Question posted in 
I Am trying to create S3 bucket module, currently i am stuck with one scenario. For example user don’t bucket to be encrypted then kms key shouldn’t be created. It is working till here, how ever there is a variable kms_policy. Now even if i set encrypt_s3_bucket false during validation it is asking me to pass variable.
resource "aws_kms_key" "mykey" {
count = var.encrypt_s3_bucket ? 1:0
description = "This key is used to encrypt bucket objects"
deletion_window_in_days = 10
enable_key_rotation = false
multi_region = false
policy = var.encrypt_s3_bucket ? var.kms_policy : null
}
variables.tf
variable "kms_policy" {
type = string
}
2
Answers
Its not possible to skip variable creation. Instead make a default value, and this way it will not ask you for the variable all the time.
It seems that you have an implied dependency between two of your input variables: if
encrypt_s3_bucketis true thenkms_policymust be set, but ifencrypt_s3_bucketis false then it need not be set.In a situation like that, I would suggest combining both of these into a single variable so that it’s clearer that they are strongly connected. For example:
This declares a single variable called
s3_bucket_encryptionwhose type constraint is for an object type with akms_policyattribute. The user of this module can then choose either to leave that variable unset (null), or to set it to an object with a policy specified:Notice that there’s now no way to enable S3 bucket encryption without providing a policy, and also no way to provide a policy without enabling encryption.
Then to use this within your module: