fix: Add create_kms_key variable.

jamesiarmes · jamesiarmes · commit 2e1c9a33fe0a · 2026-01-27T19:22:20.000-05:00
diff --git a/README.md b/README.md
@@ -60,16 +60,17 @@ tofu init -upgrade
 
 ## Inputs
 
-| Name                | Description                                                                                                                                     | Type          | Default | Required |
-| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ------- | -------- |
-| project             | Name of the project.                                                                                                                            | `string`      | n/a     | yes      |
-| add_suffix          | Apply a random suffix to the secret name. Useful when secrets may need to be replaced, but makes identify secrets by name alone more difficult. | `bool`        | `true`  | no       |
-| environment         | Environment for the project.                                                                                                                    | `string`      | `"dev"` | no       |
-| key_recovery_period | Number of days to recover the KMS key after deletion.                                                                                           | `number`      | `30`    | no       |
-| kms_key_arn         | Optional KMS key ARN to use for encryption. If not provided, a new KMS key will be created.                                                     | `string`      | `null`  | no       |
-| [secrets]           | Secrets to be created.                                                                                                                          | `map(object)` | `{}`    | no       |
-| service             | Optional service that these resources are supporting. Example: `"api"`, `"web"`, `"worker"`                                                     | `string`      | n/a     | no       |
-| tags                | Optional tags to be applied to all resources.                                                                                                   | `list`        | `[]`    | no       |
+| Name                | Description                                                                                                                                     | Type          | Default | Required    |
+| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ------- | ----------- |
+| project             | Name of the project.                                                                                                                            | `string`      | n/a     | yes         |
+| kms_key_arn         | ARN for an existing KMS key to use for encryption. Required if `create_kms_key` is set to `false`; ignored otherwise.                           | `string`      | `null`  | conditional |
+| add_suffix          | Apply a random suffix to the secret name. Useful when secrets may need to be replaced, but makes identify secrets by name alone more difficult. | `bool`        | `true`  | no          |
+| create_kms_key      | Whether to create a new KMS key for encrypting secrets. If set to `false`, `kms_key_arn` must be provided.                                      | `bool`        | `true`  | no          |
+| environment         | Environment for the project.                                                                                                                    | `string`      | `"dev"` | no          |
+| key_recovery_period | Recovery period for deleted KMS keys in days. Must be between 7 and 30. Only used if `create_kms_key` is set to `true`.                         | `number`      | `30`    | no          |
+| [secrets]           | Secrets to be created.                                                                                                                          | `map(object)` | `{}`    | no          |
+| service             | Optional service that these resources are supporting. Example: `"api"`, `"web"`, `"worker"`                                                     | `string`      | n/a     | no          |
+| tags                | Optional tags to be applied to all resources.                                                                                                   | `list`        | `[]`    | no          |
 
 ### secrets
 
diff --git a/data.tf b/data.tf
@@ -5,7 +5,7 @@ data "aws_partition" "current" {}
 data "aws_region" "current" {}
 
 data "aws_kms_key" "secrets" {
-  for_each = var.kms_key_arn != null ? toset(["this"]) : toset([])
+  for_each = var.create_kms_key ? toset([]) : toset(["this"])
 
   key_id = var.kms_key_arn
 }
diff --git a/outputs.tf b/outputs.tf
@@ -3,7 +3,7 @@ output "kms_key_alias" {
     Alias for the created KMS key. If `kms_key_arn`is provided, this will be
     `null`.
     EOT
-  value       = var.kms_key_arn == null ? aws_kms_alias.secrets["this"].name : null
+  value       = var.create_kms_key ? aws_kms_alias.secrets["this"].name : null
 }
 
 output "kms_key_arn" {
diff --git a/variables.tf b/variables.tf
@@ -4,6 +4,15 @@ variable "add_suffix" {
   default     = true
 }
 
+variable "create_kms_key" {
+  type        = bool
+  description = <<-EOT
+    Whether to create a new KMS key for encrypting secrets. If set to `false`,
+    `kms_key_arn` must be provided.
+    EOT
+  default     = true
+}
+
 variable "environment" {
   type        = string
   description = "Environment for the deployment."
@@ -13,7 +22,10 @@ variable "environment" {
 variable "key_recovery_period" {
   type        = number
   default     = 30
-  description = "Recovery period for deleted KMS keys in days. Must be between 7 and 30."
+  description = <<-EOT
+    Recovery period for deleted KMS keys in days. Must be between 7 and 30. Only
+    used if `create_kms_key` is set to `true`.
+    EOT
 
   validation {
     condition     = var.key_recovery_period > 6 && var.key_recovery_period < 31
@@ -24,8 +36,8 @@ variable "key_recovery_period" {
 variable "kms_key_arn" {
   type        = string
   description = <<-EOT
-    Optional KMS key ARN to use for encryption. If not provided, a new KMS key
-    will be created.
+    ARN for an existing KMS key to use for encryption. Required if
+    `create_kms_key` is set to `false`; ignored otherwise.
     EOT
   default     = null
 }

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ data "aws_partition" "current" {}`
`5`	`5`	`data "aws_region" "current" {}`
`6`	`6`
`7`	`7`	`data "aws_kms_key" "secrets" {`
`8`		`- for_each = var.kms_key_arn != null ? toset(["this"]) : toset([])`
	`8`	`+ for_each = var.create_kms_key ? toset([]) : toset(["this"])`
`9`	`9`
`10`	`10`	`key_id = var.kms_key_arn`
`11`	`11`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ output "kms_key_alias" {`
`3`	`3`	Alias for the created KMS key. If `kms_key_arn`is provided, this will be
`4`	`4`	`null`.
`5`	`5`	`EOT`
`6`		`- value = var.kms_key_arn == null ? aws_kms_alias.secrets["this"].name : null`
	`6`	`+ value = var.create_kms_key ? aws_kms_alias.secrets["this"].name : null`
`7`	`7`	`}`
`8`	`8`
`9`	`9`	`output "kms_key_arn" {`