From 76c9540c5482987a8b9b9053df4fbba9af71d5ea Mon Sep 17 00:00:00 2001
From: Greg Kaestle
Date: Mon, 9 Sep 2024 05:46:13 -0700
Subject: [PATCH] feat(resolves #32): Allow AES256

---
 bucket_policies.tf | 2 +-
 locals.tf | 1 +
 main.tf | 2 +-
 variables.tf | 6 ++++++
 4 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/bucket_policies.tf b/bucket_policies.tf
index 5dabfd4..cbf21e9 100644
--- a/bucket_policies.tf
+++ b/bucket_policies.tf
@@ -36,7 +36,7 @@ data "aws_iam_policy_document" "bucket_policy_document" {
 condition {
 test = "StringNotEquals"
 variable = "s3:x-amz-server-side-encryption"
- values = ["AES256", "aws:kms"]
+ values = [local.kms_key_type]
 }
 principals {
 type = "*"
diff --git a/locals.tf b/locals.tf
index a97d341..c99471c 100644
--- a/locals.tf
+++ b/locals.tf
@@ -10,6 +10,7 @@ locals {
 current_account_id = data.aws_caller_identity.current.account_id
 current_region = data.aws_region.current.id
 do_cloudfront_policy = length(var.cloudfront_distribution_arns) > 0
+ kms_key_type = local.use_owned_kms || !var.use_aws_owned_kms ? "aws:kme" : "AES256"
 use_owned_kms = var.kms_key_arn != ""
 common_tags = {
 "github:module:repository" = "flagscript/terraform-aws-flagscript-s3-bucket"
diff --git a/main.tf b/main.tf
index 137a185..acb35eb 100644
--- a/main.tf
+++ b/main.tf
@@ -49,7 +49,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "bucket_encryption
 rule {
 apply_server_side_encryption_by_default {
 kms_master_key_id = local.use_owned_kms ? var.kms_key_arn : null
- sse_algorithm = "aws:kms"
+ sse_algorithm = local.kms_key_type
 }
 bucket_key_enabled = var.enable_bucket_key
 }
diff --git a/variables.tf b/variables.tf
index 7713354..45d5867 100644
--- a/variables.tf
+++ b/variables.tf
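Review bot: The bucket_policies.tf condition now rejects any PutObject whose s3:x-amz-server-side-encryption header differs from the single configured algorithm, so a client that explicitly sends AES256 to a bucket defaulting to aws:kms (or the reverse) is refused where both values were accepted before. The statement's effect is outside the hunk, but if it is a Deny this is a deliberate tightening that enforces the bucket default rather than merely requiring some encryption, and that behaviour change for existing callers belongs in the module documentation next to the new variable. If the previous permissive semantics are actually intended, the change should be limited to main.tf and `values = ["AES256", "aws:kms"]` kept here.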
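Review bot: `"aws:kme"` in the new locals.tf line is a typo for `"aws:kms"`; S3 accepts only AES256, aws:kms and aws:kms:dsse as SSE algorithms, so the default path (no kms_key_arn, use_aws_owned_kms = false) would be rejected by the provider or the API through main.tf, and the bucket policy condition in bucket_policies.tf would deny every upload that declares aws:kms. The corrected line is `kms_key_type = local.use_owned_kms || !var.use_aws_owned_kms ? "aws:kms" : "AES256"`. The name kms_key_type is also misleading because the value is an SSE algorithm rather than a key type; a name such as sse_algorithm would read better at both consumers, and parenthesising the condition, `(local.use_owned_kms || !var.use_aws_owned_kms) ? ...`, makes the intended precedence explicit.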
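Review bot: In main.tf bucket_key_enabled is still passed through unconditionally, but S3 Bucket Keys apply only to SSE-KMS, so with sse_algorithm = "AES256" and enable_bucket_key = true the rule carries a setting that has no effect for that algorithm and may be rejected at apply time (confirm against the provider). Guarding it, `bucket_key_enabled = local.kms_key_type == "aws:kms" ? var.enable_bucket_key : false`, keeps the two knobs consistent. The enclosing aws_s3_bucket_server_side_encryption_configuration resource starts outside the hunk.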
@@ -53,3 +53,9 @@ variable "object_ownership" {
 error_message = "Variable object_ownership must be a valid value."
 }
 }
+
+variable "use_aws_owned_kms" {
+ default = false
+ description = "If kms_key_arn is not provided, use AES256 over aws/s3 aws managed key."
+ type = bool
+}
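Review bot: The name use_aws_owned_kms says the opposite of what a true value does: per the expression in locals.tf, true selects AES256 (SSE-S3), which does not use KMS at all, while the description's "aws/s3 aws managed key" is the AWS managed KMS key that the flag turns off. The description should state this plainly, e.g. `description = "When true and kms_key_arn is empty, default bucket encryption is SSE-S3 (AES256) instead of SSE-KMS with the AWS managed aws/s3 key. Ignored when kms_key_arn is set."`. Renaming the variable (for example use_sse_s3) would be the clearer fix but changes the module interface.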