From 69eb0ef3d970fafd4fff79ba588d8d82efb8ccfc Mon Sep 17 00:00:00 2001
From: Clayton Burlison
Date: Wed, 26 Jan 2022 10:57:05 -0600
Subject: [PATCH] feat: Fix the s3 encryption and make it optional
---
README.md | 5 +++--
s3_bucket.tf | 12 ++++++++----
variables.tf | 6 ++++++
3 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index d620a3f..e8e17fe 100644
--- a/README.md
+++ b/README.md
@@ -104,8 +104,8 @@ If this setup is destroyed and recreated the 'munki-s3-rw' policy will need to b
 | Name | Version |
 |------|---------|
-| [archive](#provider\_archive) | n/a |
-| [aws](#provider\_aws) | n/a |
+| [archive](#provider\_archive) | 2.1.0 |
+| [aws](#provider\_aws) | 3.37.0 |
 ## Modules
@@ -171,6 +171,7 @@ No modules.
 | [name](#input\_name) | Name to be used on all resources as the identifier | `string` | `"munki"` | no |
 | [s3\_bucket\_create](#input\_s3\_bucket\_create) | Set to true to create a new s3 bucket. If false you can reuse a current bucket | `bool` | `true` | no |
 | [s3\_bucket\_name](#input\_s3\_bucket\_name) | The s3 bucket name to use | `any` | n/a | yes |
+| [s3\_encryption\_enabled](#input\_s3\_encryption\_enabled) | When set to 'true' the resource will have aes256 encryption enabled by default | `bool` | `true` | no |
 | [server\_side\_makecatalogs](#input\_server\_side\_makecatalogs) | Set to true to enable server side makecatalogs when s3 bucket changes happen | `bool` | `false` | no |
 | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
diff --git a/s3_bucket.tf b/s3_bucket.tf
index a066964..6524be7 100644
--- a/s3_bucket.tf
+++ b/s3_bucket.tf
@@ -22,10 +22,14 @@ resource "aws_s3_bucket" "munki-bucket" {
 prevent_destroy = false
 }
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "aws:kms"
+ dynamic "server_side_encryption_configuration" {
+ for_each = var.s3_encryption_enabled ? ["true"] : []
+
+ content {
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
 }
 }
 }
diff --git a/variables.tf b/variables.tf
index d4bf59c..6604675 100644
--- a/variables.tf
+++ b/variables.tf
@@ -27,6 +27,12 @@ variable "s3_bucket_create" {
 default = true
 }
+variable "s3_encryption_enabled" {
+ type = bool
+ default = true
+ description = "When set to 'true' the resource will have aes256 encryption enabled by default"
+}
+
 variable "server_side_makecatalogs" {
 description = "Set to true to enable server side makecatalogs when s3 bucket changes happen"
 default = false
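Review bot: The rewritten `apply_server_side_encryption_by_default` block hard-codes `sse_algorithm = "AES256"`, so any deployment that relied on the removed `aws:kms` setting silently moves from SSE-KMS to SSE-S3 with no way to keep KMS-managed keys, and `s3_encryption_enabled = false` leaves the bucket with no default encryption at all. Consider exposing the algorithm rather than only a boolean, e.g. `sse_algorithm = var.s3_sse_algorithm` backed by a new `s3_sse_algorithm` variable defaulting to `"AES256"` (with `kms_master_key_id` optionally set for the KMS case), so callers can opt into the stronger setting without editing the module. The `for_each = var.s3_encryption_enabled ? ["true"] : []` sentinel works, but the string is arbitrary and `[1]` reads more plainly. If the aws provider pin recorded in the README (3.37.0) is later raised to 4.x, the inline `server_side_encryption_configuration` block is deprecated there in favour of a separate resource, which this conditional wrapper would need to follow. The enclosing `aws_s3_bucket` resource starts and ends outside the hunk.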
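Review bot: The `description` on the new `s3_encryption_enabled` variable documents only the `true` case; an operator reading it cannot tell that `false` creates the bucket with no default server-side encryption, which is the security-relevant consequence of the new switch. Suggest `description = "When true, the bucket gets AES256 (SSE-S3) default encryption; when false, no default encryption is configured"` and mirroring that wording in the README input table, which currently repeats the one-sided text. Adding `type = bool` here is a good addition since the value feeds a conditional expression in s3_bucket.tf.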