From 63326ed6d0d93ef8d5fe5f60702d0a09ce3e6c1a Mon Sep 17 00:00:00 2001
From: Rahul Nimbalkar
Date: Wed, 8 Oct 2025 17:12:48 -0400
Subject: [PATCH] feat: make kms key rotation period configurable

---
 README.md | 1 +
 main.tf | 1 +
 variables.tf | 6 ++++++
 3 files changed, 8 insertions(+)

diff --git a/README.md b/README.md
index f596586f76..08b05dfff4 100644
--- a/README.md
+++ b/README.md
@@ -486,6 +486,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | [kms\_key\_enable\_default\_policy](#input\_kms\_key\_enable\_default\_policy) | Specifies whether to enable the default key policy | `bool` | `true` | no |
 | [kms\_key\_override\_policy\_documents](#input\_kms\_key\_override\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no |
 | [kms\_key\_owners](#input\_kms\_key\_owners) | A list of IAM ARNs for those who will have full key permissions (`kms:*`) | `list(string)` | `[]` | no |
+| [kms\_key\_rotation\_period\_in\_days](#input\_kms\_key\_rotation\_period\_in\_days) | Custom period of time between each key rotation date. If you specify a value, it must be between `90` and `2560`, inclusive. If you do not specify a value, it defaults to `365` | `number` | `null` | no |
 | [kms\_key\_service\_users](#input\_kms\_key\_service\_users) | A list of IAM ARNs for [key service users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration) | `list(string)` | `[]` | no |
 | [kms\_key\_source\_policy\_documents](#input\_kms\_key\_source\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |
 | [kms\_key\_users](#input\_kms\_key\_users) | A list of IAM ARNs for [key users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-users) | `list(string)` | `[]` | no |
diff --git a/main.tf b/main.tf
index 5d260d4dae..7a6ddbd2e4 100644
--- a/main.tf
+++ b/main.tf
@@ -340,6 +340,7 @@ module "kms" {
   key_usage = "ENCRYPT_DECRYPT"
   deletion_window_in_days = var.kms_key_deletion_window_in_days
   enable_key_rotation = var.enable_kms_key_rotation
+  rotation_period_in_days = var.kms_key_rotation_period_in_days

   # Policy
   enable_default_policy = var.kms_key_enable_default_policy
diff --git a/variables.tf b/variables.tf
index 842d473499..6f3497eacf 100644
--- a/variables.tf
+++ b/variables.tf
@@ -263,6 +263,12 @@ variable "enable_kms_key_rotation" {
   default = true
 }

+variable "kms_key_rotation_period_in_days" {
+  description = "Custom period of time between each key rotation date. If you specify a value, it must be between `90` and `2560`, inclusive. If you do not specify a value, it defaults to `365`"
+  type = number
+  default = null
+}
+
 variable "kms_key_enable_default_policy" {
   description = "Specifies whether to enable the default key policy"
   type = bool
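Review bot: The new `rotation_period_in_days` line is passed through unconditionally, so a caller can set `kms_key_rotation_period_in_days` while `enable_kms_key_rotation` is `false`; whether the upstream module or the AWS provider rejects that combination at plan time or silently ignores the period is not visible here, and either way the user gets no signal that their rotation setting is inert. A cheap guard keeps the two inputs consistent: `rotation_period_in_days = var.enable_kms_key_rotation ? var.kms_key_rotation_period_in_days : null`. The `module "kms"` block starts and ends outside this hunk, so its `source`/`version` pin is not shown; `rotation_period_in_days` is a comparatively recent input, so confirm the pinned module and provider versions actually expose it rather than discovering this at `terraform init`/`plan` in a consumer's pipeline.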
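Review bot: The new `kms_key_rotation_period_in_days` variable documents the `90`–`2560` bound in its description but does not enforce it, so an out-of-range value is only caught downstream (by the provider or the KMS API), after the rest of the plan has been computed. A `validation` block fails fast at plan time with a clear message and documents the contract in code rather than prose; the conditional form below avoids depending on `||` short-circuit semantics when the value is `null`. It would also help to state in the description that the value only takes effect when `enable_kms_key_rotation` is `true`, and that periods longer than the `365`-day default relax the key-rotation posture and should be a deliberate choice.

```hcl
variable "kms_key_rotation_period_in_days" {
  # … unchanged: description, type, default …

  validation {
    condition = (
      var.kms_key_rotation_period_in_days == null
      ? true
      : var.kms_key_rotation_period_in_days >= 90 && var.kms_key_rotation_period_in_days <= 2560
    )
    error_message = "kms_key_rotation_period_in_days must be null or an integer between 90 and 2560, inclusive."
  }
}
```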