From 12185bffa6fdebf6eb4f991ee0fc6978e22d3ab8 Mon Sep 17 00:00:00 2001
From: Jun-te Kim <junte.kim@mealcraft.com>
Date: Tue, 10 Feb 2026 16:17:28 +0000
Subject: [PATCH] destroy condition

---
 .github/workflows/_deploy_lambda.yml               | 13 ++++++++++++-
 .github/workflows/deploy_terraform.yml             |  1 +
 .../terraform/modules/s3_iam_policy/main.tf        | 14 ++++++++------
 3 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/_deploy_lambda.yml b/.github/workflows/_deploy_lambda.yml
index 9bd686aa..1ab50e8d 100644
--- a/.github/workflows/_deploy_lambda.yml
+++ b/.github/workflows/_deploy_lambda.yml
@@ -29,6 +29,12 @@ on:
         default: 'false'
         # can only be 'true' or 'false'
 
+      terraform_destroy:
+        required: false
+        type: string
+        default: 'false'
+        # can only be 'true' or 'false'
+
     secrets:
       AWS_ACCESS_KEY_ID:
         required: true
@@ -93,6 +99,11 @@ jobs:
             -out=lambdaplan
 
       - name: Terraform Apply
-        if: inputs.terraform_apply == 'true' || github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main'
+        if: (inputs.terraform_apply == 'true' || github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main') && inputs.terraform_destroy != 'true'
         working-directory: ${{ inputs.lambda_path }}
         run: terraform apply -auto-approve lambdaplan
+
+      - name: Terraform Destroy
+        if: inputs.terraform_destroy == 'true'
+        working-directory: ${{ inputs.lambda_path }}
+        run: terraform destroy -auto-approve
diff --git a/.github/workflows/deploy_terraform.yml b/.github/workflows/deploy_terraform.yml
index 88a84257..4c504ba9 100644
--- a/.github/workflows/deploy_terraform.yml
+++ b/.github/workflows/deploy_terraform.yml
@@ -186,6 +186,7 @@ jobs:
       stage: ${{ needs.determine_stage.outputs.stage }}
       ecr_repo: condition-etl-${{ needs.determine_stage.outputs.stage }}
       image_digest: ${{ needs.condition_etl_image.outputs.image_digest }}
+      terraform_destroy: 'true'
     secrets:
       AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
diff --git a/infrastructure/terraform/modules/s3_iam_policy/main.tf b/infrastructure/terraform/modules/s3_iam_policy/main.tf
index e4e1e2f9..397bd963 100644
--- a/infrastructure/terraform/modules/s3_iam_policy/main.tf
+++ b/infrastructure/terraform/modules/s3_iam_policy/main.tf
@@ -16,12 +16,14 @@ resource "aws_iam_policy" "s3_policy" {
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
-      {
-        Effect   = "Allow"
-        Action   = var.actions
-        Resource = local.resources
-        Condition = var.conditions != null ? var.conditions : null
-      }
+      merge(
+        {
+          Effect   = "Allow"
+          Action   = var.actions
+          Resource = local.resources
+        },
+        var.conditions != null ? { Condition = var.conditions } : {}
+      )
     ]
   })