsmanager_secret.apn.arn}:FLEET_MDM_APPLE_MDM_PUSH_KEY_PEM::"
-    FLEET_MDM_APPLE_MDM_PUSH_KEY_PEM  = "${aws_secretsmanager_secret.apn.arn}:FLEET_MDM_APPLE_MDM_PUSH_KEY_PEM::"
-    }, var.dep_secret_name == null ? {} : {
+    FLEET_MDM_APPLE_APNS_CERT_BYTES   = "${aws_secretsmanager_secret.apn[0].arn}:FLEET_MDM_APPLE_MDM_PUSH_CERT_PEM::"
+    FLEET_MDM_APPLE_MDM_PUSH_CERT_PEM = "${aws_secretsmanager_secret.apn[0].arn}:FLEET_MDM_APPLE_MDM_PUSH_CERT_PEM::"
+    FLEET_MDM_APPLE_APNS_KEY_BYTES    = "${aws_secretsmanager_secret.apn[0].arn}:FLEET_MDM_APPLE_MDM_PUSH_KEY_PEM::"
+    FLEET_MDM_APPLE_MDM_PUSH_KEY_PEM  = "${aws_secretsmanager_secret.apn[0].arn}:FLEET_MDM_APPLE_MDM_PUSH_KEY_PEM::"
+    }, var.dep_secret_name == null || var.enable_apple_mdm == false ? {} : {
    FLEET_MDM_APPLE_DEP_TOKEN             = "${aws_secretsmanager_secret.dep[0].arn}:token::"
    FLEET_MDM_APPLE_BM_SERVER_TOKEN_BYTES = "${aws_secretsmanager_secret.dep[0].arn}:token-encrypted::"
    FLEET_MDM_APPLE_BM_CERT_BYTES         = "${aws_secretsmanager_secret.dep[0].arn}:cert::"
@ -43,5 +43,5 @@ output "dep" {
 }

 output "apn" {
-  value = aws_secretsmanager_secret.apn
+  value = var.enable_apple_mdm == false ? null : aws_secretsmanager_secret.apn
 }
--- a/terraform/addons/mdm/variables.tf
+++ b/terraform/addons/mdm/variables.tf
@ -1,6 +1,6 @@
 variable "apn_secret_name" {
  default  = "fleet-apn"
-  nullable = false
+  nullable = true
  type     = string
 }

@ -26,3 +26,9 @@ variable "enable_windows_mdm" {
  nullable = false
  type     = bool
 }
+
+variable "enable_apple_mdm" {
+  default  = true
+  nullable = false
+  type     = bool
+}