Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

provider/aws: Support KMS encryption of S3 objects #5453

Merged
merged 3 commits into from
Mar 10, 2016

Conversation

bigkraig
Copy link
Contributor

@bigkraig bigkraig commented Mar 4, 2016

I've added a kms_key_id parameter to aws_s3_bucket_object that will allow you to encrypt objects placed into a bucket.

@bigkraig bigkraig changed the title Support KMS encryption of S3 objects provider/AWS: Support KMS encryption of S3 objects Mar 4, 2016
@bigkraig bigkraig changed the title provider/AWS: Support KMS encryption of S3 objects provider/aws: Support KMS encryption of S3 objects Mar 4, 2016
Type: schema.TypeString,
Optional: true,
},

"etag": &schema.Schema{
Type: schema.TypeString,
// This will conflict with SSE-C and SSE-KMS encryption and multi-part upload
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we cannot use ValidateFunc to guard against this (until #4348 is finished/merged), I think we'll have to add some conditionals into Create and Update.

Essentially we want to prevent the user from specifying etag when they specified kms_key_id, because there's no way they can calculate that (unless they know how AWS encrypts the data via KMS).

It would be great if we could also somehow prevent them from using the calculated value, as that's useless too, but I'm not quite sure how to approach that. It actually may be useful for at least knowing that object has changed.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is ConflictsWith sufficient to express this?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct me if I'm wrong but AFAIK it cannot be used with Computed fields as it would always be conflicting.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oooooh you're right - I had forgotten!

Okay so we have to fall back to docs or checks within Create/Update like you said.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I got that covered in the next few lines. Is this ready to roll?

Sent from my iPhone

On Mar 10, 2016, at 1:27 PM, Paul Hinze notifications@github.com wrote:

In builtin/providers/aws/resource_aws_s3_bucket_object.go:

@@ -74,6 +75,11 @@ func resourceAwsS3BucketObject() *schema.Resource {
ConflictsWith: []string{"source"},
},

  •       "kms_key_id": &schema.Schema{
    
  •           Type:     schema.TypeString,
    
  •           Optional: true,
    
  •       },
    
    •   "etag": &schema.Schema{
            Type: schema.TypeString,
            // This will conflict with SSE-C and SSE-KMS encryption and multi-part upload
      
    Oooooh you're right - I had forgotten!

Okay so we have to fall back to docs or checks within Create/Update like you said.


Reply to this email directly or view it on GitHub.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh great! Sorry I missed that. Yep this looks good. Merging now!

@radeksimko radeksimko added the waiting-response An issue/pull request is waiting for a response from the community label Mar 4, 2016
…vided and now with ServerSideEncryption we can go back to the higher level PutObject.
return fmt.Errorf("Unable to specify kms_key_id and etag on the same object")
}
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@radeksimko Does this suffice for the parameter conflict?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd try improving the message for the user, so they also understand why.

e.g. Unable to specify 'kms_key_id' and 'etag' together because 'etag' wouldn't equal MD5 digest of the raw object data

…and etag as well as using aws_kms_key to test aws_s3_bucket's kms_key_id.
@bigkraig
Copy link
Contributor Author

@radeksimko @phinze I think this is good to go now, the test failed in some unrelated section and I don't think I can trigger a rebuild

@phinze
Copy link
Contributor

phinze commented Mar 10, 2016

Hi @bigkraig one last Q about ConflictsWith and then once that is resolved we are ready to go.

@phinze
Copy link
Contributor

phinze commented Mar 10, 2016

Great work @bigkraig! 👍

phinze added a commit that referenced this pull request Mar 10, 2016
provider/aws: Support KMS encryption of S3 objects
@phinze phinze merged commit 82765ea into hashicorp:master Mar 10, 2016
@radeksimko radeksimko removed the waiting-response An issue/pull request is waiting for a response from the community label Mar 10, 2016
@ghost
Copy link

ghost commented Apr 27, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 27, 2020
@bigkraig bigkraig deleted the aws-s3-kms-key branch April 27, 2020 15:12
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants