feat: add feature flag to remove dynamodb backups

main.tf

@@ -44,6 +44,7 @@ module "aft_account_request_framework" {
   aft_vpc_public_subnet_02_cidr               = var.aft_vpc_public_subnet_02_cidr
   aft_vpc_endpoints                           = var.aft_vpc_endpoints
   aft_feature_disable_private_networking      = var.aft_feature_disable_private_networking
+  aft_feature_disable_dynamodb_backups = var.aft_feature_disable_dynamodb_backups
   request_framework_archive_path              = module.packaging.request_framework_archive_path
   request_framework_archive_hash              = module.packaging.request_framework_archive_hash
 }

modules/aft-account-request-framework/backup.tf

@@ -2,22 +2,25 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 resource "aws_backup_vault" "aft_controltower_backup_vault" {
+  count = var.aft_feature_disable_dynamodb_backups ? 1 : 0
   name        = "aft-controltower-backup-vault"
   kms_key_arn = aws_kms_key.aft.arn
 }
 resource "aws_backup_plan" "aft_controltower_backup_plan" {
+  count = var.aft_feature_disable_dynamodb_backups ? 1 : 0
   name = "aft-controltower-backup-plan"
   rule {
     rule_name         = "aft_controltower_backup_rule"
-    target_vault_name = aws_backup_vault.aft_controltower_backup_vault.name
+    target_vault_name = aws_backup_vault.aft_controltower_backup_vault[0].name
     schedule          = "cron(0 * * * ? *)"
   }
 }
 
 resource "aws_backup_selection" "aft_controltower_backup_selection" {
-  iam_role_arn = aws_iam_role.aft_aws_backup.arn
+  count = var.aft_feature_disable_dynamodb_backups ? 1 : 0
+  iam_role_arn = aws_iam_role.aft_aws_backup[0].arn
   name         = "aft-controltower-backup-selection"
-  plan_id      = aws_backup_plan.aft_controltower_backup_plan.id
+  plan_id      = aws_backup_plan.aft_controltower_backup_plan[0].id
   resources = [
     aws_dynamodb_table.aft_request_metadata.arn,
     aws_dynamodb_table.aft_request.arn,

modules/aft-account-request-framework/iam.tf

@@ -169,10 +169,12 @@ resource "aws_iam_role_policy" "aft_invoke_aft_account_provisioning_framework" {
 ######### aft_aws_backup #########
 
 resource "aws_iam_role" "aft_aws_backup" {
+  count = var.aft_feature_disable_dynamodb_backups ? 1 : 0
   name               = "aft-aws-backup"
   assume_role_policy = templatefile("${path.module}/iam/trust-policies/backup.tpl", { none = "none" })
 }
 resource "aws_iam_role_policy_attachment" "aft_aws_backup_service_role" {
-  role       = aws_iam_role.aft_aws_backup.name
+  count = var.aft_feature_disable_dynamodb_backups ? 1 : 0
+  role       = aws_iam_role.aft_aws_backup[0].name
   policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
 }

modules/aft-account-request-framework/variables.tf

@@ -45,10 +45,17 @@ variable "aft_feature_disable_private_networking" {
   type = bool
 }
 
+variable "aft_feature_disable_dynamodb_backups" {
+  type        = bool
+}
+
+
 variable "request_framework_archive_path" {
   type = string
 }
 
 variable "request_framework_archive_hash" {
   type = string
 }
+
+

variables.tf

@@ -153,6 +153,16 @@ variable "aft_feature_disable_private_networking" {
   }
 }
 
+variable "aft_feature_disable_dynamodb_backups" {
+  description = "Feature flag toggling disabling dynamodb on/off"
+  type        = bool
+  default     = false
+  validation {
+    condition     = contains([true, false], var.aft_feature_disable_dynamodb_backups)
+    error_message = "Valid values for var: aft_feature_disable_dynamodb_backups are (true, false)."
+  }
+}
+
 #########################################
 # AFT Customer VCS Variables
 #########################################