From 8b2359430ed5ab2dc7967939997a4204e3c7022d Mon Sep 17 00:00:00 2001
From: kumashun8
Date: Tue, 13 Apr 2021 13:07:13 +0900
Subject: [PATCH 1/6] feat: support bucket_key_enabled for server_side_encryption_configuration.rule
---
 main.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/main.tf b/main.tf
index 09097344..18d880c7 100644
--- a/main.tf
+++ b/main.tf
@@ -196,6 +196,7 @@ resource "aws_s3_bucket" "this" {
 for_each = length(keys(lookup(server_side_encryption_configuration.value, "rule", {}))) == 0 ? [] : [lookup(server_side_encryption_configuration.value, "rule", {})]
 content {
+ bucket_key_enabled = lookup(rule.value, "bucket_key_enabled", false)
 dynamic "apply_server_side_encryption_by_default" {
 for_each = length(keys(lookup(rule.value, "apply_server_side_encryption_by_default", {}))) == 0 ? [] : [
From 9a0db618cc59b2098853789e6e088c628d5a11e6 Mon Sep 17 00:00:00 2001
From: kumashun8
Date: Tue, 13 Apr 2021 20:28:51 +0900
Subject: [PATCH 2/6] fix: set null as a default value
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 18d880c7..77a4c94a 100644
--- a/main.tf
+++ b/main.tf
@@ -196,7 +196,7 @@ resource "aws_s3_bucket" "this" {
 for_each = length(keys(lookup(server_side_encryption_configuration.value, "rule", {}))) == 0 ? [] : [lookup(server_side_encryption_configuration.value, "rule", {})]
 content {
- bucket_key_enabled = lookup(rule.value, "bucket_key_enabled", false)
+ bucket_key_enabled = lookup(rule.value, "bucket_key_enabled", null)
 dynamic "apply_server_side_encryption_by_default" {
 for_each = length(keys(lookup(rule.value, "apply_server_side_encryption_by_default", {}))) == 0 ? [] : [
From 90d99f99c139edc37a9dd64e8a6394c8b030ad9c Mon Sep 17 00:00:00 2001
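Review bot: The new `bucket_key_enabled` key of the `rule` map is undocumented for the root module: nothing in this series touches the description of `server_side_encryption_configuration`, and the root README is only changed for the provider version bump, so callers have no way to discover the option. Add to that variable's description something like `rule may also carry bucket_key_enabled (bool); it only takes effect when apply_server_side_encryption_by_default uses aws:kms`. Worth stating there as well that an S3 Bucket Key replaces per-object KMS requests with a bucket-level data key, so CloudTrail records fewer KMS events for the bucket, which matters to anyone auditing or alerting on key usage. The enclosing `dynamic "rule"` block and the `aws_s3_bucket` resource start and end outside the hunk.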
From: kumashun8
Date: Tue, 13 Apr 2021 20:29:32 +0900
Subject: [PATCH 3/6] chore: use aws provider v3.36
---
 examples/complete/versions.tf | 2 +-
 examples/notification/versions.tf | 2 +-
 examples/object/versions.tf | 2 +-
 examples/s3-replication/versions.tf | 2 +-
 modules/object/versions.tf | 2 +-
 versions.tf | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
index f0be0a5d..633a9b29 100644
--- a/examples/complete/versions.tf
+++ b/examples/complete/versions.tf
@@ -2,7 +2,7 @@ terraform {
 required_version = ">= 0.12.26"
 required_providers {
- aws = ">= 3.28"
+ aws = ">= 3.36"
 random = ">= 2.0"
 }
 }
diff --git a/examples/notification/versions.tf b/examples/notification/versions.tf
index 7d0b31de..e3c4ff79 100644
--- a/examples/notification/versions.tf
+++ b/examples/notification/versions.tf
@@ -2,7 +2,7 @@ terraform {
 required_version = ">= 0.12.26"
 required_providers {
- aws = ">= 3.28"
+ aws = ">= 3.36"
 random = ">= 2.0"
 null = ">= 2.0"
 }
diff --git a/examples/object/versions.tf b/examples/object/versions.tf
index 9e72906f..d051dac7 100644
--- a/examples/object/versions.tf
+++ b/examples/object/versions.tf
@@ -2,7 +2,7 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
- aws = ">= 3.28"
+ aws = ">= 3.36"
 random = ">= 2.0"
 }
 }
diff --git a/examples/s3-replication/versions.tf b/examples/s3-replication/versions.tf
index f0be0a5d..633a9b29 100644
--- a/examples/s3-replication/versions.tf
+++ b/examples/s3-replication/versions.tf
@@ -2,7 +2,7 @@ terraform {
 required_version = ">= 0.12.26"
 required_providers {
- aws = ">= 3.28"
+ aws = ">= 3.36"
 random = ">= 2.0"
 }
 }
diff --git a/modules/object/versions.tf b/modules/object/versions.tf
index 7148ca44..6a1ba86a 100644
--- a/modules/object/versions.tf
+++ b/modules/object/versions.tf
@@ -2,6 +2,6 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
- aws = ">= 3.28"
+ aws = ">= 3.36"
 }
 }
diff --git a/versions.tf b/versions.tf
index 445a50c0..4a6afc07 100644
--- a/versions.tf
+++ b/versions.tf
@@ -2,6 +2,6 @@ terraform {
 required_version = ">= 0.12.26"
 required_providers {
- aws = ">= 3.28"
+ aws = ">= 3.36"
 }
 }
From 84146b922b9b8ff4f9054742a9c866756fd36908 Mon Sep 17 00:00:00 2001
From: kumashun8
Date: Fri, 16 Apr 2021 16:39:15 +0900
Subject: [PATCH 4/6] feat: also support bucket_key_enabled to bucket_object
---
 modules/object/main.tf | 1 +
 modules/object/variables.tf | 6 ++++++
 2 files changed, 7 insertions(+)
diff --git a/modules/object/main.tf b/modules/object/main.tf
index e091fd9b..a6f9501b 100644
--- a/modules/object/main.tf
+++ b/modules/object/main.tf
@@ -23,6 +23,7 @@ resource "aws_s3_bucket_object" "this" {
 server_side_encryption = var.server_side_encryption
 kms_key_id = var.kms_key_id
+ bucket_key_enabled = var.bucket_key_enabled
 object_lock_legal_hold_status = try(tobool(var.object_lock_legal_hold_status) ? "ON" : upper(var.object_lock_legal_hold_status), var.object_lock_legal_hold_status)
 object_lock_mode = try(upper(var.object_lock_mode), var.object_lock_mode)
diff --git a/modules/object/variables.tf b/modules/object/variables.tf
index c9159c7d..2bbbcc91 100644
--- a/modules/object/variables.tf
+++ b/modules/object/variables.tf
@@ -100,6 +100,12 @@ variable "kms_key_id" {
 default = null
 }
+variable "bucket_key_enabled" {
+ description = "Whether or not to use Amazon S3 Bucket Keys for SSE-KMS."
+ type = bool
+ default = null
+}
+
 variable "metadata" {
 description = "A map of keys/values to provision metadata (will be automatically prefixed by x-amz-meta-, note that only lowercase label are currently supported by the AWS Go API)."
 type = map(string)
From d128396feba2ddf891f80a50a710782d6d13d701 Mon Sep 17 00:00:00 2001
From: kumashun8
Date: Wed, 28 Apr 2021 12:56:53 +0900
Subject: [PATCH 5/6] chore: add info about bucket_key_enabled to README
---
 modules/object/README.md | 1 +
 1 file changed, 1 insertion(+)
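Review bot: `bucket_key_enabled = var.bucket_key_enabled` is sent regardless of `server_side_encryption` two lines above, although an S3 Bucket Key only applies to SSE-KMS; whether the provider rejects or silently ignores `true` combined with `AES256` is not visible here. The least surprising option is to state the dependency on the variable, `Only effective when the object (or the bucket default it inherits) is encrypted with aws:kms`; a guard such as `bucket_key_enabled = var.server_side_encryption == "aws:kms" ? var.bucket_key_enabled : null` would also drop the flag for objects that rely on the bucket's default encryption, so the documentation route looks safer. The `aws_s3_bucket_object` resource block starts and ends outside the hunk.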
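Review bot: The description of the new `bucket_key_enabled` variable stops at "Whether or not to use Amazon S3 Bucket Keys for SSE-KMS." and leaves out the two facts an operator needs to decide: that it is a no-op unless the object is encrypted with `aws:kms`, and that a bucket key replaces per-object KMS requests with a bucket-level data key, so CloudTrail shows far fewer KMS events for these objects, which affects key-usage auditing and alerting. Suggest `description = "Whether or not to use Amazon S3 Bucket Keys for SSE-KMS. Only meaningful with aws:kms encryption; when enabled, S3 issues fewer KMS requests per object, so KMS CloudTrail events for these objects drop accordingly."`. `default = null` correctly leaves the provider default in place instead of forcing a value, consistent with the `null` chosen for the bucket rule in PATCH 2/6.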
diff --git a/modules/object/README.md b/modules/object/README.md
index 79a72a0d..5e6043f1 100644
--- a/modules/object/README.md
+++ b/modules/object/README.md
@@ -45,6 +45,7 @@ No modules.
 | [force\_destroy](#input\_force\_destroy) | Allow the object to be deleted by removing any legal hold on any object version. Default is false. This value should be set to true only if the bucket has S3 object lock enabled. | `bool` | `false` | no |
 | [key](#input\_key) | The name of the object once it is in the bucket. | `string` | `""` | no |
 | [kms\_key\_id](#input\_kms\_key\_id) | Amazon Resource Name (ARN) of the KMS Key to use for object encryption. If the S3 Bucket has server-side encryption enabled, that value will automatically be used. If referencing the aws\_kms\_key resource, use the arn attribute. If referencing the aws\_kms\_alias data source or resource, use the target\_key\_arn attribute. Terraform will only perform drift detection if a configuration value is provided. | `string` | `null` | no |
+| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Whether or not to use Amazon S3 Bucket Keys for SSE-KMS. | `bool` | `null` | no |
 | [metadata](#input\_metadata) | A map of keys/values to provision metadata (will be automatically prefixed by x-amz-meta-, note that only lowercase label are currently supported by the AWS Go API). | `map(string)` | `{}` | no |
 | [object\_lock\_legal\_hold\_status](#input\_object\_lock\_legal\_hold\_status) | The legal hold status that you want to apply to the specified object. Valid values are ON and OFF. | `string` | `null` | no |
 | [object\_lock\_mode](#input\_object\_lock\_mode) | The object lock retention mode that you want to apply to this object. Valid values are GOVERNANCE and COMPLIANCE. | `string` | `null` | no |
From 4a753f761f582ccb175196ddccf29487b5c067d7 Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Wed, 28 Apr 2021 20:26:44 +0200
Subject: [PATCH 6/6] Fixed docs
---
 README.md | 4 ++--
 examples/complete/README.md | 4 ++--
 examples/notification/README.md | 4 ++--
 examples/object/README.md | 4 ++--
 examples/s3-replication/README.md | 6 +++---
 examples/s3-replication/main.tf | 4 ++--
 modules/object/README.md | 6 +++---
 7 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/README.md b/README.md
index 7afc3f04..f9191c87 100644
--- a/README.md
+++ b/README.md
@@ -99,13 +99,13 @@ inputs = {
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.12.26 |
-| [aws](#requirement\_aws) | >= 3.28 |
+| [aws](#requirement\_aws) | >= 3.36 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 3.28 |
+| [aws](#provider\_aws) | >= 3.36 |
 ## Modules
diff --git a/examples/complete/README.md b/examples/complete/README.md
index 5f390f9e..4742d4fb 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -30,14 +30,14 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.12.26 |
-| [aws](#requirement\_aws) | >= 3.28 |
+| [aws](#requirement\_aws) | >= 3.36 |
 | [random](#requirement\_random) | >= 2.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 3.28 |
+| [aws](#provider\_aws) | >= 3.36 |
 | [random](#provider\_random) | >= 2.0 |
 ## Modules
diff --git a/examples/notification/README.md b/examples/notification/README.md
index b3d19398..9bad715c 100644
--- a/examples/notification/README.md
+++ b/examples/notification/README.md
@@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.12.26 |
-| [aws](#requirement\_aws) | >= 3.28 |
+| [aws](#requirement\_aws) | >= 3.36 |
 | [null](#requirement\_null) | >= 2.0 |
 | [random](#requirement\_random) | >= 2.0 |
@@ -28,7 +28,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 3.28 |
+| [aws](#provider\_aws) | >= 3.36 |
 | [null](#provider\_null) | >= 2.0 |
 | [random](#provider\_random) | >= 2.0 |
diff --git a/examples/object/README.md b/examples/object/README.md
index fe4192c0..d3fec7a8 100644
--- a/examples/object/README.md
+++ b/examples/object/README.md
@@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13 |
-| [aws](#requirement\_aws) | >= 3.28 |
+| [aws](#requirement\_aws) | >= 3.36 |
 | [random](#requirement\_random) | >= 2.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 3.28 |
+| [aws](#provider\_aws) | >= 3.36 |
 | [random](#provider\_random) | >= 2.0 |
 ## Modules
diff --git a/examples/s3-replication/README.md b/examples/s3-replication/README.md
index 2a0365fe..3f220489 100644
--- a/examples/s3-replication/README.md
+++ b/examples/s3-replication/README.md
@@ -22,15 +22,15 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.12.26 |
-| [aws](#requirement\_aws) | >= 3.28 |
+| [aws](#requirement\_aws) | >= 3.36 |
 | [random](#requirement\_random) | >= 2.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 3.28 |
-| [aws.replica](#provider\_aws.replica) | >= 3.28 |
+| [aws](#provider\_aws) | >= 3.36 |
+| [aws.replica](#provider\_aws.replica) | >= 3.36 |
 | [random](#provider\_random) | >= 2.0 |
 ## Modules
diff --git a/examples/s3-replication/main.tf b/examples/s3-replication/main.tf
index c9a68f70..a2b7105d 100644
--- a/examples/s3-replication/main.tf
+++ b/examples/s3-replication/main.tf
@@ -22,7 +22,7 @@ resource "random_pet" "this" {
 }
 resource "aws_kms_key" "replica" {
- provider = "aws.replica"
+ provider = aws.replica
 description = "S3 bucket replication KMS key"
 deletion_window_in_days = 7
@@ -32,7 +32,7 @@ module "replica_bucket" {
 source = "../../"
 providers = {
- aws = "aws.replica"
+ aws = aws.replica
 }
 bucket = local.destination_bucket_name
diff --git a/modules/object/README.md b/modules/object/README.md
index 5e6043f1..665f2b94 100644
--- a/modules/object/README.md
+++ b/modules/object/README.md
@@ -8,13 +8,13 @@ Creates S3 bucket objects with different configurations.
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13 |
-| [aws](#requirement\_aws) | >= 3.28 |
+| [aws](#requirement\_aws) | >= 3.36 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 3.28 |
+| [aws](#provider\_aws) | >= 3.36 |
 ## Modules
@@ -32,6 +32,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [acl](#input\_acl) | The canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, bucket-owner-read, and bucket-owner-full-control. Defaults to private. | `string` | `null` | no |
 | [bucket](#input\_bucket) | The name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified. | `string` | `""` | no |
+| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Whether or not to use Amazon S3 Bucket Keys for SSE-KMS. | `bool` | `null` | no |
 | [cache\_control](#input\_cache\_control) | Specifies caching behavior along the request/reply chain. | `string` | `null` | no |
 | [content](#input\_content) | Literal string value to use as the object content, which will be uploaded as UTF-8-encoded text. | `string` | `null` | no |
 | [content\_base64](#input\_content\_base64) | Base64-encoded data that will be decoded and uploaded as raw bytes for the object content. This allows safely uploading non-UTF8 binary data, but is recommended only for small content such as the result of the gzipbase64 function with small text strings. For larger objects, use source to stream the content from a disk file. | `string` | `null` | no |
@@ -45,7 +46,6 @@ No modules.
 | [force\_destroy](#input\_force\_destroy) | Allow the object to be deleted by removing any legal hold on any object version. Default is false. This value should be set to true only if the bucket has S3 object lock enabled. | `bool` | `false` | no |
 | [key](#input\_key) | The name of the object once it is in the bucket. | `string` | `""` | no |
 | [kms\_key\_id](#input\_kms\_key\_id) | Amazon Resource Name (ARN) of the KMS Key to use for object encryption. If the S3 Bucket has server-side encryption enabled, that value will automatically be used. If referencing the aws\_kms\_key resource, use the arn attribute. If referencing the aws\_kms\_alias data source or resource, use the target\_key\_arn attribute. Terraform will only perform drift detection if a configuration value is provided. | `string` | `null` | no |
-| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Whether or not to use Amazon S3 Bucket Keys for SSE-KMS. | `bool` | `null` | no |
 | [metadata](#input\_metadata) | A map of keys/values to provision metadata (will be automatically prefixed by x-amz-meta-, note that only lowercase label are currently supported by the AWS Go API). | `map(string)` | `{}` | no |
 | [object\_lock\_legal\_hold\_status](#input\_object\_lock\_legal\_hold\_status) | The legal hold status that you want to apply to the specified object. Valid values are ON and OFF. | `string` | `null` | no |
 | [object\_lock\_mode](#input\_object\_lock\_mode) | The object lock retention mode that you want to apply to this object. Valid values are GOVERNANCE and COMPLIANCE. | `string` | `null` | no |