add use_kms_encryption to toggle aws:kms and SSE-S3

terraform-modules · Apr 21, 2022 · 2779a81 · 2779a81
1 parent d7e6840
commit 2779a81
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -109,5 +109,8 @@ This works with the Terraform AWS provider 4.x, released 2022-02.
 * 3.0.4 -- 2022-03-25
   - add links to versions.tf
 
-* 3.1.0. -- 2022-04-01
+* 3.1.0 -- 2022-04-01
   - add object_lock_enabled flag for bucket creation
+
+* 3.2.0 -- 2022-04-21
+  - add use_kms_encryption option to toggle between KMS and SSE-S3
diff --git a/common/kms.tf b/common/kms.tf
@@ -16,7 +16,7 @@ locals {
 # create a key and alias if not specified
 #---
 resource "aws_kms_key" "key" {
-  count               = var.kms_key_arn == null ? 1 : 0
+  count               = var.use_kms_encryption && var.kms_key_arn == null ? 1 : 0
   description         = "KMS CMK for S3 bucket ${local.name}"
   enable_key_rotation = true
   policy              = data.aws_iam_policy_document.key_policy_combined.json
@@ -30,7 +30,7 @@ resource "aws_kms_key" "key" {
 }
 
 resource "aws_kms_alias" "key" {
-  count         = var.kms_key_arn == null ? 1 : 0
+  count         = var.use_kms_encryption && var.kms_key_arn == null ? 1 : 0
   name          = "alias/${local.kms_key_name}"
   target_key_id = var.kms_key_arn == null ? aws_kms_key.key[0].key_id : null
 }
@@ -59,6 +59,6 @@ data "aws_iam_policy_document" "key_policy_combined" {
 data "aws_iam_policy_document" "empty" {}
 
 data "aws_kms_key" "incoming_key" {
-  count  = var.kms_key_arn == null ? 0 : 1
+  count  = var.use_kms_encryption && var.kms_key_arn == null ? 0 : 1
   key_id = var.kms_key_arn
 }
diff --git a/common/resources.tf b/common/resources.tf
@@ -122,7 +122,7 @@ data "aws_iam_policy_document" "this" {
       condition {
         test     = "StringNotEquals"
         variable = "s3:x-amz-server-side-encryption"
-        values   = ["aws:kms"]
+        values   = ["aws:kms", "AES256"]
       }
     }
   }
@@ -299,8 +299,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
   rule {
     apply_server_side_encryption_by_default {
       #        kms_master_key_id = aws_kms_key.key.arn
-      kms_master_key_id = local.kms_key_arn
-      sse_algorithm     = "aws:kms"
+      kms_master_key_id = var.use_kms_key ? local.kms_key_arn : null
+      sse_algorithm     = var.use_kms_key ? "aws:kms" : "AES256"
     }
     bucket_key_enabled = var.bucket_key_enabled
   }

diff --git a/common/variables.kms.tf b/common/variables.kms.tf
@@ -21,3 +21,9 @@ variable "kms_admin_roles" {
   type        = list(string)
   default     = []
 }
+
+variable "use_kms_encryption" {
+  description = "Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access"
+  type        = bool
+  default     = true
+}
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "3.1.0"
+  _module_version = "3.2.0"
 }