feature/kms-optional: Making Encryption configuration of SNS less constraining (also to opt out)

[azec-pdx]

what

• I was using cloudposse/terraform-aws-sns-topic to deploy SNS Topic and subscriber SQS queues for routing Bounce and Complaint notifications from AWS SES service. AWS SES won't accept SNS Topic as the notifications target unless it has enough permissions for KMS key that is configured for SNS Topic Encryption settings. With module cloudposse/terraform-aws-sns-topic using default AWS KMS key alias/aws/sns, this is limiting in two ways:
  1. It forces users of cloudposse/terraform-aws-sns-topic TF module to use encryption even if they don't provide their own KMS key. Users don't have option to deploy SNS Topic with Encryption disabled.
  2. Since users are already forced to use SNS Topic Encryption, their only option becomes to configure their own KMS key and pass it to cloudposse/terraform-aws-sns-topic module, but then there is additional requirement for users to do more IAM permissions on KMS key to allow AWS SES service access to the key to encrypt messages as they are fanned out to SNS Topic.
• This PR makes an Encryption settings of SNS Topic deployed with cloudposse/terraform-aws-sns-topic optional by providing users with some better choices:
  1. To use their own KMS key if they really want fully customized Encryption configuration of SNS Topic
  2. To opt-in to use default AWS SNS KMS key alias/aws/sns
  3. To have Encryption disabled on SNS Topic by default if they don't put effort into 1. and 2.

why

• Business case: mostly described above, to be able to have better defaults when needing SNS Topic with Encryption disabled in order to work with other AWS service (SES in this case) - especially since it is all in the same AWS account.

• The PR uses cascading logic for configuring Encryption settings of SNS Topic resource. By introducing use_default_aws_sns_kms_master_key_id, and defaulting kms_master_key_id to "", following cascading logic is applied:

  • If use_default_aws_sns_kms_master_key_id is set explicitly to true, no other variables are analyzed. In this case Encryption becomes enabled on SNS Topic and default KMS key alias/aws/sns is used in the Encryption configuration.
  • If use_default_aws_sns_kms_master_key_id is not set, then variable kms_master_key_id is analyzed (see below subcases).
    • If kms_master_key_id is set to explicit non-empty value, the Encryption becomes enabled on SNS Topic and user-specified KMS key is used in the Encryption configuration.
    • If kms_master_key_id is not passed, then module default value "" is passed to aws_sns_topic resource which then behaves in a way that Encryption on SNS Topic becomes disabled (this was tested and verified).

• This now makes possible to deploy SNS Topic without Encryption by being totally lazy with something like:

   module "sns" {
      #source = "git::https://github.com/cloudposse/terraform-aws-sns-topic.git//?ref=tags/0.16.0"
      source = "git::https://github.com/SkywardIO/terraform-aws-sns-topic.git//?ref=feature/kms-optional"
      name   = module.this.id
  
      subscribers                            = var.subscribers
      allowed_aws_services_for_sns_published = var.allowed_aws_services_for_sns_published
      sqs_dlq_enabled                        = false # Until valid case neeed for this and until CP fixes https://github.com/cloudposse/terraform-aws-sns-topic/blob/master/main.tf#L20
  }

references

• N/A?

[azec-pdx]

Reopened as #34 after some rebasing issues of our fork ...