add_kms_key_id: Allow user to supply their own kms_key_id (cloudposse#75)

ac-hibbert · Andy Hibbert · actions-bot · web-flow · commit f727ef5d1f7a · 2020-08-18T10:55:35.000-07:00
* add_kms_key_id: Allow user to supply their own kms_key_id

Change-Id: I23d1288851301328afaa61686b42d8376d303415

* Updated README.md

Co-authored-by: Andy Hibbert &lt;anhibber@cisco.com&gt;
Co-authored-by: actions-bot &lt;58130806+actions-bot@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -187,6 +187,7 @@ Available targets:
 | existing\_security\_groups | List of existing Security Group IDs to place the cluster into. Set `use_existing_security_groups` to `true` to enable using `existing_security_groups` as Security Groups for the cluster | `list(string)` | `[]` | no |
 | family | Redis family | `string` | `"redis4.0"` | no |
 | instance\_type | Elastic cache instance type | `string` | `"cache.t2.micro"` | no |
+| kms\_key\_id | The ARN of the key that you wish to use if encrypting at rest. If not supplied, uses service managed encryption. `at_rest_encryption_enabled` must be set to `true` | `string` | `null` | no |
 | maintenance\_window | Maintenance window | `string` | `"wed:03:00-wed:04:00"` | no |
 | name | Name of the application | `string` | n/a | yes |
 | namespace | Namespace (e.g. `eg` or `cp`) | `string` | `""` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -39,6 +39,7 @@
 | existing\_security\_groups | List of existing Security Group IDs to place the cluster into. Set `use_existing_security_groups` to `true` to enable using `existing_security_groups` as Security Groups for the cluster | `list(string)` | `[]` | no |
 | family | Redis family | `string` | `"redis4.0"` | no |
 | instance\_type | Elastic cache instance type | `string` | `"cache.t2.micro"` | no |
+| kms\_key\_id | The ARN of the key that you wish to use if encrypting at rest. If not supplied, uses service managed encryption. `at_rest_encryption_enabled` must be set to `true` | `string` | `null` | no |
 | maintenance\_window | Maintenance window | `string` | `"wed:03:00-wed:04:00"` | no |
 | name | Name of the application | `string` | n/a | yes |
 | namespace | Namespace (e.g. `eg` or `cp`) | `string` | `""` | no |
diff --git a/main.tf b/main.tf
@@ -97,6 +97,7 @@ resource "aws_elasticache_replication_group" "default" {
   engine_version                = var.engine_version
   at_rest_encryption_enabled    = var.at_rest_encryption_enabled
   transit_encryption_enabled    = var.transit_encryption_enabled
+  kms_key_id                    = var.at_rest_encryption_enabled ? var.kms_key_id : null
   snapshot_window               = var.snapshot_window
   snapshot_retention_limit      = var.snapshot_retention_limit
   apply_immediately             = var.apply_immediately
diff --git a/variables.tf b/variables.tf
@@ -204,6 +204,12 @@ variable "auth_token" {
   default     = null
 }
 
+variable "kms_key_id" {
+  type        = string
+  description = "The ARN of the key that you wish to use if encrypting at rest. If not supplied, uses service managed encryption. `at_rest_encryption_enabled` must be set to `true`"
+  default     = null
+}
+
 variable "replication_group_id" {
   type        = string
   description = "Replication group ID with the following constraints: \nA name must contain from 1 to 20 alphanumeric characters or hyphens. \n The first character must be a letter. \n A name cannot end with a hyphen or contain two consecutive hyphens."
