Pass KMS environment variables through Terraform modules

allan-thatch · allan-thatch · commit ada3b2bfc07c · 2025-12-18T11:47:12.000-05:00
diff --git a/README.md b/README.md
@@ -67,18 +67,21 @@ terraform apply \
 
 ## Terraform Variables
 
-| Variable                  | Required | Default                      | Description                                            |
-| ------------------------- | -------- | ---------------------------- | ------------------------------------------------------ |
-| `aws_s3_bucket_name`      | Yes      | -                            | Name of the S3 bucket to create for storing audit logs |
-| `render_api_key`          | Yes      | -                            | Render API key for accessing audit logs                |
-| `render_workspace_ids`    | No       | `[]`                         | List of workspace IDs to fetch audit logs from         |
-| `render_organization_id`  | No       | `""`                         | Organization ID for Enterprise audit logs              |
-| `aws_iam_user_name`       | No       | `render-audit-log-processor` | Name of the IAM user created for S3 access             |
-| `render_cronjob_name`     | No       | `render-auditlogs`           | Name of the Render Cron Job                            |
-| `render_cronjob_schedule` | No       | `1/15 * * * *`               | Cron schedule (default: every 15 minutes)              |
-| `render_cronjob_plan`     | No       | `starter`                    | Render plan for the Cron Job                           |
-| `render_cronjob_region`   | No       | `oregon`                     | Region to deploy the Cron Job                          |
-| `render_project_name`     | No       | `audit-logs`                 | Name of the Render project                             |
+| Variable                    | Required | Default                      | Description                                            |
+| --------------------------- | -------- | ---------------------------- | ------------------------------------------------------ |
+| `aws_s3_bucket_name`        | Yes      | -                            | Name of the S3 bucket to create for storing audit logs |
+| `render_api_key`            | Yes      | -                            | Render API key for accessing audit logs                |
+| `render_workspace_ids`      | No       | `[]`                         | List of workspace IDs to fetch audit logs from         |
+| `render_organization_id`    | No       | `""`                         | Organization ID for Enterprise audit logs              |
+| `aws_iam_user_name`         | No       | `render-audit-log-processor` | Name of the IAM user created for S3 access             |
+| `aws_s3_bucket_key_enabled` | No       | `false`                      | Enable S3 bucket key to reduce KMS calls               |
+| `aws_s3_kms_key_id`         | No       | `""`                         | ARN for KMS key to use for encryption                  |
+| `aws_s3_use_kms`            | No       | `false`                      | Use KMS for encryption (instead of SSE-S3)             |
+| `render_cronjob_name`       | No       | `render-auditlogs`           | Name of the Render Cron Job                            |
+| `render_cronjob_schedule`   | No       | `1/15 * * * *`               | Cron schedule (default: every 15 minutes)              |
+| `render_cronjob_plan`       | No       | `starter`                    | Render plan for the Cron Job                           |
+| `render_cronjob_region`     | No       | `oregon`                     | Region to deploy the Cron Job                          |
+| `render_project_name`       | No       | `audit-logs`                 | Name of the Render project                             |
 
 ## Architecture
 
diff --git a/terraform/modules/render-audit-logs/render.tf b/terraform/modules/render-audit-logs/render.tf
@@ -27,6 +27,9 @@ resource "render_cron_job" "render-audit-logs" {
     "WORKSPACE_IDS" = { value = join(",", var.render_workspace_ids) }
     "RENDER_API_KEY" = { value = var.render_api_key }
     "S3_BUCKET" = { value = var.aws_s3_bucket_name }
+    "S3_BUCKET_KEY_ENABLED" = { value = var.aws_s3_bucket_key_enabled }
+    "S3_KMS_KEY_ID" = { value = var.aws_s3_kms_key_id }
+    "S3_USE_KMS" = { value = var.aws_s3_use_kms }
   }
 }
 
diff --git a/terraform/modules/render-audit-logs/variables.tf b/terraform/modules/render-audit-logs/variables.tf
@@ -2,6 +2,21 @@ variable "aws_s3_bucket_name" {
   type = string
 }
 
+variable "aws_s3_bucket_key_enabled" {
+  type = bool
+  default = false
+}
+
+variable "aws_s3_kms_key_id" {
+  type = string
+  default = ""
+}
+
+variable "aws_s3_use_kms" {
+  type = bool
+  default = false
+}
+
 variable "aws_access_key" {
   type = string
   sensitive = true
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -2,12 +2,26 @@ variable "aws_s3_bucket_name" {
     type = string
 }
 
+variable "aws_s3_bucket_key_enabled" {
+  type = bool
+  default = false
+}
+
+variable "aws_s3_kms_key_id" {
+  type = string
+  default = ""
+}
+
+variable "aws_s3_use_kms" {
+  type = bool
+  default = false
+}
+
 variable "aws_iam_user_name" {
   type = string
   default = "render-audit-log-processor"
 }
 
-
 variable "render_api_key" {
   type = string
   sensitive = true

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,9 @@ resource "render_cron_job" "render-audit-logs" {`
`27`	`27`	`"WORKSPACE_IDS" = { value = join(",", var.render_workspace_ids) }`
`28`	`28`	`"RENDER_API_KEY" = { value = var.render_api_key }`
`29`	`29`	`"S3_BUCKET" = { value = var.aws_s3_bucket_name }`
	`30`	`+ "S3_BUCKET_KEY_ENABLED" = { value = var.aws_s3_bucket_key_enabled }`
	`31`	`+ "S3_KMS_KEY_ID" = { value = var.aws_s3_kms_key_id }`
	`32`	`+ "S3_USE_KMS" = { value = var.aws_s3_use_kms }`
`30`	`33`	`}`
`31`	`34`	`}`
`32`	`35`