bryantbiggs
Member

Description

  • Correct encryption configuration enable logic to allow users to disable CMK encryption
  • Avoid creating Auto Mode policy when Auto Mode is not enabled

Motivation and Context

Breaking Changes

  • No

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

…to Mode policy when Auto Mode is not enabled
@bryantbiggs bryantbiggs merged commit 6b8a3d9 into terraform-aws-modules:master Jul 25, 2025
20 checks passed
@bryantbiggs bryantbiggs deleted the fix/secret-encryption-disable branch July 25, 2025 12:19
antonbabenko pushed a commit that referenced this pull request Jul 25, 2025
## [21.0.4](v21.0.3...v21.0.4) (2025-07-25)

### Bug Fixes

* Correct encryption configuration enable logic; avoid creating Auto Mode policy when Auto Mode is not enabled ([#3439](#3439)) ([6b8a3d9](6b8a3d9))
@antonbabenko
Member

This PR is included in version 21.0.4 🎉

@tluck

tluck commented Jul 27, 2025

Something is not right here with enable_encryption_config

  • if one wants to use an AWS-owned KMS key and not a customer managed key...
```hcl
locals {
  create = var.create && var.putin_khuylo

  account_id = try(data.aws_caller_identity.current[0].account_id, "")
  partition  = try(data.aws_partition.current[0].partition, "")

  role_arn = try(aws_iam_role.this[0].arn, var.iam_role_arn)

  create_outposts_local_cluster = var.outpost_config != null
  enable_encryption_config      = var.encryption_config != null && !local.create_outposts_local_cluster

  auto_mode_enabled = try(var.compute_config.enabled, false)
}
```

with this line

```hcl
enable_encryption_config = var.encryption_config != null && !local.create_outposts_local_cluster
```

enable_encryption seems to become true by default, since the default encryption_config (in variables.tf) is an empty object and not null

edit/setting default encryption_config = null vs {} in module variables.tf (like outpost_config) - then it works as expected (and like v5.)
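
The null-versus-empty-object check discussed in the comment above, as an added stand-alone Terraform example that is not part of the thread or of the module's code. The variable definitions are constructed stand-ins (the `provider_key_arn` field and the `any` type for `outpost_config` are assumptions); only the two `locals` expressions are copied from the quoted snippet.

```hcl
# Added example: a root configuration with no providers or resources,
# used only to evaluate the quoted expression under different inputs.
terraform {
  required_version = ">= 1.3" # optional() object attributes need 1.3+
}

# Constructed stand-in, not the module's variables.tf.
variable "encryption_config" {
  description = "Envelope-encryption settings; stand-in for the module input"
  type = object({
    provider_key_arn = optional(string) # assumed field, for illustration
  })
  default = {} # empty object, as the comment describes: a non-null value
}

# Constructed stand-in; defaults to null, as the comment says outpost_config does.
variable "outpost_config" {
  description = "Outposts settings; stand-in for the module input"
  type        = any
  default     = null
}

locals {
  # Both expressions are copied from the snippet quoted in the comment.
  create_outposts_local_cluster = var.outpost_config != null
  enable_encryption_config      = var.encryption_config != null && !local.create_outposts_local_cluster
}

# Surfaces the decision so it can be compared across inputs.
output "enable_encryption_config" {
  value = local.enable_encryption_config
}

# Shows which side of the null check the input landed on.
output "encryption_config_is_null" {
  value = var.encryption_config == null
}
```

A variable whose default is `{}` is non-null, so the `!= null` test holds unless the caller explicitly passes `encryption_config = null` (variables are nullable unless `nullable = false` is set). Comparing `terraform plan` with and without `-var 'encryption_config=null'` shows both outcomes.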

@bryantbiggs
Copy link
Member Author

We're not triaging unless there is a reproduction

@terraform-aws-modules terraform-aws-modules locked and limited conversation to collaborators Jul 27, 2025