feat: Make DynamoDB table creation optional

Author: pawelpesz

README.md

@@ -96,6 +96,7 @@ See [the official document](https://www.terraform.io/docs/backends/types/s3.html
 
 | Name | Description | Type | Required |
 |------|-------------|------|:--------:|
+| <a name="input_create_dynamodb_table"></a> [create\_dynamodb\_table](#input\_create\_dynamodb\_table) | Whether or not to create the DynamoDB table for state locking (it's deprecated for Terraform 1.11+). | `bool` | no |
 | <a name="input_dynamodb_deletion_protection_enabled"></a> [dynamodb\_deletion\_protection\_enabled](#input\_dynamodb\_deletion\_protection\_enabled) | Whether or not to enable deletion protection on the DynamoDB table | `bool` | no |
 | <a name="input_dynamodb_enable_server_side_encryption"></a> [dynamodb\_enable\_server\_side\_encryption](#input\_dynamodb\_enable\_server\_side\_encryption) | Whether or not to enable encryption at rest using an AWS managed KMS customer master key (CMK) | `bool` | no |
 | <a name="input_dynamodb_table_billing_mode"></a> [dynamodb\_table\_billing\_mode](#input\_dynamodb\_table\_billing\_mode) | Controls how you are charged for read and write throughput and how you manage capacity. | `string` | no |

dynamo.tf

@@ -10,6 +10,8 @@ locals {
 }
 
 resource "aws_dynamodb_table" "lock" {
+  count = var.create_dynamodb_table ? 1 : 0
+
   name                        = var.dynamodb_table_name
   billing_mode                = var.dynamodb_table_billing_mode
   hash_key                    = local.lock_key_id

migrations.tf

@@ -1,5 +1,5 @@
 # --------------------------------------------------------------------------------------------------
-# Migrations to 0.7.0
+# Migrations
 # --------------------------------------------------------------------------------------------------
 
 moved {
@@ -22,3 +22,7 @@ moved {
   to   = aws_s3_bucket_policy.replica_force_ssl[0]
 }
 
+moved {
+  from = aws_dynamodb_table.lock
+  to   = aws_dynamodb_table.lock[0]
+}

outputs.tf

@@ -20,7 +20,7 @@ output "replica_bucket" {
 
 output "dynamodb_table" {
   description = "The DynamoDB table to manage lock states."
-  value       = aws_dynamodb_table.lock
+  value       = var.create_dynamodb_table ? aws_dynamodb_table.lock[0] : null
 }
 
 output "kms_key_replica" {

policy.tf

@@ -26,14 +26,17 @@ data "aws_iam_policy_document" "terraform" {
     resources = ["${aws_s3_bucket.state.arn}/*"]
   }
 
-  statement {
-    actions = [
-      "dynamodb:GetItem",
-      "dynamodb:PutItem",
-      "dynamodb:DeleteItem",
-      "dynamodb:DescribeTable"
-    ]
-    resources = [aws_dynamodb_table.lock[0].arn]
+  dynamic "statement" {
+    for_each = var.create_dynamodb_table ? [1] : []
+    content {
+      actions = [
+        "dynamodb:GetItem",
+        "dynamodb:PutItem",
+        "dynamodb:DeleteItem",
+        "dynamodb:DescribeTable"
+      ]
+      resources = [aws_dynamodb_table.lock[0].arn]
+    }
   }
 
   statement {

variables.tf

@@ -154,6 +154,12 @@ variable "s3_logging_target_prefix" {
 # DynamoDB Table for State Locking
 #---------------------------------------------------------------------------------------------------
 
+variable "create_dynamodb_table" {
+  description = "Whether or not to create the DynamoDB table for state locking (it's deprecated for Terraform 1.11+)."
+  type        = bool
+  default     = true
+}
+
 variable "dynamodb_table_name" {
   description = "The name of the DynamoDB table to use for state locking."
   type        = string