From 0d2123c387cd56782f1ad879e12585af4340b37e Mon Sep 17 00:00:00 2001
From: Marco Kilchhofer
Date: Mon, 23 Jan 2023 14:05:44 +0100
Subject: [PATCH] chore: Apply changes from code review - nullable=false on `kms_enabled` - Validate kms_enabled and UserAssigned identity
---
 main.tf | 4 ++++
 variables.tf | 1 +
 2 files changed, 5 insertions(+)
diff --git a/main.tf b/main.tf
index 29d4c384..778aef25 100644
--- a/main.tf
+++ b/main.tf
@@ -291,6 +291,10 @@ resource "azurerm_kubernetes_cluster" "main" {
 condition = var.role_based_access_control_enabled || !var.rbac_aad
 error_message = "Enabling Azure Active Directory integration requires that `role_based_access_control_enabled` be set to true."
 }
+ precondition {
+ condition = var.kms_enabled && var.identity_type != "UserAssigned"
+ error_message = "KMS etcd encryption doesn't work with system-assigned managed identity."
+ }
 }
 }
diff --git a/variables.tf b/variables.tf
index 72537b31..4e703cf9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -339,6 +339,7 @@ variable "kms_enabled" {
 type = bool
 description = "(Optional) Enable Azure KeyVault Key Management Service."
 default = false
+ nullable = false
 }
 variable "kms_key_vault_key_id" {
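Review bot: The `condition` of the new precondition in main.tf is inverted. Terraform reports `error_message` when the condition evaluates to false, so the expression must describe the valid state. As written, the check passes only when `kms_enabled` is true and `identity_type` is not `UserAssigned`, which is the combination the message says does not work. It fails for every other input, including the default `kms_enabled = false` and the intended KMS-with-user-assigned-identity setup. The line should read `condition = !var.kms_enabled || var.identity_type == "UserAssigned"`. The enclosing `lifecycle` block starts outside the hunk, so whether another check covers this case is not visible here.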