fix: Ensure that custom KMS key is not created if encryption is not e…

…nabled, support computed values in cluster name (terraform-aws-modules#2328) Co-authored-by: Bryant Biggs <[email protected]> Resolves undefined Resolved undefined Closes undefined
spring-media · Jan 4, 2023 · 310d76c · 310d76c
1 parent d3db020
commit 310d76c
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 8 deletions.
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -54,6 +54,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | <a name="module_eks"></a> [eks](#module\_eks) | ../.. | n/a |
 | <a name="module_eks_managed_node_group"></a> [eks\_managed\_node\_group](#module\_eks\_managed\_node\_group) | ../../modules/eks-managed-node-group | n/a |
 | <a name="module_fargate_profile"></a> [fargate\_profile](#module\_fargate\_profile) | ../../modules/fargate-profile | n/a |
+| <a name="module_kms"></a> [kms](#module\_kms) | terraform-aws-modules/kms/aws | 1.1.0 |
 | <a name="module_self_managed_node_group"></a> [self\_managed\_node\_group](#module\_self\_managed\_node\_group) | ../../modules/self-managed-node-group | n/a |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
 
@@ -64,6 +65,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | [aws_iam_policy.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_security_group.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 
 ## Inputs
 

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -15,6 +15,7 @@ provider "kubernetes" {
 }
 
 data "aws_availability_zones" "available" {}
+data "aws_caller_identity" "current" {}
 
 locals {
   name   = "ex-${replace(basename(path.cwd), "_", "-")}"
@@ -58,13 +59,12 @@ module "eks" {
     }
   }
 
-  # Encryption key
-  create_kms_key = true
+  # External encryption key
+  create_kms_key = false
   cluster_encryption_config = {
-    resources = ["secrets"]
+    resources        = ["secrets"]
+    provider_key_arn = module.kms.key_arn
   }
-  kms_key_deletion_window_in_days = 7
-  enable_kms_key_rotation         = true
 
   iam_role_additional_policies = {
     additional = aws_iam_policy.additional.arn
@@ -460,3 +460,15 @@ resource "aws_iam_policy" "additional" {
     ]
   })
 }
+
+module "kms" {
+  source  = "terraform-aws-modules/kms/aws"
+  version = "1.1.0"
+
+  aliases               = ["eks/${local.name}"]
+  description           = "${local.name} cluster encryption key"
+  enable_default_policy = true
+  key_owners            = [data.aws_caller_identity.current.arn]
+
+  tags = local.tags
+}
diff --git a/main.tf b/main.tf
@@ -112,7 +112,7 @@ module "kms" {
   source  = "terraform-aws-modules/kms/aws"
   version = "1.1.0" # Note - be mindful of Terraform/provider version compatibility between modules
 
-  create = local.create && var.create_kms_key && !local.create_outposts_local_cluster # not valid on Outposts
+  create = local.create && var.create_kms_key && local.enable_cluster_encryption_config # not valid on Outposts
 
   description             = coalesce(var.kms_key_description, "${var.cluster_name} cluster encryption key")
   key_usage               = "ENCRYPT_DECRYPT"
@@ -129,7 +129,11 @@ module "kms" {
   override_policy_documents = var.kms_key_override_policy_documents
 
   # Aliases
-  aliases = concat(["eks/${var.cluster_name}"], var.kms_key_aliases)
+  aliases = var.kms_key_aliases
+  computed_aliases = {
+    # Computed since users can pass in computed values for cluster name such as random provider resources
+    cluster = { name = "eks/${var.cluster_name}" }
+  }
 
   tags = var.tags
 }

diff --git a/modules/eks-managed-node-group/main.tf b/modules/eks-managed-node-group/main.tf
@@ -308,7 +308,7 @@ resource "aws_launch_template" "this" {
 ################################################################################
 
 locals {
-  launch_template_id = var.create && var.create_launch_template ? aws_launch_template.this[0].id : var.launch_template_id
+  launch_template_id = var.create && var.create_launch_template ? try(aws_launch_template.this[0].id, null) : var.launch_template_id
   # Change order to allow users to set version priority before using defaults
   launch_template_version = coalesce(var.launch_template_version, try(aws_launch_template.this[0].default_version, "$Default"))
 }