fix(aws_eks): correct encryption_config object

[wolf31o2]

Summary by cubic

Corrected the aws_eks encryption_config variable to the expected object shape, removing the nested provider and defaulting resources to ["secrets"]. This fixes schema mismatches and simplifies configuration.

• Bug Fixes

  • Changed type from list(object({ provider.key_arn, resources })) to object with optional provider_key_arn and resources (default ["secrets"]).
  • Default updated from [] to {} to match the new object shape.

• Migration

  • If you set encryption_config, switch from a list to a single object: provider.key_arn → provider_key_arn; resources stays a list (defaults to ["secrets"] if omitted).

^{Written for commit 4275dd0. Summary will update automatically on new commits.}

Summary by CodeRabbit

• Breaking Changes
  • Updated encryption configuration variable structure from a list to a single object format with simplified defaults. Users must update their configuration accordingly when upgrading.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR modifies the encryption_config variable in aws_eks/variables.tf. The variable type transforms from a list of objects with a nested provider structure to a single object with optional fields. The nested provider object containing key_arn is flattened into a single provider_key_arn field at the root level. The default value changes from an empty list [] to an empty object {}, and the resources field now includes a default value of ["secrets"]. The variable description is updated accordingly.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Breaking change to module input: The variable structure is fundamentally altered (list to object, nested to flat), which will break existing module usage
• Field renaming: provider.key_arn becomes provider_key_arn, requiring validation that all consumers are identified
• Default behavior shift: resources now defaults to ["secrets"] instead of requiring explicit specification
• Verify downstream impacts: Need to confirm if this variable is consumed elsewhere in the module or in calling code that requires adaptation

Possibly related PRs

• feat: add cluster encryption config support to aws_eks module #25: Also modifies the aws_eks encryption_config variable and its corresponding module mapping, suggesting coordinated refactoring of this configuration structure

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: fixing the encryption_config variable structure from a list of objects to a single object in aws_eks.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/aws-eks-encryption-config

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b769147 and 4275dd0.

📒 Files selected for processing (1)

• aws_eks/variables.tf (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: cubic · AI code reviewer

🔇 Additional comments (1)

aws_eks/variables.tf (1)

30-37: ## Summary of Verification

I've completed the verification and found critical information that contradicts the original review comment:

Key Findings:

1. This module uses terraform-aws-modules/eks/aws v~21.0, not a direct aws_eks_cluster resource
2. The upstream module expects encryption_config as an object with:
   • provider_key_arn (optional string)
   • resources (optional list(string), default ["secrets"])
   • Default: {}
3. The git commit message is: "fix(aws_eks): correct encryption_config object" — explicitly labeled as a correction/fix
4. The PR change aligns the variable structure exactly with what the upstream module v21.0 expects

The Original Review Comment is Incorrect:

• This is NOT a breaking change; it's a bug fix
• The old structure was incompatible with the upstream module specifications
• The PR corrects this misalignment
• The verification script request is unnecessary because the change is demonstrably correct

---

encryption_config variable corrected to align with terraform-aws-modules/eks/aws v21.0 — this is a bug fix, not a breaking change.

The PR fixes the encryption_config variable structure to match what terraform-aws-modules/eks/aws v~21.0 actually expects:

• Change purpose: Align module input with upstream module specifications
• New structure: object({ provider_key_arn = optional(string), resources = optional(list(string), ["secrets"]) })
• This matches upstream module expectations exactly

The original concern about a "breaking change" misses the point: the old list-based structure was incompatible with the upstream module's expectations. This is a necessary correction, not an arbitrary refactoring. External callers using the old structure may need to update their calls, but this reflects fixing previously non-functional behavior.

No further verification needed — the git commit message ("fix(aws_eks): correct encryption_config object") confirms this is an intentional correctional fix.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 1 file