feat: support bucket_key_enabled for SSE (#82)

a41d75f5 · Hayato Okuma · GitHub · 5832e7cc · a41d75f5 · a41d75f5
Commit a41d75f5 authored Apr 28, 2021 by Hayato Okuma Committed by GitHub Apr 28, 2021
16 changed files
--- a/README.md
+++ b/README.md
@@ -99,13 +99,13 @@ inputs = {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.28 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.36 |

 ## Providers

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.28 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.36 |

 ## Modules


--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -30,14 +30,14 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.28 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.36 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |

 ## Providers

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.28 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.36 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |

 ## Modules

--- a/examples/complete/versions.tf
+++ b/examples/complete/versions.tf
@@ -2,7 +2,7 @@ terraform {
  required_version = ">= 0.12.26"

  required_providers {
-    aws    = ">= 3.28"
+    aws    = ">= 3.36"
    random = ">= 2.0"
  }
 }
--- a/examples/notification/README.md
+++ b/examples/notification/README.md
@@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.28 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.36 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |

@@ -28,7 +28,7 @@ Note that this example may create resources which cost money. Run `terraform des

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.28 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.36 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 2.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |


--- a/examples/notification/versions.tf
+++ b/examples/notification/versions.tf
@@ -2,7 +2,7 @@ terraform {
  required_version = ">= 0.12.26"

  required_providers {
-    aws    = ">= 3.28"
+    aws    = ">= 3.36"
    random = ">= 2.0"
    null   = ">= 2.0"
  }

--- a/examples/object/README.md
+++ b/examples/object/README.md
@@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.28 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.36 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |

 ## Providers

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.28 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.36 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |

 ## Modules

--- a/examples/object/versions.tf
+++ b/examples/object/versions.tf
@@ -2,7 +2,7 @@ terraform {
  required_version = ">= 0.13"

  required_providers {
-    aws    = ">= 3.28"
+    aws    = ">= 3.36"
    random = ">= 2.0"
  }
 }
--- a/examples/s3-replication/README.md
+++ b/examples/s3-replication/README.md
@@ -22,15 +22,15 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.28 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.36 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |

 ## Providers

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.28 |
-| <a name="provider_aws.replica"></a> [aws.replica](#provider\_aws.replica) | >= 3.28 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.36 |
+| <a name="provider_aws.replica"></a> [aws.replica](#provider\_aws.replica) | >= 3.36 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |

 ## Modules

--- a/examples/s3-replication/main.tf
+++ b/examples/s3-replication/main.tf
@@ -22,7 +22,7 @@ resource "random_pet" "this" {
 }

 resource "aws_kms_key" "replica" {
-  provider = "aws.replica"
+  provider = aws.replica

  description             = "S3 bucket replication KMS key"
  deletion_window_in_days = 7
@@ -32,7 +32,7 @@ module "replica_bucket" {
  source = "../../"

  providers = {
-    aws = "aws.replica"
+    aws = aws.replica
  }

  bucket = local.destination_bucket_name

--- a/examples/s3-replication/versions.tf
+++ b/examples/s3-replication/versions.tf
@@ -2,7 +2,7 @@ terraform {
  required_version = ">= 0.12.26"

  required_providers {
-    aws    = ">= 3.28"
+    aws    = ">= 3.36"
    random = ">= 2.0"
  }
 }
--- a/main.tf
+++ b/main.tf
@@ -196,6 +196,7 @@ resource "aws_s3_bucket" "this" {
        for_each = length(keys(lookup(server_side_encryption_configuration.value, "rule", {}))) == 0 ? [] : [lookup(server_side_encryption_configuration.value, "rule", {})]

        content {
+          bucket_key_enabled = lookup(rule.value, "bucket_key_enabled", null)

          dynamic "apply_server_side_encryption_by_default" {
            for_each = length(keys(lookup(rule.value, "apply_server_side_encryption_by_default", {}))) == 0 ? [] : [

--- a/modules/object/README.md
+++ b/modules/object/README.md
@@ -8,13 +8,13 @@ Creates S3 bucket objects with different configurations.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.28 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.36 |

 ## Providers

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.28 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.36 |

 ## Modules

@@ -32,6 +32,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_acl"></a> [acl](#input\_acl) | The canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, bucket-owner-read, and bucket-owner-full-control. Defaults to private. | `string` | `null` | no |
 | <a name="input_bucket"></a> [bucket](#input\_bucket) | The name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | `string` | `""` | no |
+| <a name="input_bucket_key_enabled"></a> [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Whether or not to use Amazon S3 Bucket Keys for SSE-KMS. | `bool` | `null` | no |
 | <a name="input_cache_control"></a> [cache\_control](#input\_cache\_control) | Specifies caching behavior along the request/reply chain. | `string` | `null` | no |
 | <a name="input_content"></a> [content](#input\_content) | Literal string value to use as the object content, which will be uploaded as UTF-8-encoded text. | `string` | `null` | no |
 | <a name="input_content_base64"></a> [content\_base64](#input\_content\_base64) | Base64-encoded data that will be decoded and uploaded as raw bytes for the object content. This allows safely uploading non-UTF8 binary data, but is recommended only for small content such as the result of the gzipbase64 function with small text strings. For larger objects, use source to stream the content from a disk file. | `string` | `null` | no |

--- a/modules/object/main.tf
+++ b/modules/object/main.tf
@@ -23,6 +23,7 @@ resource "aws_s3_bucket_object" "this" {

  server_side_encryption = var.server_side_encryption
  kms_key_id             = var.kms_key_id
+  bucket_key_enabled     = var.bucket_key_enabled

  object_lock_legal_hold_status = try(tobool(var.object_lock_legal_hold_status) ? "ON" : upper(var.object_lock_legal_hold_status), var.object_lock_legal_hold_status)
  object_lock_mode              = try(upper(var.object_lock_mode), var.object_lock_mode)

--- a/modules/object/variables.tf
+++ b/modules/object/variables.tf
@@ -100,6 +100,12 @@ variable "kms_key_id" {
  default     = null
 }

+variable "bucket_key_enabled" {
+  description = "Whether or not to use Amazon S3 Bucket Keys for SSE-KMS."
+  type        = bool
+  default     = null
+}
+
 variable "metadata" {
  description = "A map of keys/values to provision metadata (will be automatically prefixed by x-amz-meta-, note that only lowercase label are currently supported by the AWS Go API)."
  type        = map(string)

--- a/modules/object/versions.tf
+++ b/modules/object/versions.tf
@@ -2,6 +2,6 @@ terraform {
  required_version = ">= 0.13"

  required_providers {
-    aws = ">= 3.28"
+    aws = ">= 3.36"
  }
 }
--- a/versions.tf
+++ b/versions.tf
@@ -2,6 +2,6 @@ terraform {
  required_version = ">= 0.12.26"

  required_providers {
-    aws = ">= 3.28"
+    aws = ">= 3.36"
  }
 }