fix(aws): only validate KMS when eks_kms_arn is provided #3200

Open
0rlych1kk4 wants to merge 3 commits into nebari-dev:main from 0rlych1kk4:fix/aws-kms-selection

@0rlych1kk4

Reference Issues or PRs

Fixes #3059

What does this implement/fix?

This PR fixes AWS KMS validation in the infrastructure stage.

Previously, amazon_web_services.kms_key_arns() was called even when eks_kms_arn was not set, which could:

  • Trigger unnecessary AWS API calls
  • Cause failures for configurations that do not use EKS encryption

This change ensures KMS validation is performed only when eks_kms_arn is explicitly provided.
Existing behavior remains unchanged when the value is set.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature
  • Breaking change
  • Documentation Update
  • Code style update
  • Refactoring
  • Build related changes
  • Other

Documentation

Not applicable.

Testing

  • Did you test the pull request locally?
  • Did you add new tests?

How to test this PR?

  1. Configure AWS provider without eks_kms_arn
    • Validation should complete without calling KMS.
  2. Configure AWS provider with a valid eks_kms_arn
    • Existing validation behavior should work as before.

Any other comments?

This change avoids unnecessary AWS calls and improves reliability for deployments that do not use EKS encryption.
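
The guard described in this PR, sketched as an added example (not code from the PR or from Nebari). `FakeKMS`, `validate_always`, `validate_when_set` and the sample ARN are hypothetical names and constructed values that stand in for the provider lookup so the comparison runs offline.

```python
from typing import Callable, Iterable, Optional

# Constructed sample ARN (placeholder account and key id).
SAMPLE_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"


class KMSLookupError(RuntimeError):
    """Constructed stand-in for a failed AWS call (e.g. no KMS permissions)."""


class FakeKMS:
    """Hypothetical offline replacement for the provider's key lookup; counts calls."""

    def __init__(self, arns: Iterable[str] = (), fail: bool = False):
        self.arns, self.fail, self.calls = list(arns), fail, 0

    def __call__(self) -> list:
        self.calls += 1
        if self.fail:
            raise KMSLookupError("lookup refused (constructed error)")
        return self.arns


def validate_always(eks_kms_arn: Optional[str], lookup: Callable[[], list]) -> Optional[str]:
    """Behaviour the PR describes as the bug: the lookup runs even with no ARN set."""
    available = lookup()
    if eks_kms_arn is not None and eks_kms_arn not in available:
        raise ValueError(f"KMS key {eks_kms_arn!r} not found in account")
    return eks_kms_arn


def validate_when_set(eks_kms_arn: Optional[str], lookup: Callable[[], list]) -> Optional[str]:
    """Guarded form: no AWS call unless eks_kms_arn is explicitly provided."""
    if eks_kms_arn is None:
        return None
    if eks_kms_arn not in lookup():
        raise ValueError(f"KMS key {eks_kms_arn!r} not found in account")
    return eks_kms_arn


if __name__ == "__main__":
    denied = FakeKMS(fail=True)
    print(validate_when_set(None, denied), denied.calls)
    ok = FakeKMS([SAMPLE_ARN])
    print(validate_when_set(SAMPLE_ARN, ok), ok.calls)
```

With the guard in place, a deployment that does not set eks_kms_arn validates even when the account cannot list KMS keys, while a configured ARN is still checked against the account.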

@0rlych1kk4 0rlych1kk4 requested a review from a team as a code owner February 10, 2026 08:56
@0rlych1kk4 0rlych1kk4 requested review from dcmcand and marcelovilla and removed request for a team February 10, 2026 08:56
@0rlych1kk4
Author

Hi Nebari team,
This is my first contribution, happy to make any changes if needed. The change is intentionally minimal to avoid altering existing behavior.

Thanks for the review!

@0rlych1kk4
Author

Hi @dcmcand @marcelovilla Nebari team,

Just a quick follow-up on this PR. The change ensures that KMS validation only runs when eks_kms_arn is explicitly provided, preventing unnecessary AWS API calls for deployments that do not use EKS encryption.

All checks have passed locally and in CI. Please let me know if any adjustments are needed — happy to update the PR.

Thanks for the review!

Development

Successfully merging this pull request may close these issues.

[BUG] - Nebari attempts to use an existing KMS even if its not configured