* 3.4.1 -- 2026-03-12

  - kms_key
    - add key_description variable

CHANGELOG.md

@@ -188,3 +188,7 @@ This works with the Terraform AWS provider 4.x, released 2022-02.
 * 3.4.0 -- 2023-09-12
   - public submodule
     - new module to allow the use of public buckets (block_public_policy=false)
+
+* 3.4.1 -- 2026-03-12
+  - kms_key
+    - add key_description variable

common/kms.tf

@@ -17,7 +17,7 @@ locals {
 #---
 resource "aws_kms_key" "key" {
   count               = local.use_kms_encryption && var.kms_key_arn == null ? 1 : 0
-  description         = "KMS CMK for S3 bucket ${local.name}"
+  description         = var.key_description == null ? "KMS CMK for ${local.name}" : var.key_description
   enable_key_rotation = true
   policy              = data.aws_iam_policy_document.key_policy_combined.json
   multi_region        = var.multi_region

common/variables.kms.tf

@@ -33,3 +33,10 @@ variable "multi_region" {
   type        = bool
   default     = false
 }
+
+variable "key_description" {
+  description = "KMS Key Description"
+  type        = string
+  default     = null
+}
+

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "3.4.0"
+  _module_version = "3.4.1"
 }

kms_key/README.md

@@ -12,8 +12,9 @@ module "simple-key" {
   key_name = "my-simple-key"
 
   ## optional
-  # kms_admin_roles   = [ aws_iam_role.cloud-admin.arn ]
+  # kms_admin_roles     = [ aws_iam_role.cloud-admin.arn ]
   # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+  # key_description     = "My key description"
 }
 
 output "simple-key-info" {
@@ -27,10 +28,10 @@ output "simple-key-info" {
 ```
 
 ## Usage: Reference
-To use the new refactored module with the AWS provider v4.x, use `?ref=3`, otherwise leave this part off.
+To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade`, otherwise leave this part off.
 ```hcl
 module "my-bucket" {
-  source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=3"
+  source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade"
 
   bucket_name       = "my-normalbucket"
   access_log_bucket = "my-logbucket"
@@ -80,6 +81,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_data_safeguards"></a> [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no |
 | <a name="input_enable_title26"></a> [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no |
+| <a name="input_key_description"></a> [key\_description](#input\_key\_description) | KMS Key Description | `string` | `null` | no |
 | <a name="input_key_name"></a> [key\_name](#input\_key\_name) | KMS Key Name (alias).  Standard prefix will be added. | `string` | n/a | yes |
 | <a name="input_kms_admin_roles"></a> [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key.  The root user is included by default. | `list(string)` | `[]` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS Key ARN, a key created external to this module call. | `string` | `null` | no |

kms_key/main.tf

@@ -13,8 +13,9 @@
 *   key_name = "my-simple-key"
 * 
 *   ## optional
-*   # kms_admin_roles   = [ aws_iam_role.cloud-admin.arn ]
+*   # kms_admin_roles     = [ aws_iam_role.cloud-admin.arn ]
 *   # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+*   # key_description     = "My key description"
 * }
 * 
 * output "simple-key-info" {
@@ -28,10 +29,10 @@
 * ```
 *
 * ## Usage: Reference
-* To use the new refactored module with the AWS provider v4.x, use `?ref=3`, otherwise leave this part off.
+* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade`, otherwise leave this part off.
 * ```hcl
 * module "my-bucket" {
-*   source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=3"
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade"
 * 
 *   bucket_name       = "my-normalbucket"
 *   access_log_bucket = "my-logbucket"

public/README.md

@@ -5,13 +5,13 @@ rare condition that a public bucket is approved for use.  It sets `bucket_public
 SS3-S3 encryption.
 
 # Usage
-To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=3`), otherwise leave this part off.
+To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=tf-upgrade`), otherwise leave this part off.
 If you are converting an older version of the module to the new AWS provider with `?ref=tf-upgrade`, please follow
 the [updating directions](updating-buckets.md).
 
 ```hcl
 module "my-bucket" {
-  source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//public?ref=3"
+  source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//public?ref=tf-upgrade"
 
   bucket_name       = "my-public-bucket"
   access_log_bucket = "my-logbucket"

public/main.tf

@@ -6,13 +6,13 @@
 * SS3-S3 encryption.
 * 
 * # Usage 
-* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=3`), otherwise leave this part off.
+* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=tf-upgrade`), otherwise leave this part off.
 * If you are converting an older version of the module to the new AWS provider with `?ref=tf-upgrade`, please follow
 * the [updating directions](updating-buckets.md).
 * 
 * ```hcl
 * module "my-bucket" {
-*   source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//public?ref=3"
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//public?ref=tf-upgrade"
 * 
 *   bucket_name       = "my-public-bucket"
 *   access_log_bucket = "my-logbucket"

standard/README.md

@@ -7,7 +7,7 @@ non-FTI Data.  This includes
 Other configurations such as versioning or data safegurad tagging (only on the bucket/keys) are oiptional
 
 # Usage
-To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=3`), otherwise leave this part off.
+To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=tf-upgrade`), otherwise leave this part off.
 If you are converting an older version of the module to the new AWS provider with `?ref=tf-upgrade`, please follow
 the [updating directions](updating-buckets.md).
 
@@ -19,7 +19,7 @@ coexist (easily).
 
 ```hcl
 module "my-bucket" {
-  source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=3"
+  source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade"
 
   bucket_name       = "my-normalbucket"
   access_log_bucket = "my-logbucket"
@@ -228,6 +228,7 @@ No modules.
 | <a name="input_data_safeguards"></a> [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no |
 | <a name="input_enable_title26"></a> [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted.  The deletion may take a very long time based on the number of objects.  You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
+| <a name="input_key_description"></a> [key\_description](#input\_key\_description) | KMS Key Description | `string` | `null` | no |
 | <a name="input_kms_admin_roles"></a> [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key.  The root user is included by default. | `list(string)` | `[]` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS Key ARN, a key created external to this module call. | `string` | `null` | no |
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket).  This is currently ignored (and deprecated). | `string` | `null` | no |

standard/main.tf

@@ -8,7 +8,7 @@
 * Other configurations such as versioning or data safegurad tagging (only on the bucket/keys) are oiptional
 * 
 * # Usage 
-* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=3`), otherwise leave this part off.
+* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=tf-upgrade`), otherwise leave this part off.
 * If you are converting an older version of the module to the new AWS provider with `?ref=tf-upgrade`, please follow
 * the [updating directions](updating-buckets.md).
 * 
@@ -20,7 +20,7 @@
 * 
 * ```hcl
 * module "my-bucket" {
-*   source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=3"
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade"
 * 
 *   bucket_name       = "my-normalbucket"
 *   access_log_bucket = "my-logbucket"

title26/README.md

@@ -7,7 +7,7 @@ FTI (Title26).  This includes
 - Server Access Logging
 
 # Usage
-To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=tf-3`), otherwise leave this part off.
+To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=tf-upgrade`), otherwise leave this part off.
 If you are converting an older version of the module to the new AWS provider with `?ref=tf-upgrade`, please follow
 the [updating directions](updating-buckets.md).
 
@@ -19,7 +19,7 @@ coexist (easily).
 
 ```hcl
 module "mybucket" {
-  source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//title26?ref=3"
+  source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//title26?ref=tf-upgrade"
 
   bucket_name = "myt26bucket"
   access_log_bucket = "mylogbucket"
@@ -222,9 +222,10 @@ No modules.
 | <a name="input_bucket_policy_disabled"></a> [bucket\_policy\_disabled](#input\_bucket\_policy\_disabled) | Flag to enable or disable the default bucket policy.  This is used for where we need to create the bucket policy outside of the module to prevent cyclical setup | `bool` | `false` | no |
 | <a name="input_bucket_policy_document"></a> [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additional policy to be attached to the bucket beyond the default | `string` | `""` | no |
 | <a name="input_bucket_policy_document_template"></a> [bucket\_policy\_document\_template](#input\_bucket\_policy\_document\_template) | IAM Policy document template describing additional policy to be attached to the bucket beyond the default. This is so we can inject the S3 Bucket ARN into a policy without a loop. Construct the policy with ${s3\_bucket\_arn} where you need it to be in a resource. This also supports ${s3\_bucket\_id} and ${kms\_key\_arn} | `string` | `null` | no |
-| <a name="input_data_safeguards"></a> [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | <pre>[<br>  "title26"<br>]</pre> | no |
+| <a name="input_data_safeguards"></a> [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | <pre>[<br/>  "title26"<br/>]</pre> | no |
 | <a name="input_enable_title26"></a> [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `true` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted.  The deletion may take a very long time based on the number of objects.  You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
+| <a name="input_key_description"></a> [key\_description](#input\_key\_description) | KMS Key Description | `string` | `null` | no |
 | <a name="input_kms_admin_roles"></a> [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key.  The root user is included by default. | `list(string)` | `[]` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS Key ARN, a key created external to this module call. | `string` | `null` | no |
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket).  This is currently ignored (and deprecated). | `string` | `null` | no |

title26/main.tf

@@ -8,7 +8,7 @@
 * - Server Access Logging
 * 
 * # Usage 
-* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=tf-3`), otherwise leave this part off.
+* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=tf-upgrade`), otherwise leave this part off.
 * If you are converting an older version of the module to the new AWS provider with `?ref=tf-upgrade`, please follow
 * the [updating directions](updating-buckets.md).
 * 
@@ -20,7 +20,7 @@
 *
 * ```hcl
 * module "mybucket" {
-*   source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//title26?ref=3"
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//title26?ref=tf-upgrade"
 *
 *   bucket_name = "myt26bucket"
 *   access_log_bucket = "mylogbucket"