v21: encryption cannot be turned off with encryption config.

[TheFLHurricane]

Description

encryption_config variable cannot be set to {} to disable encryption. Although {} is the default, the type setting for resources provides a default of ["strings"] which will always override the empty {} even if explicitly set. You can change this by declaring resources = [], however, because the local.enable_encryption_config relies on length(var.encryption_config) > 0, it still considers encryption to be turned on and creates all associated KMS resources.

Versions

• Module version [Required]: v21.0

• Terraform version: v1.12.2

• Provider version(s): v6.4.0

Reproduction Code [Required]

module "eks" {
create = var.create_eks_cluster

source = "terraform-aws-modules/eks/aws"

kubernetes_version = var.eks_cluster_version
name = "${var.cluster}-${var.release_name}-cluster"
vpc_id = var.vpc_id
subnet_ids = flatten(var.subnets)

enable_irsa = true

endpoint_private_access = true
endpoint_public_access = false

create_security_group = false
create_primary_security_group_tags = false
security_group_id = data.aws_security_group.eks_cluster_sg.id
create_node_security_group = false
node_security_group_id = data.aws_security_group.eks_all_workers_sg.id

prefix_separator = ""
iam_role_name = "${var.cluster}-${var.release_name}-cluster"
iam_role_additional_policies = {
AmazonEKSServicePolicy = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
}

addons = {
kube-proxy = {
resolve_conflicts_on_create = "OVERWRITE"
}
eks-node-monitoring-agent = {}
}

encryption_config = {}

timeouts = {
create = "30m"
delete = "15m"
update = "60m"
}

enable_cluster_creator_admin_permissions = true

}

Steps to reproduce the behavior:

Set encryption_config to {}

Expected behavior

Not create any resources related to encryption

Actual behavior

All encryption resources are created and encryption added for secrets.

Additional context

Solution is to remove ["secrets"] as default for resources under type and put resources = ["secrets"] into the default for the variable. This will maintain the existing default functionality while allowing users to still optionally flag off the encryption as before.

[TheFLHurricane]

Provided a fix if accepted - #3436

[antonbabenko]

This issue has been resolved in version 21.0.2 🎉

[gws]

@TheFLHurricane Does this actually fix the issue for you? I'm still getting the following in 21.0.3 when passing encryption_config = {} and create_kms_key = false:

│ Error: Missing required argument
│
│   with module.kubernetes.module.eks.aws_eks_cluster.this[0],
│   on .terraform/modules/kubernetes.eks/main.tf line 36, in resource "aws_eks_cluster" "this":
│   36: resource "aws_eks_cluster" "this" {
│
│ The argument "encryption_config.0.resources" is required, but no definition was found.
╵
╷
│ Error: Missing required argument
│
│   with module.kubernetes.module.eks.aws_eks_cluster.this[0],
│   on .terraform/modules/kubernetes.eks/main.tf line 36, in resource "aws_eks_cluster" "this":
│   36: resource "aws_eks_cluster" "this" {
│
│ The argument "encryption_config.0.provider.0.key_arn" is required, but no definition was found.

Do you think an additional fix is needed, maybe in the code that sets the enable_encryption_config local to do something more robust than a length check on encryption_config?

[gws]

@TheFLHurricane My bad, I now see you have #3438 open as well.

[bryantbiggs]

is the goal here to disable encryption of secrets?

[gws]

As far as this module is concerned, yes, that's my goal at least. I don't have anything against encrypting secrets but for those that don't have a requirement to manage a CMK, since March 2025 on modern cluster versions I don't believe we have to manage a separate CMK for cluster data to be encrypted.

[bryantbiggs]

with #3439 you can set encryption_config = null and it disables the CMK encryption and EKS automatically encrypts the secrets with its own key

[gws]

Tested and the encryption_config = null change works for me, thanks!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.