feat: add kms key arn input for customer-managed keys

[RoseSecurity]

why

• This PR introduces a new kms_key_arn variable, allowing consumers to supply their own customer-managed KMS key

what

1. Default behavior

   • Deploy without setting kms_key_arn
   • Module-created CMK is used for both RDS and SSM

2. Override behavior

   • Deploy with kms_key_arn = "arn:aws:kms:…:key/EXAMPLE"
   • Verify that both the RDS cluster and SSM parameter use the supplied ARN

references

• Resolves this discussion

Summary by CodeRabbit

• New Features
  • Added support for specifying a custom KMS encryption key ARN through a new configuration variable.
  • Improved flexibility by allowing fallback to a user-provided KMS key ARN if the default is not available.

[coderabbitai]

Walkthrough

A new variable, kms_key_arn, has been introduced in the Terraform variables file, allowing users to optionally specify a KMS encryption key ARN. In the main Terraform configuration, the assignment of the local variable kms_key_arn has been updated to use the coalesce function, which selects module.aurora_postgres.outputs.kms_key_arn if present, or falls back to the newly added var.kms_key_arn if not. No other logic or exported entities were changed.

Changes

File(s)	Change Summary
src/variables.tf	Added a new variable kms_key_arn of type string, with a description and default value of null.
src/main.tf	Updated local kms_key_arn assignment to use coalesce, falling back to var.kms_key_arn.

Poem

A hop and a skip, a key in the air,
Now KMS secrets can come from elsewhere!
With coalesce magic, the logic is neat—
If one key is missing, the fallback’s a treat.
Terraform rabbits, with paws oh so fleet,
Secure all your data, encryption complete!
🐇🔑✨

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Require terratest

Wonderful, this rule succeeded.

This rule require terratest status

• check-success = test/terratest

[RoseSecurity]

/terratest

[Gowiem]

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

src/variables.tf (1)

50-54: Add validation for KMS Key ARN format
To ensure users provide a valid KMS key ARN (or leave it null to let the module generate one), consider adding a validation block that checks the ARN pattern. This will catch typos early and surface a clear error message.

variable "kms_key_arn" {
  type        = string
  description = "The ARN for the KMS encryption key."
  default     = null

  validation {
    condition     = var.kms_key_arn == null || can(regex("^arn:aws:kms:[^:]+:[0-9]{12}:key/[A-Za-z0-9\\-_/]+$", var.kms_key_arn))
    error_message = "The value for kms_key_arn must be a valid AWS KMS Key ARN or null."
  }
}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8cfe4d8 and b905c97.

📒 Files selected for processing (2)

• src/main.tf (1 hunks)
• src/variables.tf (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (7)

• GitHub Check: component / terraform / Lint (./src/modules/postgresql-user)
• GitHub Check: component / terraform / Lint (./src)
• GitHub Check: component / terraform / Format HCL
• GitHub Check: component / terraform / bats
• GitHub Check: Mergify Merge Protections
• GitHub Check: Mergify Merge Protections
• GitHub Check: Summary

🔇 Additional comments (1)

src/main.tf (1)

11-11:

❓ Verification inconclusive

Verify precedence of coalesce arguments
Currently,

kms_key_arn = coalesce(module.aurora_postgres.outputs.kms_key_arn, var.kms_key_arn)

will always select the module output if it’s non-null, which may mask a user-supplied var.kms_key_arn. Please confirm whether module.aurora_postgres.outputs.kms_key_arn is set to null when a custom key ARN is provided. If not, swap the arguments to give explicit override precedence:

kms_key_arn = coalesce(var.kms_key_arn, module.aurora_postgres.outputs.kms_key_arn)

---

🏁 Script executed:

#!/bin/bash
# Locate the kms_key_arn output in the Aurora Postgres module to confirm its behavior
rg -R --include "*.tf" 'output "kms_key_arn"' -n .

Length of output: 457

---

I’ll re-run the search without the invalid -R flag to locate any kms_key_arn definitions in the repo:

If these still return nothing (e.g. because the module is remote), please manually verify whether module.aurora_postgres.outputs.kms_key_arn ever returns null when var.kms_key_arn is set to ensure the correct coalesce argument order.

---

🏁 Script executed:

#!/bin/bash
# Look for output and variable definitions for kms_key_arn across all .tf files
rg --with-filename --line-number --context=3 --include '*.tf' 'output "kms_key_arn"'
rg --with-filename --line-number --context=3 --include '*.tf' 'variable "kms_key_arn"'

Length of output: 1059

---

I’ll switch to a grep-based search to find any local definitions or references:

---

🏁 Script executed:

#!/bin/bash
# Search for kms_key_arn outputs, variables, and the aurora_postgres module declaration
grep -RIn --include='*.tf' 'output "kms_key_arn"' .
grep -RIn --include='*.tf' 'variable "kms_key_arn"' .
grep -RIn --include='*.tf' 'module "aurora_postgres"' .

Length of output: 265

---

Confirm coalesce argument precedence

It looks like module.aurora_postgres.outputs.kms_key_arn comes from a remote module (no local output "kms_key_arn" found), so we can’t verify from source whether it returns null when you supply var.kms_key_arn. Please double-check that behavior and, if the module always emits a non-null ARN, swap the arguments so a user-provided key wins:

• File: src/main.tf
Line: 11

- kms_key_arn = coalesce(module.aurora_postgres.outputs.kms_key_arn, var.kms_key_arn)
+ kms_key_arn = coalesce(var.kms_key_arn, module.aurora_postgres.outputs.kms_key_arn)

Until you’ve confirmed the module output can be null, leave a note or adjust accordingly.

[github-actions]

These changes were released in v1.537.0.