fix: honour cloudtrail_kms_enable on resource creation (#45)

iru · web-flow · commit 9bf3cba94b40 · 2021-11-23T18:03:38.000+01:00
diff --git a/modules/infrastructure/cloudtrail/kms.tf b/modules/infrastructure/cloudtrail/kms.tf
@@ -1,17 +1,19 @@
-resource "aws_kms_alias" "kms" {
-  target_key_id = aws_kms_key.cloudtrail_kms.id
-  name          = "alias/${var.name}"
-}
-
-
 resource "aws_kms_key" "cloudtrail_kms" {
+  count               = var.cloudtrail_kms_enable ? 1 : 0
   is_enabled          = true
   enable_key_rotation = true
-  policy              = data.aws_iam_policy_document.cloudtrail_kms.json
+  policy              = data.aws_iam_policy_document.cloudtrail_kms[0].json
   tags                = var.tags
 }
 
+resource "aws_kms_alias" "kms" {
+  count         = var.cloudtrail_kms_enable ? 1 : 0
+  target_key_id = aws_kms_key.cloudtrail_kms[0].id
+  name          = "alias/${var.name}"
+}
+
 data "aws_iam_policy_document" "cloudtrail_kms" {
+  count = var.cloudtrail_kms_enable ? 1 : 0
   statement {
     sid    = "Enable IAM User Permissions"
     effect = "Allow"
diff --git a/modules/infrastructure/cloudtrail/main.tf b/modules/infrastructure/cloudtrail/main.tf
@@ -8,7 +8,7 @@ resource "aws_cloudtrail" "cloudtrail" {
   s3_bucket_name        = aws_s3_bucket.cloudtrail.id
   is_multi_region_trail = var.is_multi_region_trail
 
-  kms_key_id     = var.cloudtrail_kms_enable ? aws_kms_key.cloudtrail_kms.arn : null
+  kms_key_id     = var.cloudtrail_kms_enable ? aws_kms_key.cloudtrail_kms[0].arn : null
   sns_topic_name = aws_sns_topic.cloudtrail.id
 
   enable_logging                = true
