From 0a3c754b3d836036e397f7d66a9454eeea8da92e Mon Sep 17 00:00:00 2001
From: Samuel CHNIBER
Date: Thu, 5 Jun 2025 21:17:53 +0200
Subject: [PATCH 1/2] fix: condition on the creation of the kms key
---
 main.tf | 1 +
 modules/terminate-agent-hook/iam.tf | 8 ++++----
 modules/terminate-agent-hook/variables.tf | 6 ++++++
 3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/main.tf b/main.tf
index 5b46fa501..c364227b8 100644
--- a/main.tf
+++ b/main.tf
@@ -388,6 +388,7 @@ module "terminate_agent_hook" {
 name_iam_objects = local.name_iam_objects
 name_docker_machine_runners = local.runner_tags_merged["Name"]
 role_permissions_boundary = var.iam_permissions_boundary == "" ? null : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.iam_permissions_boundary}"
+ enable_managed_kms_key = var.enable_managed_kms_key
 kms_key_id = local.kms_key_arn
 asg_hook_terminating_heartbeat_timeout = local.runner_worker_graceful_terminate_heartbeat_timeout
 environment_variables = var.runner_terminate_ec2_environment_variables
diff --git a/modules/terminate-agent-hook/iam.tf b/modules/terminate-agent-hook/iam.tf
index 16daede6b..d76db1ecb 100644
--- a/modules/terminate-agent-hook/iam.tf
+++ b/modules/terminate-agent-hook/iam.tf
@@ -33,14 +33,14 @@ resource "aws_iam_role" "lambda" {
 }
 resource "aws_iam_role_policy_attachment" "lambda_kms" {
- count = var.kms_key_id != "" ? 1 : 0
+ count = !var.enable_managed_kms_key ? 1 : 0
 role = aws_iam_role.lambda.name
 policy_arn = aws_iam_policy.lambda_kms[0].arn
 }
 resource "aws_iam_policy" "lambda_kms" {
- count = var.kms_key_id != "" ? 1 : 0
+ count = !var.enable_managed_kms_key ? 1 : 0
 name = "${var.name_iam_objects}-${var.name}-lambda-kms"
 path = "/"
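Review bot: The new `count` on `aws_iam_role_policy_attachment.lambda_kms` and `aws_iam_policy.lambda_kms` no longer checks that a key id was supplied, so with `enable_managed_kms_key` at its default `false` and `kms_key_id` left empty (the variable is described as optional) the policy is still created, and the `kms_key` policy document at the next hunk (@@ -50) presumably ends up with an empty resource ARN and fails at apply. If the goal was only to stop `count` from depending on a key ARN that is unknown until apply, keeping the id check on the non-managed path achieves that: `count = !var.enable_managed_kms_key && var.kms_key_id != "" ? 1 : 0` on all three resources, including `data "aws_iam_policy_document" "kms_key"` in the @@ -50 hunk. Note also that with `enable_managed_kms_key = true` the Lambda role is attached no KMS policy at all, so access to the managed key must then come from the key policy itself; if that is the design, a comment such as `# managed-key path: access is granted via the key policy, not an identity policy` next to the count would save the next reader from re-deriving it.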
@@ -50,7 +50,7 @@ resource "aws_iam_policy" "lambda_kms" {
 }
 data "aws_iam_policy_document" "kms_key" {
- count = var.kms_key_id != "" ? 1 : 0
+ count = !var.enable_managed_kms_key ? 1 : 0
 # checkov:skip=CKV_AWS_111:Write access is limited to the resources needed
 statement {
@@ -189,5 +189,5 @@ resource "aws_iam_role_policy_attachment" "spot_request_housekeeping" {
 resource "aws_iam_role_policy_attachment" "aws_lambda_vpc_access_execution_role" {
 role = aws_iam_role.lambda.name
- policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
 }
diff --git a/modules/terminate-agent-hook/variables.tf b/modules/terminate-agent-hook/variables.tf
index ef6c10f07..98e86598b 100644
--- a/modules/terminate-agent-hook/variables.tf
+++ b/modules/terminate-agent-hook/variables.tf
@@ -56,6 +56,12 @@ variable "name_docker_machine_runners" {
 type = string
 }
+variable "enable_managed_kms_key" {
+ description = "Let the module manage a KMS key. Be-aware of the costs of an custom key. Do not specify a `kms_key_id` when `enable_kms` is set to `true`."
+ type = bool
+ default = false
+}
+
 variable "kms_key_id" {
 description = "(optional) KMS key id to encrypt the resources, e.g. logs, lambda environment variables, ..."
 type = string
From 1c2d7daf4ef6893f390db276763dd6c6fb867ef8 Mon Sep 17 00:00:00 2001
From: Samuel CHNIBER
Date: Fri, 6 Jun 2025 02:23:26 +0200
Subject: [PATCH 2/2] fix: condition on the creation of the kms key
---
 modules/terminate-agent-hook/iam.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/terminate-agent-hook/iam.tf b/modules/terminate-agent-hook/iam.tf
index d76db1ecb..7cc114d83 100644
--- a/modules/terminate-agent-hook/iam.tf
+++ b/modules/terminate-agent-hook/iam.tf
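Review bot: Hardcoding `arn:aws:` in the `policy_arn` of `aws_iam_role_policy_attachment.aws_lambda_vpc_access_execution_role` (the @@ -189 hunk) discards the partition awareness that `data.aws_partition.current.partition` exists for, so this intermediate commit would not apply in the non-commercial partitions. PATCH 2/2 restores the interpolation, which means the two commits should be squashed before merge so that no revision in history carries the hardcoded partition, and the change is in any case unrelated to the KMS condition named in the subject line.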
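Review bot: The description of the new `enable_managed_kms_key` variable refers to `enable_kms`, a name that does not exist in this module, and says the module manages a key, whereas in this submodule the flag only controls the `count` of the Lambda KMS policy, its attachment and the `kms_key` policy document in iam.tf. Suggest `description = "Set to true when the KMS key is managed by the root module; the Lambda KMS policy in iam.tf is then not created. Do not combine with a custom kms_key_id."`, which also fixes "Be-aware" and "an custom". If the wording was copied from the root module's variable of the same name, the change is needed only on this copy.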
@@ -189,5 +189,6 @@ resource "aws_iam_role_policy_attachment" "spot_request_housekeeping" {
 resource "aws_iam_role_policy_attachment" "aws_lambda_vpc_access_execution_role" {
 role = aws_iam_role.lambda.name
- policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+ policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+
 }
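Review bot: The added empty `+` line leaves a stray blank line between `policy_arn` and the closing `}` of `aws_iam_role_policy_attachment.aws_lambda_vpc_access_execution_role`; once the partition interpolation is restored, that blank line is the only net change this block carries across the two-patch series, so it should be dropped rather than committed. The hunk counts (`-189,5 +189,6`) confirm the extra line is what turns a plain revert into a change.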