From 4f119f302cfe4eab868b8cc6ec293925483ff3a8 Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Thu, 24 Jul 2025 17:01:03 -0500
Subject: [PATCH] fix: Correct encryption configuration enable logic; avoid creating Auto Mode policy when Auto Mode is not enabled

---
 README.md | 2 +-
 main.tf | 8 ++++----
 variables.tf | 6 ++----
 3 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 83365b1d0f..fec86afc14 100644
--- a/README.md
+++ b/README.md
@@ -411,7 +411,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | [enable\_irsa](#input\_enable\_irsa) | Determines whether to create an OpenID Connect Provider for EKS to enable IRSA | `bool` | `true` | no |
 | [enable\_kms\_key\_rotation](#input\_enable\_kms\_key\_rotation) | Specifies whether key rotation is enabled | `bool` | `true` | no |
 | [enabled\_log\_types](#input\_enabled\_log\_types) | A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` |
[
"audit",
"api",
"authenticator"
]
| no |
-| [encryption\_config](#input\_encryption\_config) | Configuration block with encryption configuration for the cluster |
object({
provider_key_arn = optional(string)
resources = optional(list(string))
})
|
{
"resources": [
"secrets"
]
}
| no |
+| [encryption\_config](#input\_encryption\_config) | Configuration block with encryption configuration for the cluster |
object({
provider_key_arn = optional(string)
resources = optional(list(string), ["secrets"])
})
| `{}` | no |
 | [encryption\_policy\_description](#input\_encryption\_policy\_description) | Description of the cluster encryption policy created | `string` | `"Cluster encryption policy to allow cluster role to utilize CMK provided"` | no |
 | [encryption\_policy\_name](#input\_encryption\_policy\_name) | Name to use on cluster encryption policy created | `string` | `null` | no |
 | [encryption\_policy\_path](#input\_encryption\_policy\_path) | Cluster encryption policy path | `string` | `null` | no |
diff --git a/main.tf b/main.tf
index b8811e0997..4e423488b5 100644
--- a/main.tf
+++ b/main.tf
@@ -24,7 +24,7 @@ locals {
 role_arn = try(aws_iam_role.this[0].arn, var.iam_role_arn)
 
 create_outposts_local_cluster = var.outpost_config != null
- enable_encryption_config = length(var.encryption_config) > 0 && !local.create_outposts_local_cluster
+ enable_encryption_config = var.encryption_config != null && !local.create_outposts_local_cluster
 
 auto_mode_enabled = try(var.compute_config.enabled, false)
 }
@@ -590,7 +590,7 @@ resource "aws_iam_policy" "cluster_encryption" {
 }
 
 data "aws_iam_policy_document" "custom" {
- count = local.create_iam_role && var.enable_auto_mode_custom_tags ? 1 : 0
+ count = local.create_iam_role && local.auto_mode_enabled && var.enable_auto_mode_custom_tags ? 1 : 0
 
 dynamic "statement" {
 for_each = var.enable_auto_mode_custom_tags ? [1] : []
@@ -724,7 +724,7 @@ data "aws_iam_policy_document" "custom" {
 }
 
 resource "aws_iam_policy" "custom" {
- count = local.create_iam_role && var.enable_auto_mode_custom_tags ? 1 : 0
+ count = local.create_iam_role && local.auto_mode_enabled && var.enable_auto_mode_custom_tags ? 1 : 0
 
 name = var.iam_role_use_name_prefix ? null : local.iam_role_name
 name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
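Review bot: The new `var.encryption_config != null` test in the `enable_encryption_config` local makes an explicit `null` the only way to turn cluster encryption off, and neither this line nor the variable description in the variables.tf hunk says so; a reader of the old `length(...) > 0` form would reasonably expect an empty object to disable it, when with the new `{}` default it enables it. Add a why-comment on the local, `# On unless the caller passes null; the default {} enables encryption of the configured resources (default: secrets)`, and extend the description in variables.tf to `"Configuration block with encryption configuration for the cluster; set to null to disable"`. Keeping the opt-out explicit in the docs matters because a caller that passes `null` to "clear" the block silently loses secrets encryption. The `locals` block starts above this hunk.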
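Review bot: The same three-term condition is now copied into the `count` of `data.aws_iam_policy_document.custom` here, `aws_iam_policy.custom` (the -724 hunk) and `aws_iam_role_policy_attachment.custom` (the -737 hunk), and the attachment indexes `aws_iam_policy.custom[0]`, so a future edit that updates one `count` but not the others either fails at plan time or leaves a policy created but never attached. Factor the condition into one local, `create_auto_mode_custom_policy = local.create_iam_role && local.auto_mode_enabled && var.enable_auto_mode_custom_tags`, and use `count = local.create_auto_mode_custom_policy ? 1 : 0` in all three places. Once the document itself is gated on `var.enable_auto_mode_custom_tags`, the inner `for_each = var.enable_auto_mode_custom_tags ? [1] : []` on the `dynamic "statement"` is always `[1]` whenever the document exists and can be reduced to a plain `statement` block. The data source's body continues past the hunk.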
@@ -737,7 +737,7 @@ resource "aws_iam_policy" "custom" {
 }
 
 resource "aws_iam_role_policy_attachment" "custom" {
- count = local.create_iam_role && var.enable_auto_mode_custom_tags ? 1 : 0
+ count = local.create_iam_role && local.auto_mode_enabled && var.enable_auto_mode_custom_tags ? 1 : 0
 
 policy_arn = aws_iam_policy.custom[0].arn
 role = aws_iam_role.this[0].name
diff --git a/variables.tf b/variables.tf
index fa7c0604f5..5e23df6c98 100644
--- a/variables.tf
+++ b/variables.tf
@@ -165,11 +165,9 @@ variable "encryption_config" {
 description = "Configuration block with encryption configuration for the cluster"
 type = object({
 provider_key_arn = optional(string)
- resources = optional(list(string))
+ resources = optional(list(string), ["secrets"])
 })
- default = {
- resources = ["secrets"]
- }
+ default = {}
 }
 
 variable "attach_encryption_policy" {