diff --git a/README.md b/README.md
index 83365b1d..fec86afc 100644
--- a/README.md
+++ b/README.md
@@ -411,7 +411,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
| [enable\_irsa](#input\_enable\_irsa) | Determines whether to create an OpenID Connect Provider for EKS to enable IRSA | `bool` | `true` | no |
| [enable\_kms\_key\_rotation](#input\_enable\_kms\_key\_rotation) | Specifies whether key rotation is enabled | `bool` | `true` | no |
| [enabled\_log\_types](#input\_enabled\_log\_types) | A list of the desired control plane logs to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | [
"audit",
"api",
"authenticator"
]
| no |
-| [encryption\_config](#input\_encryption\_config) | Configuration block with encryption configuration for the cluster | object({
provider_key_arn = optional(string)
resources = optional(list(string))
}) | {
"resources": [
"secrets"
]
} | no |
+| [encryption\_config](#input\_encryption\_config) | Configuration block with encryption configuration for the cluster | object({
provider_key_arn = optional(string)
resources = optional(list(string), ["secrets"])
}) | `{}` | no |
| [encryption\_policy\_description](#input\_encryption\_policy\_description) | Description of the cluster encryption policy created | `string` | `"Cluster encryption policy to allow cluster role to utilize CMK provided"` | no |
| [encryption\_policy\_name](#input\_encryption\_policy\_name) | Name to use on cluster encryption policy created | `string` | `null` | no |
| [encryption\_policy\_path](#input\_encryption\_policy\_path) | Cluster encryption policy path | `string` | `null` | no |
diff --git a/main.tf b/main.tf
index b8811e09..4e423488 100644
--- a/main.tf
+++ b/main.tf
@@ -24,7 +24,7 @@ locals {
role_arn = try(aws_iam_role.this[0].arn, var.iam_role_arn)
create_outposts_local_cluster = var.outpost_config != null
- enable_encryption_config = length(var.encryption_config) > 0 && !local.create_outposts_local_cluster
+ enable_encryption_config = var.encryption_config != null && !local.create_outposts_local_cluster
auto_mode_enabled = try(var.compute_config.enabled, false)
}
@@ -590,7 +590,7 @@ resource "aws_iam_policy" "cluster_encryption" {
}
data "aws_iam_policy_document" "custom" {
- count = local.create_iam_role && var.enable_auto_mode_custom_tags ? 1 : 0
+ count = local.create_iam_role && local.auto_mode_enabled && var.enable_auto_mode_custom_tags ? 1 : 0
dynamic "statement" {
for_each = var.enable_auto_mode_custom_tags ? [1] : []
@@ -724,7 +724,7 @@ data "aws_iam_policy_document" "custom" {
}
resource "aws_iam_policy" "custom" {
- count = local.create_iam_role && var.enable_auto_mode_custom_tags ? 1 : 0
+ count = local.create_iam_role && local.auto_mode_enabled && var.enable_auto_mode_custom_tags ? 1 : 0
name = var.iam_role_use_name_prefix ? null : local.iam_role_name
name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
@@ -737,7 +737,7 @@ resource "aws_iam_policy" "custom" {
}
resource "aws_iam_role_policy_attachment" "custom" {
- count = local.create_iam_role && var.enable_auto_mode_custom_tags ? 1 : 0
+ count = local.create_iam_role && local.auto_mode_enabled && var.enable_auto_mode_custom_tags ? 1 : 0
policy_arn = aws_iam_policy.custom[0].arn
role = aws_iam_role.this[0].name
diff --git a/variables.tf b/variables.tf
index fa7c0604..5e23df6c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -165,11 +165,9 @@ variable "encryption_config" {
description = "Configuration block with encryption configuration for the cluster"
type = object({
provider_key_arn = optional(string)
- resources = optional(list(string))
+ resources = optional(list(string), ["secrets"])
})
- default = {
- resources = ["secrets"]
- }
+ default = {}
}
variable "attach_encryption_policy" {