Draft Proposal: Establish a dedicated "NIST Mode" for easing compliance

[apmarshall]

Description

This PR introduces a new variable, nist_mode, which, when set to true overrides other variables within the module to guarantee certain values for compliance purposes.

For this KMS module, the impact is fairly trivial, but it demonstrates the concept. For a more complex implementation, see this PR for the S3 Bucket module: terraform-aws-modules/terraform-aws-s3-bucket#275

Motivation and Context

There are some environments, especially those in the government space, where adherence to NIST SP 800-53 standards is required. Rather than creating separate modules that enforce these requirements, this allows users in those environments to continue using these community supported modules by setting a single variable to ensure compliance requirements are met.

Breaking Changes

This should not introduce any breaking changes to uses who do not enable nist_mode. The default for nist_mode is set to false, which means that the module should continue to perform exactly as it currently does for users who have not enabled nist_mode. Enabling nist_mode overrides certain variables, as documented in the README, which could result in breaking changes for module implementations that would have been out of compliance before setting nist_mode to true.

How Has This Been Tested?

• I have updated at least one of the examples/* to demonstrate and validate my change(s)
• I have tested and validated these changes using one or more of the provided examples/* projects

• I have executed pre-commit run -a on my pull request

[bryantbiggs]

thank you for the PR, but unfortunately I don't think this is necessary. On one hand, we already default to rotating keys

terraform-aws-kms/variables.tf

Line 56 in 22226b6

default = true

But more importantly, I don't know that its appropriate for us to say that something is or is not compliant per a standard or specification. We always try to default to a preferred/recommended posture, but ultimately its up to users to chose based on their requirements. - cc @antonbabenko

[antonbabenko]

I agree that this PR is unnecessary for the same reasons as @bryantbiggs said. It is always up to users to provide the values they want to become compliant-ready.

PS: My project https://compliance.tf is in development. It aims to help people like @apmarshall

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.