feat: support bucket_key_enabled for server_side_encryption_configura…

[kumashun8]

…tion.rule

Description

Make server_side_encryption_configuration to be able to set to bucket_key_enabled .

Motivation and Context

Recently, bucket_key_enable was supported by terraform-provider-aws in the following PR.
so I'd like to reflect that here as well.

hashicorp/terraform-provider-aws#16581

Breaking Changes

bucket_key_enabled is a optional value, so compatibility won't be lost.

How Has This Been Tested?

• I have tested and validated these changes using one or more of the provided examples/* projects

current plan at example/complete result is below (extracted).

+ server_side_encryption_configuration {
          + rule {
              + bucket_key_enabled = false

              + apply_server_side_encryption_by_default {
                  + kms_master_key_id = (known after apply)
                  + sse_algorithm     = "aws:kms"
                }
            }
        }

and apply was done successfully (extracted).

...
Apply complete! Resources: 11 added, 0 changed, 0 destroyed.

Outputs:

this_s3_bucket_arn = "arn:aws:s3:::s3-bucket-mighty-tetra"
this_s3_bucket_bucket_domain_name = "s3-bucket-mighty-tetra.s3.amazonaws.com"
this_s3_bucket_bucket_regional_domain_name = "s3-bucket-mighty-tetra.s3.ap-northeast-1.amazonaws.com"
this_s3_bucket_hosted_zone_id = "Z2M4EHUR26P7ZW"
this_s3_bucket_id = "s3-bucket-mighty-tetra"
this_s3_bucket_region = "ap-northeast-1"
this_s3_bucket_website_domain = "s3-website-ap-northeast-1.amazonaws.com"
this_s3_bucket_website_endpoint = "s3-bucket-mighty-tetra.s3-website-ap-northeast-1.amazonaws.com"

next, edit example/complete/main.tf line:191-199 to add variable bucket_key_enabled like this.

server_side_encryption_configuration = {
    rule = {
      bucket_key_enabled = true
      apply_server_side_encryption_by_default = {
        kms_master_key_id = aws_kms_key.objects.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }

plan result is below (extracted).

# module.s3_bucket.aws_s3_bucket.this[0] will be updated in-place
  ~ resource "aws_s3_bucket" "this" {
        id                          = "s3-bucket-mighty-tetra"
        tags                        = {
            "Owner" = "Anton"
        }
        # (11 unchanged attributes hidden)





      ~ server_side_encryption_configuration {
          ~ rule {
              ~ bucket_key_enabled = false -> true

                # (1 unchanged block hidden)
            }
        }


        # (8 unchanged blocks hidden)
    }

  # module.s3_bucket.aws_s3_bucket_policy.this[0] will be updated in-place
  ~ resource "aws_s3_bucket_policy" "this" {
        id     = "s3-bucket-mighty-tetra"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "s3:*"
                      - Condition = {
                          - Bool = {
                              - aws:SecureTransport = "false"
                            }
                        }
                      - Effect    = "Deny"
                      - Principal = "*"
                      - Resource  = [
                          - "arn:aws:s3:::s3-bucket-mighty-tetra/*",
                          - "arn:aws:s3:::s3-bucket-mighty-tetra",
                        ]
                      - Sid       = "denyInsecureTransport"
                    },
                  - {
                      - Action    = "s3:ListBucket"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::057575985710:role/terraform-20210413081143894800000001"
                        }
                      - Resource  = "arn:aws:s3:::s3-bucket-mighty-tetra"
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

and apply complete successfully (extracted).

...
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Outputs:

this_s3_bucket_arn = "arn:aws:s3:::s3-bucket-mighty-tetra"
this_s3_bucket_bucket_domain_name = "s3-bucket-mighty-tetra.s3.amazonaws.com"
this_s3_bucket_bucket_regional_domain_name = "s3-bucket-mighty-tetra.s3.ap-northeast-1.amazonaws.com"
this_s3_bucket_hosted_zone_id = "Z2M4EHUR26P7ZW"
this_s3_bucket_id = "s3-bucket-mighty-tetra"
this_s3_bucket_region = "ap-northeast-1"
this_s3_bucket_website_domain = "s3-website-ap-northeast-1.amazonaws.com"
this_s3_bucket_website_endpoint = "s3-bucket-mighty-tetra.s3-website-ap-northeast-1.amazonaws.com"

[antonbabenko]

Please update versions.tf with a minimum version of Terraform AWS provider 3.36.0 in the module and in the examples.

Also, could you please add the same change to modules/object?

Thank you!

[antonbabenko]

Leave the default value as null, please.

[antonbabenko]

Please do a similar update to the object submodule also.

[kumashun8]

Sorry, I misread the contents of the first review.
I'll do it.

[antonbabenko]

Thanks, @kumashun8 !

v2.1.0 has been just released.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.