From aa843e772555dc417aebad9b49898e35709bbb67 Mon Sep 17 00:00:00 2001 From: Robert Fairburn <8029478+rfairburn@users.noreply.github.com> Date: Fri, 27 Oct 2023 07:09:20 -0500 Subject: [PATCH] Initial windows-only mdm option in terraform addon module (#14639) --- terraform/addons/mdm/.terraform.lock.hcl | 1 + terraform/addons/mdm/main.tf | 10 +++++----- terraform/addons/mdm/outputs.tf | 16 ++++++++-------- terraform/addons/mdm/variables.tf | 8 +++++++- 4 files changed, 21 insertions(+), 14 deletions(-) diff --git a/terraform/addons/mdm/.terraform.lock.hcl b/terraform/addons/mdm/.terraform.lock.hcl index 9833b48fcb..380e800129 100644 --- a/terraform/addons/mdm/.terraform.lock.hcl +++ b/terraform/addons/mdm/.terraform.lock.hcl @@ -5,6 +5,7 @@ provider "registry.terraform.io/hashicorp/aws" { version = "4.53.0" hashes = [ "h1:CymaUpULY6LR/rHl+4+Vs0i2jVHXMhSZuJj8VXqGIPs=", + "h1:P6ZZ716SRIimw0t/SAgYbOMZtO0HDvwVQKxyHEW6aaE=", "zh:0d44171544a916adf0fa96b7d0851a49d8dec98f71f0229dfd2d178958b3996b", "zh:16945808ce26b86af7f5a77c4ab1154da786208c793abb95b8f918b4f48daded", "zh:1a57a5a30cef9a5867579d894b74f60bb99afc7ca0d030d49a80ad776958b428", diff --git a/terraform/addons/mdm/main.tf b/terraform/addons/mdm/main.tf index 32da59e5e3..48b82199d8 100644 --- a/terraform/addons/mdm/main.tf +++ b/terraform/addons/mdm/main.tf @@ -1,7 +1,8 @@ data "aws_region" "current" {} resource "aws_secretsmanager_secret" "apn" { - name = var.apn_secret_name + count = var.apn_secret_name == null ? 0 : 1 + name = var.apn_secret_name recovery_window_in_days = "0" lifecycle { 
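Review bot: The new `count` on `aws_secretsmanager_secret.apn` is keyed on `var.apn_secret_name == null`, while every consumer of that resource — the IAM policy document in the next hunk and the `extra_secrets` and `apn` outputs in outputs.tf — is keyed on `var.enable_apple_mdm`. With the default name kept and `enable_apple_mdm = false` the APNs secret is still created (and, given `recovery_window_in_days = "0"`, destroyed with no recovery window later), whereas `enable_apple_mdm = true` with `apn_secret_name = null` fails at plan time on `aws_secretsmanager_secret.apn[0]`. Use one gate on both sides: `count = var.enable_apple_mdm ? 1 : 0`, and keep `nullable = false` on `apn_secret_name` so an absent name cannot silently drop the resource. The resource body continues past the end of this hunk.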
@@ -31,10 +32,9 @@ resource "aws_secretsmanager_secret" "dep" { data "aws_iam_policy_document" "main" { statement { actions = ["secretsmanager:GetSecretValue"] - resources = concat([ - aws_secretsmanager_secret.apn.arn, - aws_secretsmanager_secret.scep.arn, - ], var.dep_secret_name == null ? [] : [aws_secretsmanager_secret.dep[0].arn]) + resources = concat(var.enable_apple_mdm == false ? [] : [aws_secretsmanager_secret.apn[0].arn], + [aws_secretsmanager_secret.scep.arn], + var.dep_secret_name == null ? [] : [aws_secretsmanager_secret.dep[0].arn]) } } diff --git a/terraform/addons/mdm/outputs.tf b/terraform/addons/mdm/outputs.tf index 8c5659e5f4..e34e0f83bd 100644 --- a/terraform/addons/mdm/outputs.tf +++ b/terraform/addons/mdm/outputs.tf @@ -1,5 +1,5 @@ output "extra_environment_variables" { - value = merge({ + value = merge(var.enable_apple_mdm == false ? {} : { FLEET_MDM_APPLE_SERVER_ADDRESS = var.public_domain_name }, var.enable_windows_mdm == false ? {} : { FLEET_DEV_MDM_ENABLED = "1" 
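Review bot: The `secretsmanager:GetSecretValue` statement still grants read on `aws_secretsmanager_secret.scep.arn` and, when `dep_secret_name` is set, on the DEP secret even when `enable_apple_mdm` is false; only the APNs term was gated, so a Windows-only deployment keeps read access to Apple-only secrets it never consumes. Mirror the condition used in outputs.tf here: `var.enable_apple_mdm ? [aws_secretsmanager_secret.scep.arn] : []` and `var.dep_secret_name == null || !var.enable_apple_mdm ? [] : [aws_secretsmanager_secret.dep[0].arn]`. Once all three terms are gated, `resources` can be empty in Windows-only mode, which is not a valid statement, so the `statement` block itself has to become conditional (for example a `dynamic "statement"` whose `for_each` is `var.enable_apple_mdm ? [1] : []`). The `scep` and `dep` resources are defined outside this hunk; if `scep` is created unconditionally, gating the policy removes the grant but not the secret.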
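Review bot: The new gate is written as `var.enable_apple_mdm == false ? {} : { … }`, comparing a non-nullable bool against `false`; `var.enable_apple_mdm ? { … } : {}` states the intent directly and is the form to apply consistently in this output, in `extra_secrets` and `apn` below, and in main.tf. The `var.enable_windows_mdm == false ? {} : { … }` term this hunk keeps has the same shape. No behaviour change either way.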
@@ -7,17 +7,17 @@ output "extra_environment_variables" { } output "extra_secrets" { - value = merge({ + value = merge(var.enable_apple_mdm == false ? {} : { FLEET_MDM_APPLE_SCEP_CERT_BYTES = "${aws_secretsmanager_secret.scep.arn}:crt::" FLEET_MDM_APPLE_SCEP_CA_CERT_PEM = "${aws_secretsmanager_secret.scep.arn}:crt::" FLEET_MDM_APPLE_SCEP_KEY_BYTES = "${aws_secretsmanager_secret.scep.arn}:key::" FLEET_MDM_APPLE_SCEP_CA_KEY_PEM = "${aws_secretsmanager_secret.scep.arn}:key::" FLEET_MDM_APPLE_SCEP_CHALLENGE = "${aws_secretsmanager_secret.scep.arn}:challenge::" - FLEET_MDM_APPLE_APNS_CERT_BYTES = "${aws_secretsmanager_secret.apn.arn}:FLEET_MDM_APPLE_MDM_PUSH_CERT_PEM::" - FLEET_MDM_APPLE_MDM_PUSH_CERT_PEM = "${aws_secretsmanager_secret.apn.arn}:FLEET_MDM_APPLE_MDM_PUSH_CERT_PEM::" - FLEET_MDM_APPLE_APNS_KEY_BYTES = "${aws_secretsmanager_secret.apn.arn}:FLEET_MDM_APPLE_MDM_PUSH_KEY_PEM::" - FLEET_MDM_APPLE_MDM_PUSH_KEY_PEM = "${aws_secretsmanager_secret.apn.arn}:FLEET_MDM_APPLE_MDM_PUSH_KEY_PEM::" - }, var.dep_secret_name == null ? {} : { + FLEET_MDM_APPLE_APNS_CERT_BYTES = "${aws_secretsmanager_secret.apn[0].arn}:FLEET_MDM_APPLE_MDM_PUSH_CERT_PEM::" + FLEET_MDM_APPLE_MDM_PUSH_CERT_PEM = "${aws_secretsmanager_secret.apn[0].arn}:FLEET_MDM_APPLE_MDM_PUSH_CERT_PEM::" + FLEET_MDM_APPLE_APNS_KEY_BYTES = "${aws_secretsmanager_secret.apn[0].arn}:FLEET_MDM_APPLE_MDM_PUSH_KEY_PEM::" + FLEET_MDM_APPLE_MDM_PUSH_KEY_PEM = "${aws_secretsmanager_secret.apn[0].arn}:FLEET_MDM_APPLE_MDM_PUSH_KEY_PEM::" + }, var.dep_secret_name == null || var.enable_apple_mdm == false ? {} : { FLEET_MDM_APPLE_DEP_TOKEN = "${aws_secretsmanager_secret.dep[0].arn}:token::" FLEET_MDM_APPLE_BM_SERVER_TOKEN_BYTES = "${aws_secretsmanager_secret.dep[0].arn}:token-encrypted::" FLEET_MDM_APPLE_BM_CERT_BYTES = "${aws_secretsmanager_secret.dep[0].arn}:cert::" 
@@ -43,5 +43,5 @@ output "dep" { } output "apn" { - value = aws_secretsmanager_secret.apn + value = var.enable_apple_mdm == false ? null : aws_secretsmanager_secret.apn } diff --git a/terraform/addons/mdm/variables.tf b/terraform/addons/mdm/variables.tf index b1dc3055f7..a822a627c0 100644 --- a/terraform/addons/mdm/variables.tf +++ b/terraform/addons/mdm/variables.tf @@ -1,6 +1,6 @@ variable "apn_secret_name" { default = "fleet-apn" - nullable = false + nullable = true type = string } @@ -26,3 +26,9 @@ variable "enable_windows_mdm" { nullable = false type = bool } + +variable "enable_apple_mdm" { + default = true + nullable = false + type = bool +}
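Review bot: `output "apn"` now evaluates `aws_secretsmanager_secret.apn` after the resource gained `count`, so when Apple MDM is enabled the value is a one-element tuple rather than the secret object the old output exposed; a caller reading `module.<name>.apn.arn` breaks, and the `false` branch returning `null` is a second shape change. Return the element instead, `value = var.enable_apple_mdm ? aws_secretsmanager_secret.apn[0] : null` (or `one(aws_secretsmanager_secret.apn)`), and record the possible `null` in the output's `description`. `output "dep"`, whose value lies outside this hunk, presumably already uses the indexed form since `dep` had `count` before this change — worth confirming it matches.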
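Review bot: `variable "enable_apple_mdm"` has no `description`, and nothing documents that it now works together with `apn_secret_name` (made nullable in the first hunk of this file) to decide whether the APNs secret exists at all. Add `description = "Create the APNs secret and emit the Apple MDM environment and secret settings; set to false for a Windows-only deployment."` and give `apn_secret_name` a matching line stating when it may be null. A `validation` block on `apn_secret_name` that rejects `null` while Apple MDM is enabled would turn the plan-time index error into a readable message, but referencing another variable inside `validation` needs a recent Terraform release, so check the module's `required_version` first.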