Merge pull request #56 from worldcoin/mtls-variable

tcharewicz · web-flow · commit 6303fa265a15 · 2025-11-25T13:18:53.000+01:00
fix(mTLS): add variable mtls_enabled to module eks
diff --git a/kubernetes-traefik-external.tf b/kubernetes-traefik-external.tf
@@ -118,6 +118,8 @@ module "alb" {
   drop_invalid_header_fields = var.drop_invalid_header_fields
   acm_extra_arns             = var.acm_extra_arns
 
-  mtls_enabled   = !var.open_to_all
+  # if open_to_all is true, mtls_enabled must be false
+  # if open_to_all is false, mtls_enabled can be true or false based on var.mtls_enabled
+  mtls_enabled   = var.open_to_all ? false : var.mtls_enabled
   mtls_s3_bucket = format("wld-mtls-ca-%s", var.region)
 }
diff --git a/variables.tf b/variables.tf
@@ -723,3 +723,9 @@ variable "on_demand_percentage_above_base_capacity" {
   type        = number
   default     = 50
 }
+
+variable "mtls_enabled" {
+  description = "Enable mutual TLS (mTLS) on the ALB TLS listener"
+  type        = bool
+  default     = true
+}

Original file line number	Diff line number	Diff line change
`@@ -118,6 +118,8 @@ module "alb" {`
`118`	`118`	`drop_invalid_header_fields = var.drop_invalid_header_fields`
`119`	`119`	`acm_extra_arns = var.acm_extra_arns`
`120`	`120`
`121`		`- mtls_enabled = !var.open_to_all`
	`121`	`+ # if open_to_all is true, mtls_enabled must be false`
	`122`	`+ # if open_to_all is false, mtls_enabled can be true or false based on var.mtls_enabled`
	`123`	`+ mtls_enabled = var.open_to_all ? false : var.mtls_enabled`
`122`	`124`	`mtls_s3_bucket = format("wld-mtls-ca-%s", var.region)`
`123`	`125`	`}`