Merge pull request #1 from Infrastrukturait/kms-support

Kms support for v0.2.0

README.md

@@ -57,20 +57,24 @@ No modules.
 | [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_website_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | Set to `false` to disable the blocking of new public access lists on the bucket | `bool` | `true` | no |
-| <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | Set to `false` to disable the blocking of new public policies on the bucket | `bool` | `true` | no |
-| <a name="input_bucket_acl"></a> [bucket\_acl](#input\_bucket\_acl) | The [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) to apply.<br>We recommend `private` to avoid exposing sensitive information. When `website_enabled` override by `public-read` | `string` | `null` | no |
+| <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | Set to `false` to disable the blocking of new public access lists on the bucket. | `bool` | `true` | no |
+| <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | Set to `false` to disable the blocking of new public policies on the bucket. | `bool` | `true` | no |
+| <a name="input_bucket_acl"></a> [bucket\_acl](#input\_bucket\_acl) | The [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) to apply.<br>We recommend `private` to avoid exposing sensitive information. When `website_enabled` override by `public-read`. | `string` | `null` | no |
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | Name of the bucket. If omitted, Terraform will assign a random, unique name. | `string` | n/a | yes |
 | <a name="input_bucket_policy"></a> [bucket\_policy](#input\_bucket\_policy) | A bucket policy in JSON format | `string` | `""` | no |
+| <a name="input_encryption_enabled"></a> [encryption\_enabled](#input\_encryption\_enabled) | Boolean to enable server-side encryption for S3 bucket. | `bool` | `false` | no |
+| <a name="input_encryption_master_kms_key"></a> [encryption\_master\_kms\_key](#input\_encryption\_master\_kms\_key) | AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of `encryption_sse_algorithm` as `aws:kms`<br>When empty in use is default aws/s3 AWS KMS master key provided by AWS. | `string` | `""` | no |
+| <a name="input_encryption_sse_algorithm"></a> [encryption\_sse\_algorithm](#input\_encryption\_sse\_algorithm) | server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | `string` | `"aws:kms"` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. | `bool` | `false` | no |
-| <a name="input_ignore_public_acls"></a> [ignore\_public\_acls](#input\_ignore\_public\_acls) | Set to `false` to disable the ignoring of public access lists on the bucket | `bool` | `true` | no |
-| <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Set to `false` to disable the restricting of making the bucket public | `bool` | `true` | no |
+| <a name="input_ignore_public_acls"></a> [ignore\_public\_acls](#input\_ignore\_public\_acls) | Set to `false` to disable the ignoring of public access lists on the bucket. | `bool` | `true` | no |
+| <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Set to `false` to disable the restricting of making the bucket public. | `bool` | `true` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to assign to bucket. | `map(string)` | `{}` | no |
 | <a name="input_website_enabled"></a> [website\_enabled](#input\_website\_enabled) | Enable static website hosting on bucket. | `bool` | `false` | no |
 | <a name="input_website_error_document"></a> [website\_error\_document](#input\_website\_error\_document) | The name of the index document for the website. | `string` | `null` | no |

docs/terraform.md

@@ -28,20 +28,24 @@ No modules.
 | [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_website_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | Set to `false` to disable the blocking of new public access lists on the bucket | `bool` | `true` | no |
-| <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | Set to `false` to disable the blocking of new public policies on the bucket | `bool` | `true` | no |
-| <a name="input_bucket_acl"></a> [bucket\_acl](#input\_bucket\_acl) | The [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) to apply.<br>We recommend `private` to avoid exposing sensitive information. When `website_enabled` override by `public-read` | `string` | `null` | no |
+| <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | Set to `false` to disable the blocking of new public access lists on the bucket. | `bool` | `true` | no |
+| <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | Set to `false` to disable the blocking of new public policies on the bucket. | `bool` | `true` | no |
+| <a name="input_bucket_acl"></a> [bucket\_acl](#input\_bucket\_acl) | The [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) to apply.<br>We recommend `private` to avoid exposing sensitive information. When `website_enabled` override by `public-read`. | `string` | `null` | no |
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | Name of the bucket. If omitted, Terraform will assign a random, unique name. | `string` | n/a | yes |
 | <a name="input_bucket_policy"></a> [bucket\_policy](#input\_bucket\_policy) | A bucket policy in JSON format | `string` | `""` | no |
+| <a name="input_encryption_enabled"></a> [encryption\_enabled](#input\_encryption\_enabled) | Boolean to enable server-side encryption for S3 bucket. | `bool` | `false` | no |
+| <a name="input_encryption_master_kms_key"></a> [encryption\_master\_kms\_key](#input\_encryption\_master\_kms\_key) | AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of `encryption_sse_algorithm` as `aws:kms`<br>When empty in use is default aws/s3 AWS KMS master key provided by AWS. | `string` | `""` | no |
+| <a name="input_encryption_sse_algorithm"></a> [encryption\_sse\_algorithm](#input\_encryption\_sse\_algorithm) | server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | `string` | `"aws:kms"` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. | `bool` | `false` | no |
-| <a name="input_ignore_public_acls"></a> [ignore\_public\_acls](#input\_ignore\_public\_acls) | Set to `false` to disable the ignoring of public access lists on the bucket | `bool` | `true` | no |
-| <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Set to `false` to disable the restricting of making the bucket public | `bool` | `true` | no |
+| <a name="input_ignore_public_acls"></a> [ignore\_public\_acls](#input\_ignore\_public\_acls) | Set to `false` to disable the ignoring of public access lists on the bucket. | `bool` | `true` | no |
+| <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Set to `false` to disable the restricting of making the bucket public. | `bool` | `true` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to assign to bucket. | `map(string)` | `{}` | no |
 | <a name="input_website_enabled"></a> [website\_enabled](#input\_website\_enabled) | Enable static website hosting on bucket. | `bool` | `false` | no |
 | <a name="input_website_error_document"></a> [website\_error\_document](#input\_website\_error\_document) | The name of the index document for the website. | `string` | `null` | no |

examples/s3-encrypted-bucket/main.tf

@@ -0,0 +1,28 @@
+module "app_prod_bastion_label" {
+  source   = "cloudposse/label/null"
+  version = "v0.25.0"
+
+  namespace  = "app"
+  stage      = "prod"
+  name       = "logs"
+  attributes = ["private"]
+  delimiter  = "-"
+
+  tags = {
+    "BusinessUnit" = "XYZ",
+  }
+}
+
+resource "aws_kms_key" "app_prod_bastion_bucket_key" {
+  description             = "This key is used to encrypt bucket objects"
+  deletion_window_in_days = 10
+}
+
+module "app_prod_bucket" {
+    source                      = "../../"
+    bucket_name                 = join(module.app_prod_bastion_label.delimiter, [module.app_prod_bastion_label.stage, module.app_prod_bastion_label.name, var.name])
+    bucket_acl                  = var.bucket_acl
+    encryption_enabled          = true
+    encryption_master_kms_key   = aws_kms_key.app_prod_bastion_bucket_key.arn
+    tags                        = module.app_prod_bastion_label.tags
+}

examples/s3-encrypted-bucket/outputs.tf

@@ -0,0 +1,19 @@
+output "id" {
+  description = "The name of the bucket."
+  value       = module.app_prod_bucket.id
+}
+
+output "arn" {
+  description = "The ARN of the bucket."
+  value       = module.app_prod_bucket.arn
+}
+
+output "bucket_domain_name" {
+  description = "The domain name of the bucket."
+  value       = module.app_prod_bucket.bucket_domain_name
+}
+
+output "bucket_regional_domain_name" {
+  description = "The region-specific domain name of the bucket."
+  value       = module.app_prod_bucket.bucket_regional_domain_name
+}

examples/s3-encrypted-bucket/provider.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region = var.region
+}

examples/s3-encrypted-bucket/variables.tf

@@ -0,0 +1,15 @@
+variable "region" {
+    type    = string
+}
+
+variable "name" {
+    type    = string
+}
+
+variable "bucket_acl" {
+    type    = string
+    default = "private"
+}
+
+
+

examples/s3-encrypted-bucket/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 0.13"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 2.0"
+    }
+  }
+}

main.tf

@@ -13,6 +13,18 @@ resource "aws_s3_bucket" "this" {
   tags          = var.tags
 }
 
+resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
+  count  = var.encryption_enabled ? 1 : 0
+  bucket = var.bucket_name
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = var.encryption_master_kms_key
+      sse_algorithm     = var.encryption_sse_algorithm
+    }
+  }
+}
+
 resource "aws_s3_bucket_policy" "this" {
   count  = tobool(local.bucket_policy_enabled) ? 1 : 0
   bucket = var.bucket_name

variables.tf

@@ -8,16 +8,42 @@ variable "bucket_acl" {
   default     = null
   description = <<-EOT
     The [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) to apply.
-    We recommend `private` to avoid exposing sensitive information. When `website_enabled` override by `public-read`
+    We recommend `private` to avoid exposing sensitive information. When `website_enabled` override by `public-read`.
   EOT
 }
 
 variable "bucket_policy" {
+  type        = string
+  default     = ""
   description = "A bucket policy in JSON format"
+}
+
+variable "encryption_enabled" {
+  type        = bool
+  default     = false
+  description = "Boolean to enable server-side encryption for S3 bucket."
+}
+
+variable "encryption_master_kms_key" {
   type        = string
   default     = ""
+  description = <<-EOT
+    AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of `encryption_sse_algorithm` as `aws:kms`
+    When empty in use is default aws/s3 AWS KMS master key provided by AWS.
+  EOT
 }
 
+variable "encryption_sse_algorithm" {
+  type        = string
+  default     = "aws:kms"
+  description = "server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms`"
+  validation {
+    condition     = contains(["AES256", "aws:kms"], var.encryption_sse_algorithm)
+    error_message = "Valid values for encryption_sse_algorithm: `AES256` and `aws:kms`."
+  } 
+}
+
+
 variable "force_destroy" {
   type        = bool
   default     = false
@@ -27,25 +53,25 @@ variable "force_destroy" {
 variable "block_public_acls" {
   type        = bool
   default     = true
-  description = "Set to `false` to disable the blocking of new public access lists on the bucket"
+  description = "Set to `false` to disable the blocking of new public access lists on the bucket."
 }
 
 variable "block_public_policy" {
   type        = bool
   default     = true
-  description = "Set to `false` to disable the blocking of new public policies on the bucket"
+  description = "Set to `false` to disable the blocking of new public policies on the bucket."
 }
 
 variable "ignore_public_acls" {
   type        = bool
   default     = true
-  description = "Set to `false` to disable the ignoring of public access lists on the bucket"
+  description = "Set to `false` to disable the ignoring of public access lists on the bucket."
 }
 
 variable "restrict_public_buckets" {
   type        = bool
   default     = true
-  description = "Set to `false` to disable the restricting of making the bucket public"
+  description = "Set to `false` to disable the restricting of making the bucket public."
 }
 
 variable "website_enabled" {