fix: Step function enrichment

README.md

@@ -341,6 +341,7 @@ module "eventbridge" {
   create_archives         = false  # to control creation of EventBridge Archives
   create_permissions      = false  # to control creation of EventBridge Permissions
   create_role             = false  # to control creation of the IAM role and policies required for EventBridge
+  create_pipe_role_only   = false  # to control creation of the IAM role and policies required for EventBridge Pipes only
   create_connections      = false  # to control creation of EventBridge Connection resources
   create_api_destinations = false  # to control creation of EventBridge Destination resources
   create_schedule_groups  = false  # to control creation of EventBridge Schedule Group resources
@@ -496,6 +497,7 @@ No modules.
 | <a name="input_create_bus"></a> [create\_bus](#input\_create\_bus) | Controls whether EventBridge Bus resource should be created | `bool` | `true` | no |
 | <a name="input_create_connections"></a> [create\_connections](#input\_create\_connections) | Controls whether EventBridge Connection resources should be created | `bool` | `false` | no |
 | <a name="input_create_permissions"></a> [create\_permissions](#input\_create\_permissions) | Controls whether EventBridge Permission resources should be created | `bool` | `true` | no |
+| <a name="input_create_pipe_role_only"></a> [create\_pipe\_role\_only](#input\_create\_pipe\_role\_only) | Controls whether an IAM role should be created for the pipes only | `bool` | `false` | no |
 | <a name="input_create_pipes"></a> [create\_pipes](#input\_create\_pipes) | Controls whether EventBridge Pipes resources should be created | `bool` | `true` | no |
 | <a name="input_create_role"></a> [create\_role](#input\_create\_role) | Controls whether IAM roles should be created | `bool` | `true` | no |
 | <a name="input_create_rules"></a> [create\_rules](#input\_create\_rules) | Controls whether EventBridge Rule resources should be created | `bool` | `true` | no |

examples/with-pipes/README.md

@@ -59,6 +59,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | [aws_iam_role_policy_attachment.pipe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_kinesis_firehose_delivery_stream.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
 | [aws_kinesis_stream.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream) | resource |
+| [aws_kinesis_stream.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream) | resource |
 | [aws_sqs_queue.dlq](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [aws_sqs_queue.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [aws_sqs_queue.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |

iam.tf

@@ -1,7 +1,7 @@
 locals {
   create_role           = var.create && var.create_role
   create_pipes          = var.create && var.create_pipes
-  create_role_for_pipes = local.create_pipes && var.create_role
+  create_role_for_pipes = local.create_pipes && var.create_role ? true : var.create_pipe_role_only
 
   # Defaulting to "*" (an invalid character for an IAM Role name) will cause an error when
   # attempting to plan if the role_name and bus_name are not set. This is a workaround

iam_pipes.tf

@@ -33,7 +33,7 @@ locals {
           matching_services = ["lambda"]
         },
         step_functions = {
-          values            = [v.target, try(aws_cloudwatch_event_api_destination.this[v.enrichment].arn, null)],
+          values            = [v.target, try(v.enrichment, null)],
           matching_services = ["states"]
         },
         api_gateway = {

main.tf

@@ -694,7 +694,7 @@ resource "aws_pipes_pipe" "this" {
 
             content {
               client_certificate_tls_auth = credentials.value.client_certificate_tls_auth
-              sasl_scram_512_auth = credentials.value.sasl_scram_512_auth
+              sasl_scram_512_auth         = credentials.value.sasl_scram_512_auth
             }
           }
         }

variables.tf

@@ -10,6 +10,12 @@ variable "create_role" {
   default     = true
 }
 
+variable "create_pipe_role_only" {
+  description = "Controls whether an IAM role should be created for the pipes only"
+  type        = bool
+  default     = false
+}
+
 variable "append_rule_postfix" {
   description = "Controls whether to append '-rule' to the name of the rule"
   type        = bool