add secret manager kms condition

lycbrian · lycbrian · commit 70d650666279 · 2025-04-30T14:22:35.000+07:00
diff --git a/locals.tf b/locals.tf
@@ -40,6 +40,8 @@ locals {
     | 1 | 1 | use custom kms */
   cloudwatch_log_group_kms_key_arn = var.is_create_cloudwatch_log_group ? var.cloudwatch_log_group_kms_key_arn != null ? var.cloudwatch_log_group_kms_key_arn : var.is_create_default_kms ? module.cloudwatch_log_group_kms[0].key_arn : null : null
 
+  secret_kms_key_arn = var.is_create_default_kms && var.secret_kms_key_arn == null ? module.secret_kms_key[0].key_arn : var.secret_kms_key_arn
+
   tags = merge(
     {
       "Environment" = var.environment,
diff --git a/main.tf b/main.tf
@@ -104,7 +104,7 @@ module "cloudwatch_log_group_kms" {
   name                 = format("%s-log-group", var.name)
   key_type             = "service"
   append_random_suffix = true
-  description          = format("Secure Secrets Manager's service secrets for service %s", local.name)
+  description          = format("Secure log group for service %s", local.name)
   additional_policies  = [data.aws_iam_policy_document.cloudwatch_log_group_kms_policy.json]
 
   tags = merge(local.tags, { "Name" : format("%s-log-group", local.name) })
@@ -193,6 +193,7 @@ resource "aws_lb_listener_rule" "this" {
 /*                                   Secret                                   */
 /* -------------------------------------------------------------------------- */
 module "secret_kms_key" {
+  count   = var.is_create_default_kms && var.secret_kms_key_arn == null ? 1 : 0
   source  = "oozou/kms-key/aws"
   version = "1.0.0"
 
@@ -226,7 +227,7 @@ resource "aws_secretsmanager_secret" "this" {
 
   name        = "${each.value.name}/${random_string.service_secret_random_suffix[each.key].result}"
   description = "Secret for service ${local.name}"
-  kms_key_id  = module.secret_kms_key.key_arn
+  kms_key_id  = local.secret_kms_key_arn
 
   tags = merge({ Name = "${each.value.name}/${random_string.service_secret_random_suffix[each.key].result}" }, local.tags)
 }
diff --git a/variables.tf b/variables.tf
@@ -97,6 +97,12 @@ variable "cloudwatch_log_group_kms_key_arn" {
   default     = null
 }
 
+variable "secret_kms_key_arn" {
+  description = "The ARN for the secret manager KMS encryption key."
+  type        = string
+  default     = null
+}
+
 /* -------------------------------------------------------------------------- */
 /*                                LoadBalancer                                */
 /* -------------------------------------------------------------------------- */

Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,8 @@ locals {`
`40`	`40`	`\| 1 \| 1 \| use custom kms */`
`41`	`41`	`cloudwatch_log_group_kms_key_arn = var.is_create_cloudwatch_log_group ? var.cloudwatch_log_group_kms_key_arn != null ? var.cloudwatch_log_group_kms_key_arn : var.is_create_default_kms ? module.cloudwatch_log_group_kms[0].key_arn : null : null`
`42`	`42`
	`43`	`+ secret_kms_key_arn = var.is_create_default_kms && var.secret_kms_key_arn == null ? module.secret_kms_key[0].key_arn : var.secret_kms_key_arn`
	`44`	`+`
`43`	`45`	`tags = merge(`
`44`	`46`	`{`
`45`	`47`	`"Environment" = var.environment,`