remove 'use_default_backup_encryption_key' from sec-enf, update validation

Author: whoffler

ibm_catalog.json

@@ -631,9 +631,6 @@
             {
               "key": "existing_backup_kms_key_crn"
             },
-            {
-              "key": "use_default_backup_encryption_key"
-            },
             {
               "key": "elasticsearch_key_ring_name"
             },

solutions/fully-configurable/variables.tf

@@ -233,8 +233,15 @@ variable "kms_encryption_enabled" {
   default     = false
 
   validation {
-    condition     = var.kms_encryption_enabled ? var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null : true
-    error_message = "When variable `kms_encryption_enabled` is true and KMS encryption is enabled, you must provide either an existing KMS instance with variable `existing_kms_instance_crn` or an existing KMS key using variable `existing_kms_key_crn` or `existing_backup_kms_key_crn`"
+    condition = (
+      var.existing_elasticsearch_instance_crn != null ||
+      (var.kms_encryption_enabled && (
+        var.existing_kms_instance_crn != null ||
+        var.existing_kms_key_crn != null ||
+        var.existing_backup_kms_key_crn != null
+      ))
+    )
+    error_message = "When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'kms_encryption_enabled' input must be set to true."
   }
 }
 

solutions/security-enforced/main.tf

@@ -31,7 +31,7 @@ module "elasticsearch" {
   existing_kms_instance_crn         = var.existing_kms_instance_crn
   existing_kms_key_crn              = var.existing_kms_key_crn
   existing_backup_kms_key_crn       = var.existing_backup_kms_key_crn
-  use_default_backup_encryption_key = var.use_default_backup_encryption_key
+  use_default_backup_encryption_key = false
   kms_endpoint_type                 = "private"
   skip_es_kms_auth_policy           = var.skip_es_kms_auth_policy
   elasticsearch_key_ring_name       = var.elasticsearch_key_ring_name

solutions/security-enforced/variables.tf

@@ -250,12 +250,6 @@ variable "existing_backup_kms_key_crn" {
   }
 }
 
-variable "use_default_backup_encryption_key" {
-  type        = bool
-  description = "When `use_ibm_owned_encryption_key` is set to false, backups will be encrypted with either the key specified in `existing_kms_key_crn`, in `existing_backup_kms_key_crn`, or with a new key that will be created in the instance specified in the `existing_kms_instance_crn` input. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. Alternatively set `use_ibm_owned_encryption_key` to true to use the default encryption for both backups and deployment data."
-  default     = false
-}
-
 variable "skip_es_kms_auth_policy" {
   type        = bool
   description = "Set to true to skip the creation of IAM authorization policies that permits all Databases for Elasticsearch instances in the given resource group 'Reader' access to the Key Protect or Hyper Protect Crypto Services key. This policy is required in order to enable KMS encryption, so only skip creation if there is one already present in your account. No policy is created if `use_ibm_owned_encryption_key` is true."