add support to empty kms key (#80)

lorenzo-merici · web-flow · commit c2cdd1b4826f · 2025-07-31T10:43:49.000+02:00
diff --git a/modules/integrations/cloud-logs/main.tf b/modules/integrations/cloud-logs/main.tf
@@ -79,8 +79,8 @@ locals {
   is_cross_account = var.bucket_account_id != null && var.bucket_account_id != data.aws_caller_identity.current.account_id
 
   # KMS variables
-  kms_account_id = split(":", var.kms_key_arn)[3]
-  need_kms_policy = var.bucket_account_id != null && var.bucket_account_id != local.kms_account_id
+  kms_account_id = var.kms_key_arn != null && var.kms_key_arn != "" ? split(":", var.kms_key_arn)[3] : null
+  need_kms_policy = var.bucket_account_id != null && local.kms_account_id != null && var.bucket_account_id != local.kms_account_id
 
   # Role variables
   role_name = var.role_name != null ? var.role_name : split("/", var.role_arn)[1]
@@ -171,7 +171,7 @@ data "aws_iam_policy_document" "cloudlogs_s3_access" {
   }
 
   dynamic "statement" {
-    for_each = var.kms_key_arn != null ? [1] : []
+    for_each = var.kms_key_arn != null && var.kms_key_arn != "" ? [1] : []
     content {
       sid = "CloudlogsKMSDecrypt"
       
