From e33cba7dbc5a973d6736099f1e0e6635a8d290b8 Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Fri, 26 Jan 2024 12:17:57 +0000
Subject: [PATCH 01/17] pass in custom kms key
---
 main.tf | 11 ++++++++---
 variables.tf | 5 +++++
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/main.tf b/main.tf
index b481cb4..391c90b 100644
--- a/main.tf
+++ b/main.tf
@@ -50,6 +50,7 @@ data "aws_vpc_endpoint" "s3" {
 # S3
 resource "aws_kms_key" "bastion_s3" {
+ count = len(var.s3_kms_arn) > 1 ? 0 : 1
 enable_key_rotation = true
 tags = merge(
@@ -61,11 +62,15 @@ resource "aws_kms_key" "bastion_s3" {
 }
 resource "aws_kms_alias" "bastion_s3_alias" {
+ count = len(var.s3_kms_arn) > 1 ? 0 : 1
+
 name = "alias/s3-${var.bucket_name}_key"
 target_key_id = aws_kms_key.bastion_s3.arn
 }
 resource "aws_kms_key_policy" "bastion_s3" {
+ count = len(var.s3_kms_arn) > 1 ? 0 : 1
+
 key_id = aws_kms_key.bastion_s3.id
 policy = jsonencode({
 Id = "bastion-key-access"
@@ -169,7 +174,7 @@ resource "aws_s3_object" "bucket_public_keys_readme" {
 key = "public-keys/README.txt"
 content = "Drop here the ssh public keys of the instances you want to control"
- kms_key_id = aws_kms_key.bastion_s3.arn
+ kms_key_id = len(var.s3_kms_arn) > 1 ? var.s3_kms_arn : aws_kms_key.bastion_s3.arn
 tags = merge(
 var.tags_common,
@@ -186,7 +191,7 @@ resource "aws_s3_object" "user_public_keys" {
 bucket = module.s3-bucket.bucket.id
 key = "public-keys/${each.key}.pub"
 content = each.value
- kms_key_id = aws_kms_key.bastion_s3.arn
+ kms_key_id = len(var.s3_kms_arn) > 1 ? var.s3_kms_arn : aws_kms_key.bastion_s3.arn
 tags = merge(
 var.tags_common,
@@ -313,7 +318,7 @@ data "aws_iam_policy_document" "bastion_policy_document" {
 "kms:Encrypt",
 "kms:Decrypt"
 ]
- resources = [aws_kms_key.bastion_s3.arn]
+ resources = [aws_kms_key.bastion_s3[0].arn]
 }
 }
diff --git a/variables.tf b/variables.tf
index 9197d55..7ef0fc7 100644
--- a/variables.tf
+++ b/variables.tf
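Review bot: The `[0]` index the last hunk adds in `bastion_policy_document` (`resources = [aws_kms_key.bastion_s3[0].arn]`) only resolves when the module creates its own key; once a caller sets `s3_kms_arn`, `count` is 0, the index is invalid, and the bastion role ends up with no `kms:Encrypt`/`kms:Decrypt` grant on the supplied key at all. The grant should follow the same selection the commit already applies to `kms_key_id` on the S3 objects, e.g. `resources = [length(var.s3_kms_arn) > 1 ? var.s3_kms_arn : aws_kms_key.bastion_s3[0].arn]`. Two smaller problems in the first two hunks: `len` is not a Terraform built-in (the function is `length`), and `aws_kms_alias.bastion_s3_alias` and `aws_kms_key_policy.bastion_s3` still reference `aws_kms_key.bastion_s3.arn`/`.id` without an index now that the key carries `count`. The `data "aws_iam_policy_document"` block continues outside the hunk.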
@@ -126,3 +126,8 @@ variable "autoscaling_cron" {
 "down" = "0 20 * * *" # 20.00 UTC or 21.00 BST
 }
 }
+
+variable "s3_kms_arn" {
+ description = "KMS ARN for S3 bucket encryption"
+ type = string
+}
\ No newline at end of file
From 7280f93acb3eacc8a042635fc738b0cd3b49b9fd Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Fri, 26 Jan 2024 12:18:32 +0000
Subject: [PATCH 02/17] rename to custom
---
 main.tf | 10 +++++-----
 variables.tf | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/main.tf b/main.tf
index 391c90b..ae1359f 100644
--- a/main.tf
+++ b/main.tf
@@ -50,7 +50,7 @@ data "aws_vpc_endpoint" "s3" {
 # S3
 resource "aws_kms_key" "bastion_s3" {
- count = len(var.s3_kms_arn) > 1 ? 0 : 1
+ count = len(var.custom_s3_kms_arn) > 1 ? 0 : 1
 enable_key_rotation = true
 tags = merge(
@@ -62,14 +62,14 @@ resource "aws_kms_key" "bastion_s3" {
 }
 resource "aws_kms_alias" "bastion_s3_alias" {
- count = len(var.s3_kms_arn) > 1 ? 0 : 1
+ count = len(var.custom_s3_kms_arn) > 1 ? 0 : 1
 name = "alias/s3-${var.bucket_name}_key"
 target_key_id = aws_kms_key.bastion_s3.arn
 }
 resource "aws_kms_key_policy" "bastion_s3" {
- count = len(var.s3_kms_arn) > 1 ? 0 : 1
+ count = len(var.custom_s3_kms_arn) > 1 ? 0 : 1
 key_id = aws_kms_key.bastion_s3.id
 policy = jsonencode({
@@ -174,7 +174,7 @@ resource "aws_s3_object" "bucket_public_keys_readme" {
 key = "public-keys/README.txt"
 content = "Drop here the ssh public keys of the instances you want to control"
- kms_key_id = len(var.s3_kms_arn) > 1 ? var.s3_kms_arn : aws_kms_key.bastion_s3.arn
+ kms_key_id = len(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3.arn
 tags = merge(
 var.tags_common,
@@ -191,7 +191,7 @@ resource "aws_s3_object" "user_public_keys" {
 bucket = module.s3-bucket.bucket.id
 key = "public-keys/${each.key}.pub"
 content = each.value
- kms_key_id = len(var.s3_kms_arn) > 1 ? var.s3_kms_arn : aws_kms_key.bastion_s3.arn
+ kms_key_id = len(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3.arn
 tags = merge(
 var.tags_common,
diff --git a/variables.tf b/variables.tf
index 7ef0fc7..ae289ba 100644
--- a/variables.tf
+++ b/variables.tf
@@ -127,7 +127,7 @@ variable "autoscaling_cron" {
 }
 }
-variable "s3_kms_arn" {
+variable "custom_s3_kms_arn" {
 description = "KMS ARN for S3 bucket encryption"
 type = string
 }
\ No newline at end of file
From 2d5f82df690bb2a5bc87fe9d423b5e7dab1f3b62 Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Fri, 26 Jan 2024 12:36:50 +0000
Subject: [PATCH 03/17] add role output
---
 README.md | 5 +++++
 outputs.tf | 6 ++++++
 2 files changed, 11 insertions(+)
diff --git a/README.md b/README.md
index 480075b..fc3a61e 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,11 @@ module "bastion_linux" {
 }
 ```
+#### Note:
+Passing in a custom KMS key? You'll need to make sure the bastion iam role has permissions to use it.
+See `aws_kms_key_policy.bastion_s3` in `main.tf` for an example.
+This module ouputs the bastion iam role object (see `outputs.tf`), so you can use it in your own policy.
+
 ## Looking for issues?
 If you're looking to raise an issue with this module, please create a new issue in the [Modernisation Platform repository](https://github.com/ministryofjustice/modernisation-platform/issues).
diff --git a/outputs.tf b/outputs.tf
index 55e380b..0d39930 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -12,3 +12,9 @@ output "bastion_s3_bucket" {
 description = "S3 bucket of bastion"
 value = module.s3-bucket
 }
+
+
+output "bastion_iam_role" {
+ description = "IAM role of bastion"
+ value = aws_iam_role.bastion_role
+}
\ No newline at end of file
From 0067569c869a8f5bd67d6f79e92e214bfbf4ff9a Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Fri, 26 Jan 2024 12:46:17 +0000
Subject: [PATCH 04/17] indexing for count
---
 main.tf | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/main.tf b/main.tf
index ae1359f..7b7a138 100644
--- a/main.tf
+++ b/main.tf
@@ -65,13 +65,13 @@ resource "aws_kms_alias" "bastion_s3_alias" {
 count = len(var.custom_s3_kms_arn) > 1 ? 0 : 1
 name = "alias/s3-${var.bucket_name}_key"
- target_key_id = aws_kms_key.bastion_s3.arn
+ target_key_id = aws_kms_key.bastion_s3[0].arn
 }
 resource "aws_kms_key_policy" "bastion_s3" {
 count = len(var.custom_s3_kms_arn) > 1 ? 0 : 1
- key_id = aws_kms_key.bastion_s3.id
+ key_id = aws_kms_key.bastion_s3[0].id
 policy = jsonencode({
 Id = "bastion-key-access"
 Statement = [
@@ -82,7 +82,7 @@ resource "aws_kms_key_policy" "bastion_s3" {
 "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
 },
 "Action" : "kms:*",
- "Resource" : aws_kms_key.bastion_s3.arn
+ "Resource" : aws_kms_key.bastion_s3[0].arn
 },
 {
 Action = [
@@ -94,7 +94,7 @@ resource "aws_kms_key_policy" "bastion_s3" {
 AWS = aws_iam_role.bastion_role.arn
 }
- Resource = aws_kms_key.bastion_s3.arn
+ Resource = aws_kms_key.bastion_s3[0].arn
 },
 ]
 Version = "2012-10-17"
@@ -174,7 +174,7 @@ resource "aws_s3_object" "bucket_public_keys_readme" {
 key = "public-keys/README.txt"
 content = "Drop here the ssh public keys of the instances you want to control"
- kms_key_id = len(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3.arn
+ kms_key_id = len(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3[0].arn
 tags = merge(
 var.tags_common,
@@ -191,7 +191,7 @@ resource "aws_s3_object" "user_public_keys" {
 bucket = module.s3-bucket.bucket.id
 key = "public-keys/${each.key}.pub"
 content = each.value
- kms_key_id = len(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3.arn
+ kms_key_id = len(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3[0].arn
 tags = merge(
 var.tags_common,
From b74069ec78d0b1da0b039953aba032f04de47c58 Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Fri, 26 Jan 2024 12:50:17 +0000
Subject: [PATCH 05/17] also use for s3 bucket module
---
 README.md | 2 ++
 main.tf | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/README.md b/README.md
index fc3a61e..6c749a8 100644
--- a/README.md
+++ b/README.md
@@ -165,6 +165,7 @@ In order to prevent older versions from being retained forever, in addition to t
 | [bucket\_name](#input\_bucket\_name) | Bucket used for bucket log storage and user public keys | `string` | n/a | yes |
 | [bucket\_versioning](#input\_bucket\_versioning) | Enable bucket versioning or not | `bool` | n/a | yes |
 | [business\_unit](#input\_business\_unit) | Fixed variable to specify business-unit for RAM shared subnets | `string` | n/a | yes |
+| [custom\_s3\_kms\_arn](#input\_custom\_s3\_kms\_arn) | KMS ARN for S3 bucket encryption | `string` | n/a | yes |
 | [environment](#input\_environment) | application environment | `string` | n/a | yes |
 | [extra\_user\_data\_content](#input\_extra\_user\_data\_content) | Extra user data content for Bastion ec2 | `string` | `""` | no |
 | [instance\_name](#input\_instance\_name) | Name of instance | `string` | `"bastion_linux"` | no |
@@ -182,6 +183,7 @@ In order to prevent older versions from being retained forever, in addition to t
 | Name | Description |
 |------|-------------|
+| [bastion\_iam\_role](#output\_bastion\_iam\_role) | IAM role of bastion |
 | [bastion\_launch\_template](#output\_bastion\_launch\_template) | Launch template of bastion |
 | [bastion\_s3\_bucket](#output\_bastion\_s3\_bucket) | S3 bucket of bastion |
 | [bastion\_security\_group](#output\_bastion\_security\_group) | Security group of bastion |
diff --git a/main.tf b/main.tf
index 7b7a138..421228a 100644
--- a/main.tf
+++ b/main.tf
@@ -120,6 +120,8 @@ module "s3-bucket" {
 replication_enabled = false
 force_destroy = true
+ custom_kms_key = len(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : null
+
 lifecycle_rule = [
 {
 id = "log"
From 64783818d626129e49d73795bb0baed2b2315dd6 Mon Sep 17 00:00:00 2001
From: David Elliott
Date: Thu, 1 Feb 2024 16:38:37 +0000
Subject: [PATCH 06/17] Fix kms_key var required and len not valid function
---
 main.tf | 12 ++++++------
 variables.tf | 3 ++-
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/main.tf b/main.tf
index 421228a..cfb46d3 100644
--- a/main.tf
+++ b/main.tf
@@ -50,7 +50,7 @@ data "aws_vpc_endpoint" "s3" {
 # S3
 resource "aws_kms_key" "bastion_s3" {
- count = len(var.custom_s3_kms_arn) > 1 ? 0 : 1
+ count = length(var.custom_s3_kms_arn) > 1 ? 0 : 1
 enable_key_rotation = true
 tags = merge(
@@ -62,14 +62,14 @@ resource "aws_kms_key" "bastion_s3" {
 }
 resource "aws_kms_alias" "bastion_s3_alias" {
- count = len(var.custom_s3_kms_arn) > 1 ? 0 : 1
+ count = length(var.custom_s3_kms_arn) > 1 ? 0 : 1
 name = "alias/s3-${var.bucket_name}_key"
 target_key_id = aws_kms_key.bastion_s3[0].arn
 }
 resource "aws_kms_key_policy" "bastion_s3" {
- count = len(var.custom_s3_kms_arn) > 1 ? 0 : 1
+ count = length(var.custom_s3_kms_arn) > 1 ? 0 : 1
 key_id = aws_kms_key.bastion_s3[0].id
 policy = jsonencode({
@@ -120,7 +120,7 @@ module "s3-bucket" {
 replication_enabled = false
 force_destroy = true
- custom_kms_key = len(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : null
+ custom_kms_key = length(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : null
 lifecycle_rule = [
 {
@@ -176,7 +176,7 @@ resource "aws_s3_object" "bucket_public_keys_readme" {
 key = "public-keys/README.txt"
 content = "Drop here the ssh public keys of the instances you want to control"
- kms_key_id = len(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3[0].arn
+ kms_key_id = length(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3[0].arn
 tags = merge(
 var.tags_common,
@@ -193,7 +193,7 @@ resource "aws_s3_object" "user_public_keys" {
 bucket = module.s3-bucket.bucket.id
 key = "public-keys/${each.key}.pub"
 content = each.value
- kms_key_id = len(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3[0].arn
+ kms_key_id = length(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3[0].arn
 tags = merge(
 var.tags_common,
diff --git a/variables.tf b/variables.tf
index ae289ba..e627d31 100644
--- a/variables.tf
+++ b/variables.tf
@@ -130,4 +130,5 @@ variable "autoscaling_cron" {
 variable "custom_s3_kms_arn" {
 description = "KMS ARN for S3 bucket encryption"
 type = string
-}
\ No newline at end of file
+ default = "null"
+}
From c089af6783bf9472a7ec9130ce29bb5737bfa95e Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Thu, 1 Feb 2024 16:39:01 +0000
Subject: [PATCH 07/17] terraform-docs: automated action
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 6c749a8..8ebea65 100644
--- a/README.md
+++ b/README.md
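Review bot: `default = "null"` in the `variables.tf` hunk is the four-character string `"null"`, not a null value, so with no caller input `length(var.custom_s3_kms_arn) > 1` is true: the module skips creating its own key and the `main.tf` hunks in this commit hand the literal string to `kms_key_id` and `custom_kms_key`, which is not a usable key identifier. The opt-out sentinel should be the empty string, `default = ""` (the convention `extra_user_data_content` already follows in the README table), with the conditions written against it, e.g. `count = var.custom_s3_kms_arn != "" ? 0 : 1`. The `description` should also say that leaving the variable empty makes the module create and manage its own key.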
@@ -165,7 +165,7 @@ In order to prevent older versions from being retained forever, in addition to t
 | [bucket\_name](#input\_bucket\_name) | Bucket used for bucket log storage and user public keys | `string` | n/a | yes |
 | [bucket\_versioning](#input\_bucket\_versioning) | Enable bucket versioning or not | `bool` | n/a | yes |
 | [business\_unit](#input\_business\_unit) | Fixed variable to specify business-unit for RAM shared subnets | `string` | n/a | yes |
-| [custom\_s3\_kms\_arn](#input\_custom\_s3\_kms\_arn) | KMS ARN for S3 bucket encryption | `string` | n/a | yes |
+| [custom\_s3\_kms\_arn](#input\_custom\_s3\_kms\_arn) | KMS ARN for S3 bucket encryption | `string` | `"null"` | no |
 | [environment](#input\_environment) | application environment | `string` | n/a | yes |
 | [extra\_user\_data\_content](#input\_extra\_user\_data\_content) | Extra user data content for Bastion ec2 | `string` | `""` | no |
 | [instance\_name](#input\_instance\_name) | Name of instance | `string` | `"bastion_linux"` | no |
From a1bb699380a2dd00cc141abd0de3a3eb42df9068 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Thu, 1 Feb 2024 16:39:28 +0000
Subject: [PATCH 08/17] Commit changes made by code formatters
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index e627d31..38fb636 100644
--- a/variables.tf
+++ b/variables.tf
@@ -130,5 +130,5 @@ variable "autoscaling_cron" {
 variable "custom_s3_kms_arn" {
 description = "KMS ARN for S3 bucket encryption"
 type = string
- default = "null"
+ default = "null"
 }
From b6af4a30fd9bea4befa25fc19aa38f745370d4ad Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Fri, 2 Feb 2024 12:14:49 +0000
Subject: [PATCH 09/17] kms-key
---
 locals.tf | 3 +++
 main.tf | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)
 create mode 100644 locals.tf
diff --git a/locals.tf b/locals.tf
new file mode 100644
index 0000000..41eb3ce
--- /dev/null
+++ b/locals.tf
@@ -0,0 +1,3 @@
+locals {
+ kms_key_arn = length(var.custom_s3_kms_arn) > 1 ? [var.custom_s3_kms_arn] : [aws_kms_key.bastion_s3[0].arn]
+}
diff --git a/main.tf b/main.tf
index cfb46d3..314ec20 100644
--- a/main.tf
+++ b/main.tf
@@ -176,7 +176,7 @@ resource "aws_s3_object" "bucket_public_keys_readme" {
 key = "public-keys/README.txt"
 content = "Drop here the ssh public keys of the instances you want to control"
- kms_key_id = length(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3[0].arn
+ kms_key_id = local.kms_key_arn
 tags = merge(
 var.tags_common,
@@ -193,7 +193,7 @@ resource "aws_s3_object" "user_public_keys" {
 bucket = module.s3-bucket.bucket.id
 key = "public-keys/${each.key}.pub"
 content = each.value
- kms_key_id = length(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3[0].arn
+ kms_key_id = local.kms_key_arn
 tags = merge(
 var.tags_common,
@@ -320,7 +320,7 @@ data "aws_iam_policy_document" "bastion_policy_document" {
 "kms:Encrypt",
 "kms:Decrypt"
 ]
- resources = [aws_kms_key.bastion_s3[0].arn]
+ resources = local.kms_key_arn
 }
 }
From d07c4287d12e1d9300ae6042589552fde6d7c916 Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Fri, 2 Feb 2024 12:16:45 +0000
Subject: [PATCH 10/17] list
---
 locals.tf | 2 +-
 main.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/locals.tf b/locals.tf
index 41eb3ce..883432b 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,3 +1,3 @@
 locals {
- kms_key_arn = length(var.custom_s3_kms_arn) > 1 ? [var.custom_s3_kms_arn] : [aws_kms_key.bastion_s3[0].arn]
+ kms_key_arn = length(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3[0].arn
 }
diff --git a/main.tf b/main.tf
index 314ec20..6bd2665 100644
--- a/main.tf
+++ b/main.tf
@@ -320,7 +320,7 @@ data "aws_iam_policy_document" "bastion_policy_document" {
 "kms:Encrypt",
 "kms:Decrypt"
 ]
- resources = local.kms_key_arn
+ resources = [local.kms_key_arn]
 }
 }
From 03ca2ae0f60fe9004a6d2cd4ca9a1b7775503792 Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Fri, 2 Feb 2024 12:18:52 +0000
Subject: [PATCH 11/17] local logic
---
 locals.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/locals.tf b/locals.tf
index 883432b..26f3606 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,3 +1,3 @@
 locals {
- kms_key_arn = length(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3[0].arn
+ kms_key_arn = try(var.custom_s3_kms_arn, false) ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3[0].arn
 }
From b2e082a0f10b78414e065752eeb773feba893201 Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Fri, 2 Feb 2024 12:20:30 +0000
Subject: [PATCH 12/17] default null
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index 38fb636..ad01431 100644
--- a/variables.tf
+++ b/variables.tf
@@ -130,5 +130,5 @@ variable "autoscaling_cron" {
 variable "custom_s3_kms_arn" {
 description = "KMS ARN for S3 bucket encryption"
 type = string
- default = "null"
+ default = null
 }
From 3ed3bef522c5de851cc3af8ae03179454d2167ec Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Fri, 2 Feb 2024 12:20:49 +0000
Subject: [PATCH 13/17] terraform-docs: automated action
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 8ebea65..604415b 100644
--- a/README.md
+++ b/README.md
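Review bot: `try(var.custom_s3_kms_arn, false)` in the `locals.tf` hunk does not test whether the variable is set: `try` only falls back when its argument errors, so for a caller-supplied ARN the condition is the ARN string itself, which is not convertible to bool, and for the `null` default introduced in PATCH 12 it is `null`, which the conditional rejects too. A plain comparison against an empty-string default, `kms_key_arn = var.custom_s3_kms_arn != "" ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3[0].arn`, expresses the intent; the same `try(..., false)` construct reappears in the `module "s3-bucket"` hunk of PATCH 14. The fallback branch's `aws_kms_key.bastion_s3[0].arn` also depends on an unselected branch not being an error when `count` is 0; `one(aws_kms_key.bastion_s3[*].arn)` sidesteps the hard index if the module's minimum Terraform version (not visible here) provides `one()`.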
@@ -165,7 +165,7 @@ In order to prevent older versions from being retained forever, in addition to t
 | [bucket\_name](#input\_bucket\_name) | Bucket used for bucket log storage and user public keys | `string` | n/a | yes |
 | [bucket\_versioning](#input\_bucket\_versioning) | Enable bucket versioning or not | `bool` | n/a | yes |
 | [business\_unit](#input\_business\_unit) | Fixed variable to specify business-unit for RAM shared subnets | `string` | n/a | yes |
-| [custom\_s3\_kms\_arn](#input\_custom\_s3\_kms\_arn) | KMS ARN for S3 bucket encryption | `string` | `"null"` | no |
+| [custom\_s3\_kms\_arn](#input\_custom\_s3\_kms\_arn) | KMS ARN for S3 bucket encryption | `string` | `null` | no |
 | [environment](#input\_environment) | application environment | `string` | n/a | yes |
 | [extra\_user\_data\_content](#input\_extra\_user\_data\_content) | Extra user data content for Bastion ec2 | `string` | `""` | no |
 | [instance\_name](#input\_instance\_name) | Name of instance | `string` | `"bastion_linux"` | no |
From d02c574052108a54b0f3e8a87cce26ccf7c38540 Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Fri, 2 Feb 2024 12:25:14 +0000
Subject: [PATCH 14/17] empty string required for s3 moduel
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 6bd2665..9890880 100644
--- a/main.tf
+++ b/main.tf
@@ -120,7 +120,7 @@ module "s3-bucket" {
 replication_enabled = false
 force_destroy = true
- custom_kms_key = length(var.custom_s3_kms_arn) > 1 ? var.custom_s3_kms_arn : null
+ custom_kms_key = try(var.custom_s3_kms_arn, false) ? var.custom_s3_kms_arn : ""
 lifecycle_rule = [
 {
From afc99e61da939165f75300499cde09cc85615893 Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Fri, 2 Feb 2024 12:31:19 +0000
Subject: [PATCH 15/17] refactor
---
 locals.tf | 2 +-
 main.tf | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/locals.tf b/locals.tf
index 26f3606..7bf0855 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,3 +1,3 @@
 locals {
- kms_key_arn = try(var.custom_s3_kms_arn, false) ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3[0].arn
+ kms_key_arn = var.custom_s3_kms_arn != "" ? var.custom_s3_kms_arn : aws_kms_key.bastion_s3[0].arn
 }
diff --git a/main.tf b/main.tf
index 9890880..ec97454 100644
--- a/main.tf
+++ b/main.tf
@@ -50,7 +50,7 @@ data "aws_vpc_endpoint" "s3" {
 # S3
 resource "aws_kms_key" "bastion_s3" {
- count = length(var.custom_s3_kms_arn) > 1 ? 0 : 1
+ count = var.custom_s3_kms_arn != "" ? 0 : 1
 enable_key_rotation = true
 tags = merge(
@@ -62,14 +62,14 @@ resource "aws_kms_key" "bastion_s3" {
 }
 resource "aws_kms_alias" "bastion_s3_alias" {
- count = length(var.custom_s3_kms_arn) > 1 ? 0 : 1
+ count = var.custom_s3_kms_arn != "" ? 0 : 1
 name = "alias/s3-${var.bucket_name}_key"
 target_key_id = aws_kms_key.bastion_s3[0].arn
 }
 resource "aws_kms_key_policy" "bastion_s3" {
- count = length(var.custom_s3_kms_arn) > 1 ? 0 : 1
+ count = var.custom_s3_kms_arn != "" ? 0 : 1
 key_id = aws_kms_key.bastion_s3[0].id
 policy = jsonencode({
@@ -120,7 +120,7 @@ module "s3-bucket" {
 replication_enabled = false
 force_destroy = true
- custom_kms_key = try(var.custom_s3_kms_arn, false) ? var.custom_s3_kms_arn : ""
+ custom_kms_key = var.custom_s3_kms_arn != "" ? var.custom_s3_kms_arn : ""
 lifecycle_rule = [
 {
From 4b5b7a0451651138c1a1da3296740821e3efd711 Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Fri, 2 Feb 2024 12:34:59 +0000
Subject: [PATCH 16/17] change defautl
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index ad01431..c6c11df 100644
--- a/variables.tf
+++ b/variables.tf
@@ -130,5 +130,5 @@ variable "autoscaling_cron" {
 variable "custom_s3_kms_arn" {
 description = "KMS ARN for S3 bucket encryption"
 type = string
- default = null
+ default = ""
 }
From f34f3ea6e5b2ed71c59081cff1fa12b8d366f97e Mon Sep 17 00:00:00 2001
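Review bot: `custom_kms_key = var.custom_s3_kms_arn != "" ? var.custom_s3_kms_arn : ""` in the `module "s3-bucket"` hunk yields `var.custom_s3_kms_arn` in both branches, so the conditional is dead and the line should simply read `custom_kms_key = var.custom_s3_kms_arn`. The same `var.custom_s3_kms_arn != ""` test is now written out in `locals.tf` and in each of the three `count` hunks; a single `create_kms_key = var.custom_s3_kms_arn == ""` local would keep the create-versus-bring-your-own decision in one place, so that a later edit cannot leave the key created while the grants point at the other one. `module "s3-bucket"` and the `aws_kms_key_policy` block both continue outside their hunks.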
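Review bot: `custom_s3_kms_arn` in the `variables.tf` hunk accepts any string, so a mistyped or non-KMS ARN only surfaces as an apply-time error, after `count` has already decided not to create the module's own key. A `validation` block that accepts either the empty sentinel or a KMS ARN reports this at plan time, and the `description` should state that `""` (the new default) makes the module create and manage its own key. Checking the ARN shape guards against typos, not permissions: the caller still has to allow `aws_iam_role.bastion_role` to use the key in the key's own policy, as the README note from PATCH 03 says.
```hcl
variable "custom_s3_kms_arn" {
  description = "ARN of an existing KMS key used to encrypt the S3 bucket and the public-key objects. Leave empty (the default) to have the module create and manage its own key."
  type        = string
  default     = ""

  validation {
    condition     = var.custom_s3_kms_arn == "" || can(regex("^arn:aws[a-z-]*:kms:", var.custom_s3_kms_arn))
    error_message = "custom_s3_kms_arn must be empty or a KMS key ARN (arn:<partition>:kms:...)."
  }
}
```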
From: "github-actions[bot]"
Date: Fri, 2 Feb 2024 12:35:17 +0000
Subject: [PATCH 17/17] terraform-docs: automated action
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 604415b..78a3094 100644
--- a/README.md
+++ b/README.md
@@ -165,7 +165,7 @@ In order to prevent older versions from being retained forever, in addition to t
 | [bucket\_name](#input\_bucket\_name) | Bucket used for bucket log storage and user public keys | `string` | n/a | yes |
 | [bucket\_versioning](#input\_bucket\_versioning) | Enable bucket versioning or not | `bool` | n/a | yes |
 | [business\_unit](#input\_business\_unit) | Fixed variable to specify business-unit for RAM shared subnets | `string` | n/a | yes |
-| [custom\_s3\_kms\_arn](#input\_custom\_s3\_kms\_arn) | KMS ARN for S3 bucket encryption | `string` | `null` | no |
+| [custom\_s3\_kms\_arn](#input\_custom\_s3\_kms\_arn) | KMS ARN for S3 bucket encryption | `string` | `""` | no |
 | [environment](#input\_environment) | application environment | `string` | n/a | yes |
 | [extra\_user\_data\_content](#input\_extra\_user\_data\_content) | Extra user data content for Bastion ec2 | `string` | `""` | no |
 | [instance\_name](#input\_instance\_name) | Name of instance | `string` | `"bastion_linux"` | no |