From 79c6886429a73803bd74588603c968416d143fd3 Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 21 Sep 2023 10:51:26 -0400
Subject: [PATCH] - s3-access-logs
- bucket_key_enabled: default true
- use_kms_encryptioon: default true
may need to make default false as some services like NLB do not support the use of a CMK (use AES256 instead)
---
 CHANGELOG.md | 6 ++++++
 common/version.tf | 2 +-
 s3-access-logs/README.md | 3 +++
 s3-access-logs/main.tf | 3 ++-
 s3-access-logs/variables.tf | 12 ++++++++++++
 5 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7445364..a33288d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -288,3 +288,9 @@
 - add enable_cloudwatch_logs with a default of true
 - cloudtrail-key
 - add s3.amazonaws.com
+
+* 2.4.7 -- 2023-09-21
+ - s3-access-logs
+ - bucket_key_enabled: default true
+ - use_kms_encryptioon: default true
+ may need to make default false as some services like NLB do not support the use of a CMK (use AES256 instead)
diff --git a/common/version.tf b/common/version.tf
index eb12e0f..994520b 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.4.6"
+ _module_version = "2.4.7"
 }
diff --git a/s3-access-logs/README.md b/s3-access-logs/README.md
index 3821e4c..4f2e2b8 100644
--- a/s3-access-logs/README.md
+++ b/s3-access-logs/README.md
@@ -70,6 +70,7 @@ No modules.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.logs_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
 ## Inputs
@@ -77,11 +78,13 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `true` | no |
 | [bucket\_name](#input\_bucket\_name) | Logging S3 bucket name | `string` | `""` | no |
 | [bucket\_name\_prefix](#input\_bucket\_name\_prefix) | Logging S3 bucket prefix, prepended to the AWS account ID and region to make the bucket name. | `string` | `"inf-logs"` | no |
 | [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` |
{
"ddb": {},
"kms": {},
"s3": {}
}
| no |
 | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| [use\_kms\_encryption](#input\_use\_kms\_encryption) | Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access | `bool` | `true` | no |
 | [versioning\_configuration](#input\_versioning\_configuration) | S3 Versioning Configuration (Enabled, Disabled, Suspended). To disable, use Suspended if existing bucket and Disabled if new | `string` | `"Disabled"` | no |
 ## Outputs
diff --git a/s3-access-logs/main.tf b/s3-access-logs/main.tf
index 09e1aa3..b098bea 100644
--- a/s3-access-logs/main.tf
+++ b/s3-access-logs/main.tf
@@ -119,8 +119,9 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
 bucket = aws_s3_bucket.logs.id
 rule {
 apply_server_side_encryption_by_default {
- sse_algorithm = "aws:kms"
+ sse_algorithm = var.use_kms_encryption ? "aws:kms" : "AES256"
 }
+ bucket_key_enabled = var.bucket_key_enabled
 }
 }
diff --git a/s3-access-logs/variables.tf b/s3-access-logs/variables.tf
index 79f37f4..a8148dc 100644
--- a/s3-access-logs/variables.tf
+++ b/s3-access-logs/variables.tf
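Review bot: `bucket_key_enabled = var.bucket_key_enabled` is applied even when `use_kms_encryption` is false, but S3 Bucket Keys only take effect with SSE-KMS, so under AES256 the flag is inert and the plan shows a bucket-key setting that does nothing; consider `bucket_key_enabled = var.use_kms_encryption && var.bucket_key_enabled` so the effective configuration is explicit. The new conditional also downgrades the log bucket from SSE-KMS to SSE-S3 on a single boolean, and no `kms_master_key_id` appears in the `apply_server_side_encryption_by_default` block either way, so a comment above the `sse_algorithm` line recording why the fallback exists (the commit message's point that some services' log delivery cannot use a CMK) and that `aws:kms` without a key id relies on the AWS-managed S3 key would help the next reader judge the risk. The resource block begins outside the hunk.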
@@ -22,3 +22,15 @@ variable "versioning_configuration" {
 type = string
 default = "Disabled"
 }
+
+variable "bucket_key_enabled" {
+ description = "Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html)."
+ type = bool
+ default = true
+}
+
+variable "use_kms_encryption" {
+ description = "Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access"
+ type = bool
+ default = true
+}
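Review bot: The `use_kms_encryption` description does not say what a caller gives up by setting it to false, and `default = true` sits uneasily with the commit message's own note that services such as NLB cannot use a CMK for this bucket; consider `description = "Use SSE-KMS (aws:kms) for the access-log bucket. Set to false to fall back to SSE-S3 (AES256) for AWS services whose log delivery does not support a CMK; objects are then no longer governed by a KMS key policy."`. The `bucket_key_enabled` description has a typo (`documenation`) and should state that Bucket Keys only apply to SSE-KMS, so the value has no effect when `use_kms_encryption` is false. Both variable blocks are fully contained in the hunk.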