feat(resolves #32): Allow AES256

flagscript · Sep 9, 2024 · 76c9540 · 76c9540
1 parent 10c98b0
commit 76c9540
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 2 deletions.
diff --git a/bucket_policies.tf b/bucket_policies.tf
@@ -36,7 +36,7 @@ data "aws_iam_policy_document" "bucket_policy_document" {
       condition {
         test     = "StringNotEquals"
         variable = "s3:x-amz-server-side-encryption"
-        values   = ["AES256", "aws:kms"]
+        values   = [local.kms_key_type]
       }
       principals {
         type        = "*"

diff --git a/locals.tf b/locals.tf
@@ -10,6 +10,7 @@ locals {
   current_account_id   = data.aws_caller_identity.current.account_id
   current_region       = data.aws_region.current.id
   do_cloudfront_policy = length(var.cloudfront_distribution_arns) > 0
+  kms_key_type         = local.use_owned_kms || !var.use_aws_owned_kms ? "aws:kme" : "AES256"
   use_owned_kms        = var.kms_key_arn != ""
   common_tags = {
     "github:module:repository" = "flagscript/terraform-aws-flagscript-s3-bucket"

diff --git a/main.tf b/main.tf
@@ -49,7 +49,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "bucket_encryption
   rule {
     apply_server_side_encryption_by_default {
       kms_master_key_id = local.use_owned_kms ? var.kms_key_arn : null
-      sse_algorithm     = "aws:kms"
+      sse_algorithm     = local.kms_key_type
     }
     bucket_key_enabled = var.enable_bucket_key
   }

diff --git a/variables.tf b/variables.tf
@@ -53,3 +53,9 @@ variable "object_ownership" {
     error_message = "Variable object_ownership must be a valid value."
   }
 }
+
+variable "use_aws_owned_kms" {
+  default     = false
+  description = "If kms_key_arn is not provided, use AES256 over aws/s3 aws managed key."
+  type        = bool
+}