-
Notifications
You must be signed in to change notification settings - Fork 9.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
provider/aws: Support KMS encryption of S3 objects #5453
Conversation
…that are put into a bucket.
Type: schema.TypeString, | ||
Optional: true, | ||
}, | ||
|
||
"etag": &schema.Schema{ | ||
Type: schema.TypeString, | ||
// This will conflict with SSE-C and SSE-KMS encryption and multi-part upload |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since we cannot use ValidateFunc
to guard against this (until #4348 is finished/merged), I think we'll have to add some conditionals into Create
and Update
.
Essentially we want to prevent the user from specifying etag
when they specified kms_key_id
, because there's no way they can calculate that (unless they know how AWS encrypts the data via KMS).
It would be great if we could also somehow prevent them from using the calculated value, as that's useless too, but I'm not quite sure how to approach that. It actually may be useful for at least knowing that object has changed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is ConflictsWith
sufficient to express this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct me if I'm wrong but AFAIK it cannot be used with Computed
fields as it would always be conflicting.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oooooh you're right - I had forgotten!
Okay so we have to fall back to docs or checks within Create/Update like you said.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I got that covered in the next few lines. Is this ready to roll?
Sent from my iPhone
On Mar 10, 2016, at 1:27 PM, Paul Hinze notifications@github.com wrote:
In builtin/providers/aws/resource_aws_s3_bucket_object.go:
@@ -74,6 +75,11 @@ func resourceAwsS3BucketObject() *schema.Resource {
ConflictsWith: []string{"source"},
},
"kms_key_id": &schema.Schema{
Type: schema.TypeString,
Optional: true,
},
Oooooh you're right - I had forgotten!
"etag": &schema.Schema{ Type: schema.TypeString, // This will conflict with SSE-C and SSE-KMS encryption and multi-part upload
Okay so we have to fall back to docs or checks within Create/Update like you said.
—
Reply to this email directly or view it on GitHub.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh great! Sorry I missed that. Yep this looks good. Merging now!
…vided and now with ServerSideEncryption we can go back to the higher level PutObject.
return fmt.Errorf("Unable to specify kms_key_id and etag on the same object") | ||
} | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@radeksimko Does this suffice for the parameter conflict?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd try improving the message for the user, so they also understand why.
e.g. Unable to specify 'kms_key_id' and 'etag' together because 'etag' wouldn't equal MD5 digest of the raw object data
…and etag as well as using aws_kms_key to test aws_s3_bucket's kms_key_id.
@radeksimko @phinze I think this is good to go now, the test failed in some unrelated section and I don't think I can trigger a rebuild |
Hi @bigkraig one last Q about |
Great work @bigkraig! 👍 |
provider/aws: Support KMS encryption of S3 objects
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
I've added a kms_key_id parameter to aws_s3_bucket_object that will allow you to encrypt objects placed into a bucket.