#2217: updated r/aws_s3_bucket to support default server side encrypt…

…ion configuration
hashicorp · Dec 17, 2017 · f999f27 · f999f27
1 parent 6bd9216
commit f999f27
Showing 1 changed file with 139 additions and 0 deletions.
diff --git a/aws/resource_aws_s3_bucket.go b/aws/resource_aws_s3_bucket.go
@@ -392,6 +392,42 @@ func resourceAwsS3Bucket() *schema.Resource {
 				},
 			},
 
+			"server_side_encryption_configuration": {
+				Type:     schema.TypeList,
+				MaxItems: 1,
+				Optional: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"rule": {
+							Type:     schema.TypeList,
+							MaxItems: 1,
+							Required: true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"apply_server_side_encryption_by_default": {
+										Type:     schema.TypeList,
+										MaxItems: 1,
+										Required: true,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"kms_master_key_id": {
+													Type:     schema.TypeString,
+													Optional: true,
+												},
+												"sse_algorithm": {
+													Type:     schema.TypeString,
+													Required: true,
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+
 			"tags": tagsSchema(),
 		},
 	}
@@ -531,6 +567,12 @@ func resourceAwsS3BucketUpdate(d *schema.ResourceData, meta interface{}) error {
 		}
 	}
 
+	if d.HasChange("server_side_encryption_configuration") {
+		if err := resourceAwsS3BucketServerSideEncryptionConfigurationUpdate(s3conn, d); err != nil {
+			return err
+		}
+	}
+
 	return resourceAwsS3BucketRead(d, meta)
 }
 
@@ -941,6 +983,29 @@ func resourceAwsS3BucketRead(d *schema.ResourceData, meta interface{}) error {
 		}
 	}
 
+	// Read the bucket server side encryption configuration
+
+	encryptionResponse, err := retryOnAwsCode("NoSuchBucket", func() (interface{}, error) {
+		return s3conn.GetBucketEncryption(&s3.GetBucketEncryptionInput{
+			Bucket: aws.String(d.Id()),
+		})
+	})
+	if err != nil {
+		if isAWSErr(err, "ServerSideEncryptionConfigurationNotFoundError", "encryption configuration was not found") {
+			log.Printf("[DEBUG] Default encryption is not enabled for %s", d.Id())
+		} else {
+			return err
+		}
+	} else {
+		encryption := encryptionResponse.(*s3.GetBucketEncryptionOutput)
+		if c := encryption.ServerSideEncryptionConfiguration; c != nil {
+			if err := d.Set("server_side_encryption_configuration", flatternAwsS3ServerSideEncryptionConfiguration(c)); err != nil {
+				log.Printf("[DEBUG] Error setting server side encryption configuration: %s", err)
+				return err
+			}
+		}
+	}
+
 	// Add the region as an attribute
 
 	locationResponse, err := retryOnAwsCode("NoSuchBucket", func() (interface{}, error) {
@@ -1493,6 +1558,64 @@ func resourceAwsS3BucketRequestPayerUpdate(s3conn *s3.S3, d *schema.ResourceData
 	return nil
 }
 
+func resourceAwsS3BucketServerSideEncryptionConfigurationUpdate(s3conn *s3.S3, d *schema.ResourceData) error {
+	bucket := d.Get("bucket").(string)
+	serverSideEncryptionConfiguration := d.Get("server_side_encryption_configuration").([]interface{})
+
+	if len(serverSideEncryptionConfiguration) == 0 {
+		i := &s3.DeleteBucketEncryptionInput{
+			Bucket: aws.String(bucket),
+		}
+
+		err := resource.Retry(1*time.Minute, func() *resource.RetryError {
+			if _, err := s3conn.DeleteBucketEncryption(i); err != nil {
+				return resource.NonRetryableError(err)
+			}
+			return nil
+		})
+		if err != nil {
+			return fmt.Errorf("error removing S3 bucket server side encryption: %s", err)
+		}
+		return nil
+	}
+
+	c := serverSideEncryptionConfiguration[0].(map[string]interface{})
+
+	rc := &s3.ServerSideEncryptionConfiguration{}
+
+	rcRules := c["rule"].([]interface{})
+	rules := []*s3.ServerSideEncryptionRule{}
+	for _, v := range rcRules {
+		rr := v.(map[string]interface{})
+		rrDefault := rr["apply_server_side_encryption_by_default"].(map[string]interface{})
+		rcDefaultRule := &s3.ServerSideEncryptionByDefault{
+			SSEAlgorithm: aws.String(rrDefault["sse_algorithm"].(string)),
+			KMSMasterKeyID: aws.String(rrDefault["kms_master_key_id"].(string)),
+		}
+		rcRule := &s3.ServerSideEncryptionRule{
+			ApplyServerSideEncryptionByDefault: rcDefaultRule,
+		}
+
+		rules = append(rules, rcRule)
+	}
+
+	rc.Rules = rules
+	i := &s3.PutBucketEncryptionInput{
+		Bucket: aws.String(bucket),
+		ServerSideEncryptionConfiguration: rc,
+	}
+	log.Printf("[DEBUG] S3 put bucket replication configuration: %#v", i)
+
+	_, err := retryOnAwsCode("NoSuchBucket", func() (interface{}, error) {
+		return s3conn.PutBucketEncryption(i)
+	})
+	if err != nil {
+		return fmt.Errorf("error putting S3 server side encryption configuration: %s", err)
+	}
+
+	return nil
+}
+
 func resourceAwsS3BucketReplicationConfigurationUpdate(s3conn *s3.S3, d *schema.ResourceData) error {
 	bucket := d.Get("bucket").(string)
 	replicationConfiguration := d.Get("replication_configuration").([]interface{})
@@ -1739,6 +1862,22 @@ func resourceAwsS3BucketLifecycleUpdate(s3conn *s3.S3, d *schema.ResourceData) e
 	return nil
 }
 
+func flatternAwsS3ServerSideEncryptionConfiguration(c *s3.ServerSideEncryptionConfiguration) []map[string]interface{} {
+	encryptionConfiguration := make([]map[string]interface{}, 0, 1)
+	rules := make([]interface{}, 0, len(c.Rules))
+	for _, v := range c.Rules {
+		if v.ApplyServerSideEncryptionByDefault != nil {
+			r := make(map[string]interface{})
+			d := make(map[string]interface{})
+			d["kms_master_key_id"] = *v.ApplyServerSideEncryptionByDefault.KMSMasterKeyID
+			d["sse_algorithm"] = *v.ApplyServerSideEncryptionByDefault.SSEAlgorithm
+			r["apply_server_side_encryption_by_default"] = d
+			rules = append(rules, r)
+		}
+	}
+	return encryptionConfiguration
+}
+
 func flattenAwsS3BucketReplicationConfiguration(r *s3.ReplicationConfiguration) []map[string]interface{} {
 	replication_configuration := make([]map[string]interface{}, 0, 1)
 	m := make(map[string]interface{})