[Fix]remove required kms_arn in Export (#374)

* remove required kms_arn in Export

* fix test

* handle null check

Author: alice-yin

docs/resources/namespace_export_sink.md

@@ -53,10 +53,13 @@ Required:
 
 - `aws_account_id` (String) The AWS account ID associated with the S3 bucket and the assumed role.
 - `bucket_name` (String) The name of the destination S3 bucket where Temporal will send data.
-- `kms_arn` (String) The AWS Key Management Service (KMS) ARN used for encryption.
 - `region` (String) The region where the S3 bucket is located.
 - `role_name` (String) The IAM role that Temporal Cloud assumes for writing records to the customer's S3 bucket.
 
+Optional:
+
+- `kms_arn` (String) The AWS Key Management Service (KMS) ARN used for encryption.
+
 
 <a id="nestedblock--timeouts"></a>
 ### Nested Schema for `timeouts`

internal/provider/namespace_export_sink_resource.go

@@ -146,7 +146,7 @@ func (r *namespaceExportSinkResource) Schema(ctx context.Context, req resource.S
 					},
 					"kms_arn": schema.StringAttribute{
 						Description: "The AWS Key Management Service (KMS) ARN used for encryption.",
-						Required:    true,
+						Optional:    true,
 					},
 					"aws_account_id": schema.StringAttribute{
 						Description: "The AWS account ID associated with the S3 bucket and the assumed role.",
@@ -274,9 +274,13 @@ func updateSinkModelFromSpec(ctx context.Context, state *namespaceExportSinkReso
 			RoleName:     types.StringValue(sink.GetSpec().GetS3().GetRoleName()),
 			BucketName:   types.StringValue(sink.GetSpec().GetS3().GetBucketName()),
 			Region:       types.StringValue(sink.GetSpec().GetS3().GetRegion()),
-			KmsArn:       types.StringValue(sink.GetSpec().GetS3().GetKmsArn()),
 			AwsAccountId: types.StringValue(sink.GetSpec().GetS3().GetAwsAccountId()),
 		}
+
+		if sink.GetSpec().GetS3().GetKmsArn() != "" {
+			s3Spec.KmsArn = types.StringValue(sink.GetSpec().GetS3().GetKmsArn())
+		}
+
 		s3Obj, diags = types.ObjectValueFrom(ctx, internaltypes.S3SpecModelAttrTypes, s3Spec)
 		diags.Append(diags...)
 		if diags.HasError() {
@@ -411,16 +415,22 @@ func getSinkSpecFromModel(ctx context.Context, plan *namespaceExportSinkResource
 			return nil, diags
 		}
 
+		s3SinkSpec := &sinkv1.S3Spec{
+			RoleName:     s3Spec.RoleName.ValueString(),
+			BucketName:   s3Spec.BucketName.ValueString(),
+			Region:       s3Spec.Region.ValueString(),
+			KmsArn:       s3Spec.KmsArn.ValueString(),
+			AwsAccountId: s3Spec.AwsAccountId.ValueString(),
+		}
+
+		if !s3Spec.KmsArn.IsNull() {
+			s3SinkSpec.KmsArn = s3Spec.KmsArn.ValueString()
+		}
+
 		return &namespacev1.ExportSinkSpec{
 			Name:    plan.SinkName.ValueString(),
 			Enabled: plan.Enabled.ValueBool(),
-			S3: &sinkv1.S3Spec{
-				RoleName:     s3Spec.RoleName.ValueString(),
-				BucketName:   s3Spec.BucketName.ValueString(),
-				Region:       s3Spec.Region.ValueString(),
-				KmsArn:       s3Spec.KmsArn.ValueString(),
-				AwsAccountId: s3Spec.AwsAccountId.ValueString(),
-			},
+			S3:      s3SinkSpec,
 		}, nil
 	} else if !plan.Gcs.IsNull() {
 		var gcsSpec internaltypes.GCSSpecModel

internal/provider/namespace_export_sink_resource_test.go

@@ -50,7 +50,6 @@ func TestAccNamespaceExportSink_S3(t *testing.T) {
 					resource.TestCheckResourceAttr("temporalcloud_namespace_export_sink.test", "s3.region", sinkRegion),
 					resource.TestCheckResourceAttr("temporalcloud_namespace_export_sink.test", "s3.role_name", "test-role"),
 					resource.TestCheckResourceAttr("temporalcloud_namespace_export_sink.test", "s3.aws_account_id", "123456789012"),
-					resource.TestCheckResourceAttr("temporalcloud_namespace_export_sink.test", "s3.kms_arn", "arn:aws:kms:us-east-1:123456789012:key/test-key"),
 				),
 			},
 			// ImportState testing
@@ -186,7 +185,6 @@ resource "temporalcloud_namespace_export_sink" "test" {
     region         = %[4]q
     role_name      = "test-role"
     aws_account_id = "123456789012"
-    kms_arn        = "arn:aws:kms:us-east-1:123456789012:key/test-key"
   }
 
 }