
feat: Allow overriding Performance Insights KMS key#95

Open

vyrwu wants to merge 1 commit into cloudposse-terraform-components:main from vyrwu:feat/performance-insights-kms-key-override

Conversation


@vyrwu vyrwu commented Apr 23, 2026

What

Add a performance_insights_kms_key_arn variable to allow users to specify a custom KMS key ARN for Performance Insights encryption. When null (default), the component falls back to the existing RDS CMK — preserving current behavior.

Why

If the cluster already has a PI KMS key assigned by AWS (typically the default aws/rds managed key — e.g. from a prior manual enablement or a partially applied change), AWS rejects the modification with:

InvalidParameterCombination: You can't change your Performance Insights KMS key.

This is because Performance Insights KMS keys are immutable after cluster creation. There is currently no way to tell the component to use a different key, forcing users to work around this with lifecycle ignore rules or manual state manipulation.

Changes

  • src/variables.tf: New performance_insights_kms_key_arn variable (string, default null)
  • src/cluster-regional.tf: Use coalesce(var.performance_insights_kms_key_arn, module.kms_key_rds.key_arn) so the override takes precedence when set

Usage

# Use the AWS-managed key already assigned to an existing cluster
performance_insights_kms_key_arn: "arn:aws:kms:eu-west-1:123456789012:key/abcd1234-5678-90ab-cdef-example11111"

Generated with Claude Opus 4.6

Summary by CodeRabbit

  • New Features
    • Added support for custom KMS key management for Performance Insights encryption. Users can now provide their own KMS key ARN, with automatic fallback to the default RDS-managed key when not configured.


coderabbitai Bot commented Apr 23, 2026

Warning

Rate limit exceeded

@vyrwu has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 57 minutes and 25 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 57 minutes and 25 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4f13481a-0a11-4214-bf93-06b50653656f

📥 Commits

Reviewing files that changed from the base of the PR and between 7753c69 and e3d73ee.

📒 Files selected for processing (2)
  • src/cluster-regional.tf
  • src/variables.tf
📝 Walkthrough

Walkthrough

Adds a new optional input variable performance_insights_kms_key_arn to allow users to supply a custom KMS key ARN for Performance Insights encryption in Aurora PostgreSQL clusters. When provided, it takes precedence over the default RDS CMK.

Changes

  • Variable Declaration (src/variables.tf): Introduces new optional input variable performance_insights_kms_key_arn (type: string, default: null) for configuring Performance Insights KMS key encryption.
  • Module Configuration (src/cluster-regional.tf): Updates the aurora_postgres_cluster module to conditionally assign performance_insights_kms_key_id from the user-supplied variable when provided, falling back to the default RDS CMK when unset.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

needs-test

Suggested reviewers

  • goruha
  • oycyc

Poem

🐰 A key for your insights, now yours to declare,
Performance Insights, encrypted with care,
No more defaults—custom KMS is here,
Variables wired with logic so clear! ✨

Pre-merge checks: 5 passed

  • Title check: Passed. The title accurately summarizes the main change: allowing users to override the Performance Insights KMS key instead of always using the default RDS CMK.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.


@mergify mergify Bot requested review from a team April 23, 2026 11:06
@mergify mergify Bot added triage Needs triage needs-test Needs testing labels Apr 23, 2026

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
src/cluster-regional.tf (1)

37-37: Override wiring is correct; consider an ARN-format validation on the variable.

coalesce(var.performance_insights_kms_key_arn, module.kms_key_rds.key_arn) behaves as intended: when the override is null, coalesce skips it and returns the RDS CMK ARN; when set, the user-supplied ARN wins. Note that coalesce also treats an empty string "" as a valid value and would pass it through to the upstream module, causing an AWS API error at apply time. Since the input is semantically an ARN, consider adding a lightweight validation on the variable to reject empty strings and enforce an arn: prefix, e.g.:

🛡️ Optional validation on performance_insights_kms_key_arn
 variable "performance_insights_kms_key_arn" {
   type        = string
   default     = null
   description = "ARN of the KMS key for Performance Insights encryption. If null, defaults to the RDS CMK."
+
+  validation {
+    condition     = var.performance_insights_kms_key_arn == null || can(regex("^arn:aws[a-zA-Z-]*:kms:", var.performance_insights_kms_key_arn))
+    error_message = "performance_insights_kms_key_arn must be null or a valid KMS key ARN (starting with 'arn:aws:kms:')."
+  }
 }
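Review bot: the error_message on the added validation block does not match its condition. The regex `^arn:aws[a-zA-Z-]*:kms:` deliberately accepts other partitions (arn:aws-cn:kms:, arn:aws-us-gov:kms:), but the message tells the user the value must start with 'arn:aws:kms:', which would send a GovCloud or China-region user chasing a non-error; either word the message as "a KMS key ARN (arn:<partition>:kms:...)" or drop the partition wildcard from the regex so the two agree. The condition line is also long enough to be hard to read in a diff; splitting it as
  condition = (
    var.performance_insights_kms_key_arn == null ||
    can(regex("^arn:aws[a-zA-Z-]*:kms:", var.performance_insights_kms_key_arn))
  )
keeps the same logic. Note that `can(regex(...))` returns false for both null and the empty string, so the empty-string case the comment above describes is covered as written.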

Also worth confirming: the upstream cloudposse/rds-cluster/aws v2.4.0 input performance_insights_kms_key_id accepts an ARN (AWS allows either a key ID or ARN here), which is consistent with how kms_key_arn is used on line 36.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/cluster-regional.tf` at line 37, Summary: coalesce(...) will accept an
empty string and pass it through causing AWS apply errors; add validation to
reject empty strings and enforce ARN format on the override variable. Update the
variable declaration for performance_insights_kms_key_arn: make sure its default
is null (not ""), and add a validation block that allows null OR a string
matching an ARN prefix (e.g., condition: var.performance_insights_kms_key_arn ==
null || can(regex("^arn:", var.performance_insights_kms_key_arn))), with a clear
error_message; this ensures the coalesce in performance_insights_kms_key_id
continues to prefer the override but will never receive an empty string or
non-ARN value.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1c8e84bf-0f6e-441f-8a65-91b75106c3de

📥 Commits

Reviewing files that changed from the base of the PR and between 4cdb023 and 7753c69.

📒 Files selected for processing (2)
  • src/cluster-regional.tf
  • src/variables.tf

Add performance_insights_kms_key_arn variable to allow specifying a
custom KMS key ARN for Performance Insights encryption. When null
(default), falls back to the component's RDS CMK.

This is needed when a cluster was initially created with PI disabled
(or with a different KMS key), and PI is later enabled via Terraform.
In that scenario, the cluster already has a PI KMS key assigned by AWS
(typically the default aws/rds managed key), and the component
unconditionally tries to set the RDS CMK — which AWS rejects because
PI KMS keys cannot be changed after cluster creation.

The new variable allows users to pass the ARN of the key already in
use, preventing the InvalidParameterCombination error:

  "You can't change your Performance Insights KMS key."

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@vyrwu vyrwu force-pushed the feat/performance-insights-kms-key-override branch from 7753c69 to e3d73ee Compare April 23, 2026 11:08
@RoseSecurity (Contributor) commented:

/terratest
