Allow specifying a KMS Key ID for server-side encryption (#58)

README.md

@@ -69,6 +69,7 @@ The AWS S3 build cache implementation has a few configuration options:
 | `showStatisticsWhenSavingsExceeds`  | Specifies minimum duration to trigger printing the stats, milliseconds                                                                            | Yes       | `100`                                    |
 | `showStatisticsWhenWasteExceeds`    | Specifies minimum duration to trigger printing the stats, milliseconds                                                                            | Yes       | `100`                                    |
 | `showStatisticsWhenTransferExceeds` | Specifies minimum transfer size to trigger printing the stats, bytes                                                                              | Yes       | 10*1024*1024                             |
+| `kmsKeyId`                          | The ID of the KMS key to encrypt cache objects in S3. ([Using KMS Encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html)) | no |                                     |
 
 Note: if both `awsAccessKeyId` and `awsSecretKey` are `nullOrBlank` (`null` or whitespace only), then anonymous credentials are used.
 

src/main/kotlin/com/github/burrunan/s3cache/AwsS3BuildCache.kt

@@ -22,6 +22,7 @@ open class AwsS3BuildCache : AbstractBuildCache() {
     var region: String? = null
     var bucket: String? = null
     var prefix: String? = "cache/"
+    var kmsKeyId: String? = null
     var maximumCachedObjectLength: Long = 50 * 1024 * 1024
     var isReducedRedundancy = true
     var endpoint: String? = null

src/main/kotlin/com/github/burrunan/s3cache/internal/AwsS3BuildCacheService.kt

@@ -40,6 +40,7 @@ class AwsS3BuildCacheService internal constructor(
     s3Factory: () -> S3Client,
     private val bucketName: String,
     private val prefix: String?,
+    private val kmsKeyId: String?,
     private val reducedRedundancy: Boolean,
     private val maximumCachedObjectLength: Long,
     private val showStatistics: Boolean,
@@ -245,6 +246,10 @@ class AwsS3BuildCacheService internal constructor(
                 {
                     it.bucket(bucketName)
                     it.key(bucketPath)
+                    if (kmsKeyId != null) {
+                        it.serverSideEncryption("aws:kms")
+                        it.ssekmsKeyId(kmsKeyId)
+                    }
                     it.contentLength(writer.size)
                     it.contentType(BUILD_CACHE_CONTENT_TYPE)
                     if (userMetadata != null) {

src/main/kotlin/com/github/burrunan/s3cache/internal/AwsS3BuildCacheServiceFactory.kt

@@ -44,6 +44,7 @@ class AwsS3BuildCacheServiceFactory : BuildCacheServiceFactory<AwsS3BuildCache>
             describe("Bucket", config.bucket)
             describe("Reduced Redundancy", config.isReducedRedundancy)
             describe("Prefix", config.prefix)
+            describe("KMS Key ID", config.kmsKeyId)
             describe("Endpoint", config.endpoint)
             describe("Transfer Acceleration", config.transferAcceleration)
         }
@@ -52,6 +53,7 @@ class AwsS3BuildCacheServiceFactory : BuildCacheServiceFactory<AwsS3BuildCache>
             { createS3Client(config) },
             config.bucket!!,
             config.prefix,
+            config.kmsKeyId,
             config.isReducedRedundancy,
             config.maximumCachedObjectLength,
             config.showStatistics,

src/test/kotlin/com/github/burrunan/s3cache/RemoteCacheTest.kt

@@ -57,6 +57,7 @@ class RemoteCacheTest : BaseGradleTest() {
             .withParameter("server.ssl.key-alias", "selfsigned")
             .withParameter("server.ssl.key-password", "password")
             .withParameter("server.ssl.key-store-password", "password")
+            .withParameter("com.adobe.testing.s3mock.domain.validKmsKeys", "arn:aws:kms:us-east-1:47110815:key/972393be-674f-4bdc-87ff-ea1b2588a1c6")
             .withInitialBuckets(BUCKET_NAME)
             .build()
 
@@ -130,6 +131,7 @@ class RemoteCacheTest : BaseGradleTest() {
                     region = 'eu-west-1'
                     bucket = '$BUCKET_NAME'
                     prefix = 'build-cache/'
+                    kmsKeyId = '972393be-674f-4bdc-87ff-ea1b2588a1c6'
                     endpoint = 'localhost:${mockApp.port}'
                     // See https://github.com/adobe/S3Mock/issues/880
                     forcePathStyle = true

src/test/kotlin/com/github/burrunan/s3cache/internal/AwsS3BuildCacheServiceFactoryTest.kt

@@ -148,4 +148,15 @@ class AwsS3BuildCacheServiceFactoryTest {
         val service = subject.createBuildCacheService(conf, buildCacheDescriber)
         Assertions.assertNotNull(service)
     }
+
+    @Test
+    fun kmsKeyId() {
+        val conf = buildCache {
+            region = "us-west-1"
+            bucket = "my-bucket"
+            kmsKeyId = "972393be-674f-4bdc-87ff-ea1b2588a1c6"
+        }
+        val service = subject.createBuildCacheService(conf, buildCacheDescriber)
+        Assertions.assertNotNull(service)
+    }
 }