fix: Don't create KMS key and related resources for CH by default (#244)

* fix: Don't create KMS key and related resources for CH by default

* fix

* guess what, straight to fix

main.tf

@@ -6,14 +6,15 @@ module "kms" {
   key_alias  = var.kms_key_alias == null ? "${var.namespace}-kms-alias" : var.kms_key_alias
   key_policy = var.kms_key_policy
 
+  create_clickhouse_key = var.enable_clickhouse
   clickhouse_key_alias  = var.kms_clickhouse_key_alias == null ? "${var.namespace}-kms-clickhouse-alias" : var.kms_clickhouse_key_alias
   clickhouse_key_policy = var.kms_clickhouse_key_policy
 }
 
 locals {
 
   default_kms_key                           = module.kms.key.arn
-  clickhouse_kms_key                        = module.kms.clickhouse_key.arn
+  clickhouse_kms_key                        = var.enable_clickhouse ? module.kms.clickhouse_key.arn : null
   s3_kms_key_arn                            = length(var.bucket_kms_key_arn) > 0 ? var.bucket_kms_key_arn : local.default_kms_key
   database_kms_key_arn                      = length(var.database_kms_key_arn) > 0 ? var.database_kms_key_arn : local.default_kms_key
   database_performance_insights_kms_key_arn = length(var.database_performance_insights_kms_key_arn) > 0 ? var.database_performance_insights_kms_key_arn : local.default_kms_key

modules/kms/main.tf

@@ -91,6 +91,8 @@ resource "aws_kms_grant" "main" {
 }
 
 resource "aws_kms_key" "clickhouse_key" {
+  count = var.create_clickhouse_key ? 1 : 0
+
   deletion_window_in_days = var.key_deletion_window
   description             = "AWS KMS Customer-managed key to encrypt Weave resources in Clickhouse"
   key_usage               = "ENCRYPT_DECRYPT"
@@ -133,16 +135,18 @@ resource "aws_kms_key" "clickhouse_key" {
 
 
 resource "aws_kms_alias" "clickhouse_key" {
+  count = var.create_clickhouse_key ? 1 : 0
+
   name          = "alias/${var.clickhouse_key_alias}"
-  target_key_id = aws_kms_key.clickhouse_key.key_id
+  target_key_id = aws_kms_key.clickhouse_key[0].key_id
 }
 
 
 resource "aws_kms_grant" "clickhouse" {
-  count = var.iam_principal_arn == "" ? 0 : 1
+  count = !var.create_clickhouse_key && (var.iam_principal_arn == "") ? 0 : 1
 
   grantee_principal = var.iam_principal_arn
-  key_id            = aws_kms_key.clickhouse_key.key_id
+  key_id            = aws_kms_key.clickhouse_key[0].key_id
   operations = [
     "Decrypt",
     "DescribeKey",

modules/kms/outputs.tf

@@ -5,6 +5,6 @@ output "key" {
 
 
 output "clickhouse_key" {
-  value       = aws_kms_key.clickhouse_key
+  value       = var.create_clickhouse_key ? aws_kms_key.clickhouse_key[0] : null
   description = "The KMS key used to encrypt Weave data in Clickhouse."
 }

modules/kms/variables.tf

@@ -20,9 +20,16 @@ variable "key_policy" {
   default     = ""
 }
 
+variable "create_clickhouse_key" {
+  description = "Whether to create a KMS key for Clickhouse CMEK."
+  type        = bool
+  default     = false
+}
+
 variable "clickhouse_key_alias" {
   description = "The key alias for AWS KMS Customer managed key."
   type        = string
+  default     = "wandb-kms-clickhouse-key"
 }
 
 variable "clickhouse_key_policy" {

variables.tf

@@ -487,8 +487,14 @@ variable "yace_sa_name" {
   default = "wandb-yace"
 }
 
+variable "enable_clickhouse" {
+  type        = bool
+  description = "Provision clickhouse resources"
+  default     = false
+}
+
 variable "clickhouse_endpoint_service_id" {
   type        = string
-  description = "The service ID of the VPC endpoint service for Clickhouse."
+  description = "The service ID of the VPC endpoint service for Clickhouse"
   default     = ""
 }