diff --git a/CHANGELOG.md b/CHANGELOG.md
index a0213bd..51828ff 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -188,3 +188,7 @@ This works with the Terraform AWS provider 4.x, released 2022-02.
 * 3.4.0 -- 2023-09-12 - public submodule - new module to allow the use of public buckets (block_public_policy=false)
+
+* 3.4.1 -- 2026-03-12
+ - kms_key
+ - add key_description variable
diff --git a/common/kms.tf b/common/kms.tf
index aeafc40..22d2184 100644
--- a/common/kms.tf
+++ b/common/kms.tf
@@ -17,7 +17,7 @@ locals {
 #---
 resource "aws_kms_key" "key" {
 count = local.use_kms_encryption && var.kms_key_arn == null ? 1 : 0
- description = "KMS CMK for S3 bucket ${local.name}"
+ description = var.key_description == null ? "KMS CMK for ${local.name}" : var.key_description
 enable_key_rotation = true
 policy = data.aws_iam_policy_document.key_policy_combined.json
 multi_region = var.multi_region
diff --git a/common/variables.kms.tf b/common/variables.kms.tf
index 713ae95..8864533 100644
--- a/common/variables.kms.tf
+++ b/common/variables.kms.tf
@@ -33,3 +33,10 @@ variable "multi_region" {
 type = bool
 default = false
 }
+
+variable "key_description" {
+ description = "KMS Key Description"
+ type = string
+ default = null
+}
+
diff --git a/common/version.tf b/common/version.tf
index 174f530..ae36e19 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "3.4.0"
+ _module_version = "3.4.1"
 }
diff --git a/kms_key/README.md b/kms_key/README.md
index d9ef42d..57132f8 100644
--- a/kms_key/README.md
+++ b/kms_key/README.md
@@ -12,8 +12,9 @@ module "simple-key" {
 key_name = "my-simple-key"
 ## optional
- # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
+ # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
 # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+ # key_description = "My key description"
 }
 output "simple-key-info" { 
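Review bot: The fallback string on the new `description` line in common/kms.tf drops the words `S3 bucket` from the previous default, so every caller that leaves `key_description` unset will see its key description change on the next plan; nothing in the visible lines explains that, and it is likely unintended. If the old wording is meant to stay, `description = coalesce(var.key_description, "KMS CMK for S3 bucket ${local.name}")` keeps it and also treats an empty string as unset, whereas the ternary passes `""` through as the description. The `aws_kms_key` "key" block closes outside the hunk.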
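Review bot: The `description = "KMS Key Description"` on the new `key_description` variable in common/variables.kms.tf only restates the variable name; it should say what happens when the value is left `null` and that it has no effect when `kms_key_arn` is supplied, since `aws_kms_key.key` in common/kms.tf is only created when that ARN is null. Something like `description = "Description for the module-managed KMS key. When null, a default derived from local.name is used; ignored when kms_key_arn is supplied."` would also flow into the input tables in the README hunks, which appear to copy this text verbatim. The hunk also adds a trailing blank line after the closing `}` at end of file.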
@@ -27,10 +28,10 @@ output "simple-key-info" { ``` ## Usage: Reference -To use the new refactored module with the AWS provider v4.x, use `?ref=3`, otherwise leave this part off. +To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade`, otherwise leave this part off. ```hcl module "my-bucket" { - source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=3" + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade" bucket_name = "my-normalbucket" access_log_bucket = "my-logbucket" @@ -80,6 +81,7 @@ No modules. |------|-------------|------|---------|:--------:| | [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no | | [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no | +| [key\_description](#input\_key\_description) | KMS Key Description | `string` | `null` | no | | [key\_name](#input\_key\_name) | KMS Key Name (alias). Standard prefix will be added. | `string` | n/a | yes | | [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no | | [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS Key ARN, a key created external to this module call. | `string` | `null` | no | diff --git a/kms_key/main.tf b/kms_key/main.tf index b32019e..bdaf203 100644 --- a/kms_key/main.tf +++ b/kms_key/main.tf @@ -13,8 +13,9 @@ * key_name = "my-simple-key" * * ## optional -* # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ] +* # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ] * # kms_policy_document = data.aws_iam_policy_document.mypolicy.json +* # key_description = "My key description" * } * * output "simple-key-info" { 
@@ -28,10 +29,10 @@ * ``` * * ## Usage: Reference -* To use the new refactored module with the AWS provider v4.x, use `?ref=3`, otherwise leave this part off. +* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade`, otherwise leave this part off. * ```hcl * module "my-bucket" { -* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=3" +* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade" * * bucket_name = "my-normalbucket" * access_log_bucket = "my-logbucket" diff --git a/public/README.md b/public/README.md index 73b26fb..61c30bf 100644 --- a/public/README.md +++ b/public/README.md @@ -5,13 +5,13 @@ rare condition that a public bucket is approved for use. It sets `bucket_public SS3-S3 encryption. # Usage -To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=3`), otherwise leave this part off. +To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=tf-upgrade`), otherwise leave this part off. If you are converting an older version of the module to the new AWS provider with `?ref=tf-upgrade`, please follow the [updating directions](updating-buckets.md). ```hcl module "my-bucket" { - source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//public?ref=3" + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//public?ref=tf-upgrade" bucket_name = "my-public-bucket" access_log_bucket = "my-logbucket" diff --git a/public/main.tf b/public/main.tf index e98d6c6..4db9e7d 100644 --- a/public/main.tf +++ b/public/main.tf 
@@ -6,13 +6,13 @@ * SS3-S3 encryption. * * # Usage -* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=3`), otherwise leave this part off. +* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=tf-upgrade`), otherwise leave this part off. * If you are converting an older version of the module to the new AWS provider with `?ref=tf-upgrade`, please follow * the [updating directions](updating-buckets.md). * * ```hcl * module "my-bucket" { -* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//public?ref=3" +* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//public?ref=tf-upgrade" * * bucket_name = "my-public-bucket" * access_log_bucket = "my-logbucket" diff --git a/standard/README.md b/standard/README.md index 76c0f43..5a0e43e 100644 --- a/standard/README.md +++ b/standard/README.md @@ -7,7 +7,7 @@ non-FTI Data. This includes Other configurations such as versioning or data safegurad tagging (only on the bucket/keys) are oiptional # Usage -To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=3`), otherwise leave this part off. +To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=tf-upgrade`), otherwise leave this part off. If you are converting an older version of the module to the new AWS provider with `?ref=tf-upgrade`, please follow the [updating directions](updating-buckets.md). @@ -19,7 +19,7 @@ coexist (easily). ```hcl module "my-bucket" { - source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=3" + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade" bucket_name = "my-normalbucket" access_log_bucket = "my-logbucket" 
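Review bot: The rewritten `Usage` line in the public/main.tf header comment now reads ``(formerly `?ref=tf-upgrade`)``, naming the current ref as its own predecessor; the replacement of `?ref=3` evidently hit the historical reference too, so the line should keep the old ref: ``* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=3`), otherwise leave this part off.``. The same wording defect appears in the standard/main.tf and title26/main.tf hunks (where the old text was `?ref=tf-3`) and in the matching public, standard and title26 README hunks. Separately, `tf-upgrade` reads as a branch name rather than a tag, and a module `source` pinned to a mutable ref can change underneath consumers, so the example should point at a tag or commit hash once one exists. The comment block containing this line starts outside the hunk.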
@@ -228,6 +228,7 @@ No modules. | [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no | | [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no | | [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | +| [key\_description](#input\_key\_description) | KMS Key Description | `string` | `null` | no | | [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no | | [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS Key ARN, a key created external to this module call. | `string` | `null` | no | | [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no | diff --git a/standard/main.tf b/standard/main.tf index e60e744..ccc787c 100644 --- a/standard/main.tf +++ b/standard/main.tf @@ -8,7 +8,7 @@ * Other configurations such as versioning or data safegurad tagging (only on the bucket/keys) are oiptional * * # Usage -* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=3`), otherwise leave this part off. +* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=tf-upgrade`), otherwise leave this part off. * If you are converting an older version of the module to the new AWS provider with `?ref=tf-upgrade`, please follow * the [updating directions](updating-buckets.md). * 
@@ -20,7 +20,7 @@ * * ```hcl * module "my-bucket" { -* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=3" +* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade" * * bucket_name = "my-normalbucket" * access_log_bucket = "my-logbucket" diff --git a/title26/README.md b/title26/README.md index 32446ee..368847d 100644 --- a/title26/README.md +++ b/title26/README.md @@ -7,7 +7,7 @@ FTI (Title26). This includes - Server Access Logging # Usage -To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=tf-3`), otherwise leave this part off. +To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=tf-upgrade`), otherwise leave this part off. If you are converting an older version of the module to the new AWS provider with `?ref=tf-upgrade`, please follow the [updating directions](updating-buckets.md). @@ -19,7 +19,7 @@ coexist (easily). ```hcl module "mybucket" { - source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//title26?ref=3" + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//title26?ref=tf-upgrade" bucket_name = "myt26bucket" access_log_bucket = "mylogbucket" 
@@ -222,9 +222,10 @@ No modules. | [bucket\_policy\_disabled](#input\_bucket\_policy\_disabled) | Flag to enable or disable the default bucket policy. This is used for where we need to create the bucket policy outside of the module to prevent cyclical setup | `bool` | `false` | no | | [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additional policy to be attached to the bucket beyond the default | `string` | `""` | no | | [bucket\_policy\_document\_template](#input\_bucket\_policy\_document\_template) | IAM Policy document template describing additional policy to be attached to the bucket beyond the default. This is so we can inject the S3 Bucket ARN into a policy without a loop. Construct the policy with ${s3\_bucket\_arn} where you need it to be in a resource. This also supports ${s3\_bucket\_id} and ${kms\_key\_arn} | `string` | `null` | no | -| [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` |
[
"title26"
]
| no | +| [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` |
[
"title26"
]
| no | | [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `true` | no | | [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | +| [key\_description](#input\_key\_description) | KMS Key Description | `string` | `null` | no | | [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no | | [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS Key ARN, a key created external to this module call. | `string` | `null` | no | | [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no | diff --git a/title26/main.tf b/title26/main.tf index 2426f47..7887801 100644 --- a/title26/main.tf +++ b/title26/main.tf @@ -8,7 +8,7 @@ * - Server Access Logging * * # Usage -* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=tf-3`), otherwise leave this part off. +* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=tf-upgrade`), otherwise leave this part off. * If you are converting an older version of the module to the new AWS provider with `?ref=tf-upgrade`, please follow * the [updating directions](updating-buckets.md). * @@ -20,7 +20,7 @@ * * ```hcl * module "mybucket" { -* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//title26?ref=3" +* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//title26?ref=tf-upgrade" * * bucket_name = "myt26bucket" * access_log_bucket = "mylogbucket"