diff --git a/elasticache-redis/replication-group/README.md b/elasticache-redis/replication-group/README.md
index 86b6cec..2604756 100644
--- a/elasticache-redis/replication-group/README.md
+++ b/elasticache-redis/replication-group/README.md
@@ -15,15 +15,16 @@ Provision a Redis cluster using AWS ElastiCache.
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | ~> 4.0 |
-| [random](#provider\_random) | ~> 3.0 |
+| [aws](#provider\_aws) | 4.67.0 |
+| [random](#provider\_random) | 3.5.1 |
## Modules
| Name | Source | Version |
|------|--------|---------|
-| [client\_security\_group](#module\_client\_security\_group) | ../../security-group | |
-| [server\_security\_group](#module\_server\_security\_group) | ../../security-group | |
+| [client\_security\_group](#module\_client\_security\_group) | ../../security-group | n/a |
+| [customer\_kms](#module\_customer\_kms) | github.com/thoughtbot/terraform-aws-secrets//customer-managed-kms | 3e5155d |
+| [server\_security\_group](#module\_server\_security\_group) | ../../security-group | n/a |
## Resources
diff --git a/elasticache-redis/replication-group/main.tf b/elasticache-redis/replication-group/main.tf
index 8950d6f..a782d39 100644
--- a/elasticache-redis/replication-group/main.tf
+++ b/elasticache-redis/replication-group/main.tf
@@ -5,7 +5,7 @@ resource "aws_elasticache_replication_group" "this" {
automatic_failover_enabled = local.replica_enabled
engine = var.engine
engine_version = var.engine_version
- kms_key_id = var.kms_key == null ? null : var.kms_key.id
+ kms_key_id = var.kms_key == null ? module.customer_kms.kms_key_arn : var.kms_key.id
multi_az_enabled = local.replica_enabled
node_type = var.node_type
num_cache_clusters = local.instance_count
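Review bot: The ARN fallback on the `kms_key_id` line is only honoured by ElastiCache when `at_rest_encryption_enabled = true` is also set on the replication group; that attribute is not in this hunk and the resource body starts before line 5, so please confirm it is set (or forced on) there, otherwise the new key has no effect. The expression also mixes identifier formats: the caller path still passes `var.kms_key.id` while the fallback is a full ARN — if the provider reads the ARN back from the API, the `.id` form may produce a perpetual plan diff, so `var.kms_key.arn` would be the consistent choice. The `kms_key` variable description (outside this diff) should say that omitting it now provisions a customer-managed key instead of using the service-managed default, since that changes what callers get without any input change.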
@@ -35,6 +35,12 @@ resource "aws_elasticache_replication_group" "this" {
}
}
+module "customer_kms" {
+ source = "github.com/thoughtbot/terraform-aws-secrets//customer-managed-kms?ref=3e5155d"
+
+ name = var.name
+}
+
resource "aws_elasticache_subnet_group" "this" {
name = coalesce(
var.subnet_group_name,
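Review bot: `module "customer_kms"` is instantiated unconditionally, so a customer-managed KMS key (with its own key policy and ongoing cost) is created even when the caller supplies `var.kms_key`, and in that case the new key is attached to nothing; the same pattern appears in the `customer_kms` module block and the `primary_kms_key` local in rds-postgres/primary-instance/main.tf. Gating the module with `count = var.kms_key == null ? 1 : 0` and reading it as `one(module.customer_kms[*].kms_key_arn)` in the conditional avoids the stray key in both modules. Separately, the `source` pins the remote module to the abbreviated ref `3e5155d`; since this is fetched from GitHub at init time, a full commit SHA is the unambiguous pin and is what I would expect in a supply-chain-sensitive module like a KMS key factory.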
diff --git a/rds-postgres/primary-instance/README.md b/rds-postgres/primary-instance/README.md
index 682f861..481943f 100644
--- a/rds-postgres/primary-instance/README.md
+++ b/rds-postgres/primary-instance/README.md
@@ -24,6 +24,7 @@ Provision a Postgres database using AWS RDS.
|------|--------|---------|
| [alarms](#module\_alarms) | ../cloudwatch-alarms | n/a |
| [client\_security\_group](#module\_client\_security\_group) | ../../security-group | n/a |
+| [customer\_kms](#module\_customer\_kms) | github.com/thoughtbot/terraform-aws-secrets//customer-managed-kms | 3e5155d |
| [parameter\_group](#module\_parameter\_group) | ../parameter-group | n/a |
| [server\_security\_group](#module\_server\_security\_group) | ../../security-group | n/a |
@@ -95,5 +96,6 @@ Provision a Postgres database using AWS RDS.
| [identifier](#output\_identifier) | Identifier of the created RDS database |
| [initial\_password](#output\_initial\_password) | Initial admin password for connecting to this database |
| [instance](#output\_instance) | The created RDS database instance |
+| [primary\_kms\_key](#output\_primary\_kms\_key) | KMS key arn in use by primary database instance. |
| [server\_security\_group\_id](#output\_server\_security\_group\_id) | Name of the security group created for the server |
diff --git a/rds-postgres/primary-instance/main.tf b/rds-postgres/primary-instance/main.tf
index f28146a..a19eeb5 100644
--- a/rds-postgres/primary-instance/main.tf
+++ b/rds-postgres/primary-instance/main.tf
@@ -11,7 +11,7 @@ resource "aws_db_instance" "this" {
identifier = var.identifier
instance_class = var.instance_class
iops = var.iops
- kms_key_id = var.kms_key_id
+ kms_key_id = local.primary_kms_key
maintenance_window = var.maintenance_window
max_allocated_storage = var.max_allocated_storage
multi_az = var.multi_az
@@ -50,6 +50,12 @@ resource "aws_db_instance" "this" {
}
}
+module "customer_kms" {
+ source = "github.com/thoughtbot/terraform-aws-secrets//customer-managed-kms?ref=3e5155d"
+
+ name = var.identifier
+}
+
resource "random_id" "snapshot_suffix" {
byte_length = 4
}
@@ -148,4 +154,6 @@ locals {
local.owned_vpc_security_group_ids,
local.shared_vpc_security_group_ids
)
+
+ primary_kms_key = var.kms_key_id == null ? module.customer_kms.kms_key_arn : var.kms_key_id
}
diff --git a/rds-postgres/primary-instance/outputs.tf b/rds-postgres/primary-instance/outputs.tf
index c146e40..53fcd85 100644
--- a/rds-postgres/primary-instance/outputs.tf
+++ b/rds-postgres/primary-instance/outputs.tf
@@ -38,6 +38,11 @@ output "instance" {
value = aws_db_instance.this
}
+output "primary_kms_key" {
+ description = "KMS key arn in use by primary database instance."
+ value = local.primary_kms_key
+}
+
output "server_security_group_id" {
description = "Name of the security group created for the server"
value = join("", module.server_security_group.*.id)