Skip to content

feat: Allow conditional to enable default envelope encryption #3342

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

feat: Allow conditional to enable default envelope encryption #3342

wants to merge 1 commit into from

Conversation

@dale-park
Copy link

@dale-park dale-park commented Apr 16, 2025
edited
Loading

Description

Previously, an error would occur if var.cluster_encryption_config was null.
This PR updates the logic to treat a null value the same as an empty object {}.

Motivation and Context

It was impossible to conditionally enable EKS default envelope encryption using a Terraform conditional.

Previously, var.cluster_encryption_config had to be set to {} to enable EKS default envelope encryption. However, the following code fails due to the incompatible object types.

cluster_encryption_config = var.enable_default_envelope_encryption ?  {} : {
    provider_key_arn =  var.cmk_arn
    resources        = ["secrets"]
  }

To avoid this error, cluster_encryption_config should accept both null and {} as valid values.

This PR enables support for the following configuration:

cluster_encryption_config = var.enable_default_envelope_encryption ?  null : {
    provider_key_arn =  var.cmk_arn
    resources        = ["secrets"]
  }

This PR resolves #3036

Breaking Changes

None

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

@bryantbiggs
Copy link
Member

null and {} mean two different things - null in Terraform usually means "use the default value". here, a default value has been provided and if you wish to remove it, you need to set its empty value which is {}

@dale-park
Copy link
Author

@bryantbiggs

Thank you for your review and the clear explanation.

I understand your concern and the principle you outlined.

However, the Terraform code maintained by our team depends on this module, and it needs to set EKS default envelope encryption conditionally. This approach allows newly created clusters to use default envelope encryption while keeping existing clusters unchanged.

I’m wondering if you have any suggestions for addressing this issue while still aligning with the principle you applied during your review.

@bryantbiggs
Copy link
Member

and it needs to set EKS default envelope encryption conditionally

You can do that today without any code changes required in this module

@dale-park
Copy link
Author

dale-park commented Apr 29, 2025
edited
Loading

@bryantbiggs

Thank you for your response.

As we know, setting cluster_encryption_config to {} enables EKS's default envelope encryption.

The following code attempts to conditionally enable or disable it. I might have no choice but to use a Terraform conditional because the code I maintain calls a module that , in turn, calls this module , and I need to ensure that existing clusters remain unchanged.

cluster_encryption_config = var.enable_default_envelope_encryption ? {} : {
provider_key_arn = data.aws_kms_key.eks[0].key_id
resources = ["secrets"]
}

However, this approach fails with an error because {} and { provider_key_arn = data.aws_kms_key.eks[0].key_id , resources = ["secrets"] } have different Terraform object types , violating the constraints of the Terraform conditionals.

Error:

 Error: Inconsistent conditional result types
│ 
│   on .terraform/modules/eks/main.tf line 36, in module "eks":
│   36:   cluster_encryption_config = var.enable_default_envelope_encryption ?  {} : {
│   37:     provider_key_arn = data.aws_kms_key.eks[0].key_id
│   38:     resources        = ["secrets"]
│   39:   }
│     ├────────────────
│     │ data.aws_kms_key.eks[0].key_id is "alias/pink/eks-envelope-encryption"
│     │ var.enable_default_envelope_encryption is false
│ 
│ The true and false result expressions must have consistent types. The 'false' value includes object attribute
│ "provider_key_arn", which is absent in the 'true' value.

Do you have any suggestions for avoiding this problem without modifying the module's code ?

@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 29, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Module argument cluster_encryption_config does not handle a null value

2 participants

@dale-park @bryantbiggs