NHSDigital · nc-shahidazim · Feb 20, 2026 · Feb 19, 2026
diff --git a/infrastructure/modules/key-vault/alerts.tf b/infrastructure/modules/key-vault/alerts.tf
@@ -1,5 +1,5 @@
 resource "azurerm_monitor_scheduled_query_rules_alert_v2" "kv_secret_near_expiry" {
-  count = var.enable_alerting == true ? 1 : 0
+  count = var.enable_alerting == true && var.secret_near_expiry_alert != null ? 1 : 0
 
   name                = "${azurerm_key_vault.keyvault.name}-secret-near-expiry"
   resource_group_name = var.resource_group_name_monitoring != null ? var.resource_group_name_monitoring : var.resource_group_name
@@ -48,7 +48,7 @@ QUERY
 }
 
 resource "azurerm_monitor_scheduled_query_rules_alert_v2" "kv_secret_expired" {
-  count = var.enable_alerting == true ? 1 : 0
+  count = var.enable_alerting == true && var.secret_expired_alert != null ? 1 : 0
 
   name                = "${azurerm_key_vault.keyvault.name}-secret-expired"
   resource_group_name = var.resource_group_name_monitoring != null ? var.resource_group_name_monitoring : var.resource_group_name
@@ -97,7 +97,7 @@ QUERY
 }
 
 resource "azurerm_monitor_scheduled_query_rules_alert_v2" "kv_certificate_near_expiry" {
-  count = var.enable_alerting == true ? 1 : 0
+  count = var.enable_alerting == true && var.certificate_near_expiry_alert != null ? 1 : 0
 
   name                = "${azurerm_key_vault.keyvault.name}-certificate-near-expiry"
   resource_group_name = var.resource_group_name_monitoring != null ? var.resource_group_name_monitoring : var.resource_group_name
@@ -146,7 +146,7 @@ QUERY
 }
 
 resource "azurerm_monitor_scheduled_query_rules_alert_v2" "kv_certificate_expired" {
-  count = var.enable_alerting == true ? 1 : 0
+  count = var.enable_alerting == true && var.certificate_expired_alert != null ? 1 : 0
 
   name                = "${azurerm_key_vault.keyvault.name}-certificate-expired"
   resource_group_name = var.resource_group_name_monitoring != null ? var.resource_group_name_monitoring : var.resource_group_name

diff --git a/infrastructure/modules/key-vault/tfdocs.md b/infrastructure/modules/key-vault/tfdocs.md
@@ -170,6 +170,8 @@ object({
 })
 ```
 
+Default: `null`
+
 ### <a name="input_secret_expired_alert"></a> [secret\_expired\_alert](#input\_secret\_expired\_alert)
 
 Description: Configuration for the Key Vault secret expired alert.
@@ -184,6 +186,8 @@ object({
 })
 ```
 
+Default: `null`
+
 ### <a name="input_certificate_near_expiry_alert"></a> [certificate\_near\_expiry\_alert](#input\_certificate\_near\_expiry\_alert)
 
 Description: Configuration for the Key Vault certificate near expiry alert.
@@ -198,6 +202,8 @@ object({
 })
 ```
 
+Default: `null`
+
 ### <a name="input_certificate_expired_alert"></a> [secret\_certificate\_alert](#input\_certificate\_expired\_alert)
 
 Description: Configuration for the Key Vault certificate expired alert.
@@ -212,6 +218,8 @@ object({
 })
 ```
 
+Default: `null`
+
 ## Modules
 
 The following Modules are called:

diff --git a/infrastructure/modules/key-vault/variables.tf b/infrastructure/modules/key-vault/variables.tf
@@ -67,24 +67,20 @@ variable "secret_near_expiry_alert" {
   validation {
     condition = contains(
       ["PT1M", "PT5M", "PT15M", "PT30M", "PT1H", "PT6H", "PT12H", "P1D"],
-      var.secret_near_expiry_alert.evaluation_frequency
+      try(var.secret_near_expiry_alert.evaluation_frequency, "P1D")
     )
     error_message = "secret_near_expiry_alert.evaluation_frequency must be one of: PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H, P1D"
   }
 
   validation {
     condition = contains(
       ["PT1M", "PT5M", "PT15M", "PT30M", "PT1H", "PT6H", "PT12H", "P1D"],
-      var.secret_near_expiry_alert.window_duration
+      try(var.secret_near_expiry_alert.window_duration, "P1D")
     )
     error_message = "secret_near_expiry_alert.window_duration must be one of: PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H, P1D"
   }
 
-  default = {
-    evaluation_frequency = "P1D" # every 24 hours
-    window_duration      = "P1D" # last 24 hours
-    threshold            = 1
-  }
+  default = null
 }
 
 variable "secret_expired_alert" {
@@ -97,24 +93,20 @@ variable "secret_expired_alert" {
   validation {
     condition = contains(
       ["PT1M", "PT5M", "PT15M", "PT30M", "PT1H", "PT6H", "PT12H", "P1D"],
-      var.secret_expired_alert.evaluation_frequency
+      try(var.secret_expired_alert.evaluation_frequency, "PT15M")
     )
     error_message = "secret_expired_alert.evaluation_frequency must be one of: PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H, P1D"
   }
 
   validation {
     condition = contains(
       ["PT1M", "PT5M", "PT15M", "PT30M", "PT1H", "PT6H", "PT12H", "P1D"],
-      var.secret_expired_alert.window_duration
+      try(var.secret_expired_alert.window_duration, "PT1H")
     )
     error_message = "secret_expired_alert.window_duration must be one of: PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H, P1D"
   }
 
-  default = {
-    evaluation_frequency = "PT15M" # every 15 mins
-    window_duration      = "PT1H"  # last 1 hour
-    threshold            = 1
-  }
+  default = null
 }
 
 variable "certificate_near_expiry_alert" {
@@ -127,24 +119,20 @@ variable "certificate_near_expiry_alert" {
   validation {
     condition = contains(
       ["PT1M", "PT5M", "PT15M", "PT30M", "PT1H", "PT6H", "PT12H", "P1D"],
-      var.certificate_near_expiry_alert.evaluation_frequency
+      try(var.certificate_near_expiry_alert.evaluation_frequency, "P1D")
     )
     error_message = "certificate_near_expiry_alert.evaluation_frequency must be one of: PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H, P1D"
   }
 
   validation {
     condition = contains(
       ["PT1M", "PT5M", "PT15M", "PT30M", "PT1H", "PT6H", "PT12H", "P1D"],
-      var.certificate_near_expiry_alert.window_duration
+      try(var.certificate_near_expiry_alert.window_duration, "P1D")
     )
     error_message = "certificate_near_expiry_alert.window_duration must be one of: PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H, P1D"
   }
 
-  default = {
-    evaluation_frequency = "P1D" # every 24 hours
-    window_duration      = "P1D" # last 24 hours
-    threshold            = 1
-  }
+  default = null
 }
 
 variable "certificate_expired_alert" {
@@ -157,24 +145,20 @@ variable "certificate_expired_alert" {
   validation {
     condition = contains(
       ["PT1M", "PT5M", "PT15M", "PT30M", "PT1H", "PT6H", "PT12H", "P1D"],
-      var.certificate_expired_alert.evaluation_frequency
+      try(var.certificate_expired_alert.evaluation_frequency, "PT15M")
     )
     error_message = "certificate_expired_alert.evaluation_frequency must be one of: PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H, P1D"
   }
 
   validation {
     condition = contains(
       ["PT1M", "PT5M", "PT15M", "PT30M", "PT1H", "PT6H", "PT12H", "P1D"],
-      var.certificate_expired_alert.window_duration
+      try(var.certificate_expired_alert.window_duration, "PT1H")
     )
     error_message = "certificate_expired_alert.window_duration must be one of: PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H, P1D"
   }
 
-  default = {
-    evaluation_frequency = "PT15M" # every 15 mins
-    window_duration      = "PT1H"  # last 1 hour
-    threshold            = 1
-  }
+  default = null
 }
 
 variable "name" {