- config, added

- bucket_key_enabled: default false - use_kms_encryptioon: default true
terraform-modules · Oct 11, 2023 · 0f7e9a9 · 0f7e9a9
1 parent c2f6c7b
commit 0f7e9a9
Show file tree

Hide file tree

Showing 8 changed files with 25 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -303,3 +303,7 @@
   - ldap-ou-create
     - update ldap.e to ldap2.e
 
+* 2.4.10 -- 2023-10-11
+  - config, added
+    - bucket_key_enabled: default false
+    - use_kms_encryptioon: default true
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.4.9"
+  _module_version = "2.4.10"
 }
diff --git a/config/README.md b/config/README.md
@@ -20,6 +20,7 @@ module "config" {
 
   ## optional
   # name = "myconfigbucket"
+  # use_kms_encryption = false
 
 }
 ```
@@ -90,12 +91,14 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_bucket_key_enabled"></a> [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no |
 | <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms) | `map(map(string))` | <pre>{<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
 | <a name="input_enable_config_rules_standard"></a> [enable\_config\_rules\_standard](#input\_enable\_config\_rules\_standard) | Flag to enable\|disable the standard set of config rules | `bool` | `true` | no |
 | <a name="input_enable_config_rules_stopped"></a> [enable\_config\_rules\_stopped](#input\_enable\_config\_rules\_stopped) | Flag to enable\|disable EC2 stopped config rules | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | Config resource name prefix used for all resources | `string` | `""` | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| <a name="input_use_kms_encryption"></a> [use\_kms\_encryption](#input\_use\_kms\_encryption) | Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access | `bool` | `true` | no |
 | <a name="input_versioning_configuration"></a> [versioning\_configuration](#input\_versioning\_configuration) | S3 Versioning Configuration (Enabled, Disabled, Suspended).  To disable, use Suspended if existing bucket and Disabled if new | `string` | `"Disabled"` | no |
 
 ## Outputs

diff --git a/config/main.tf b/config/main.tf
@@ -21,6 +21,7 @@
 *
 *   ## optional
 *   # name = "myconfigbucket"
+*   # use_kms_encryption = false
 *
 * }
 * ```

diff --git a/config/s3.tf b/config/s3.tf
@@ -57,8 +57,9 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "config" {
   bucket = aws_s3_bucket.config.id
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "aws:kms"
+      sse_algorithm = var.use_kms_encryption ? "aws:kms" : "AES256"
     }
+    bucket_key_enabled = var.bucket_key_enabled
   }
 }
 

diff --git a/config/variables.tf b/config/variables.tf
@@ -32,3 +32,15 @@ variable "versioning_configuration" {
   type        = string
   default     = "Disabled"
 }
+
+variable "bucket_key_enabled" {
+  description = "Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html)."
+  type        = bool
+  default     = false
+}
+
+variable "use_kms_encryption" {
+  description = "Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access"
+  type        = bool
+  default     = true
+}
diff --git a/s3-access-logs/README.md b/s3-access-logs/README.md
@@ -27,6 +27,7 @@ module "logs_full" {
   # optional
   account_alias         = "do2-govcloud"
   bucket_name           = "inf-logs-123456789012"
+  # use_kms_encryption  = false
 
   # logs is generally not needed and not recommended
   component_tags        = {

diff --git a/s3-access-logs/main.tf b/s3-access-logs/main.tf
@@ -28,6 +28,7 @@
 *   # optional
 *   account_alias         = "do2-govcloud"
 *   bucket_name           = "inf-logs-123456789012"
+*   # use_kms_encryption  = false
 *
 *   # logs is generally not needed and not recommended
 *   component_tags        = {