Skip to content

Commit

Permalink
Bring in S3 data default encryption (#6)
Browse files Browse the repository at this point in the history
* hashicorp#2217: get default encryption configuration for s3 bucket data source

* hashicorp#2217: added acceptance test for basic case

* hashicorp#2217: documentation
  • Loading branch information
psyvision authored Dec 11, 2017
1 parent dddba8e commit a6fd2a2
Show file tree
Hide file tree
Showing 3 changed files with 106 additions and 1 deletion.
78 changes: 78 additions & 0 deletions aws/data_source_aws_s3_bucket.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,45 @@ func dataSourceAwsS3Bucket() *schema.Resource {
Type: schema.TypeString,
Required: true,
},
"server_side_encryption_configuration": {
Type: schema.TypeList,
MaxItems: 1,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"enabled": {
Type: schema.TypeBool,
Computed: true,
},
"rule": {
Type: schema.TypeList,
MaxItems: 1,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"apply_server_side_encryption_by_default": {
Type: schema.TypeList,
MaxItems: 1,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"kms_master_key_id": {
Type: schema.TypeString,
Computed: true,
},
"sse_algorithm": {
Type: schema.TypeString,
Computed: true,
},
},
},
},
},
},
},
},
},
},
"arn": {
Type: schema.TypeString,
Computed: true,
Expand Down Expand Up @@ -70,6 +109,45 @@ func dataSourceAwsS3BucketRead(d *schema.ResourceData, meta interface{}) error {
return err
}

if err := bucketEncryption(d, bucket, conn); err != nil {
return err
}

return nil
}

func bucketEncryption(data *schema.ResourceData, bucket string, conn *s3.S3) error {
input := &s3.GetBucketEncryptionInput{
Bucket: aws.String(bucket),
}
output, err := conn.GetBucketEncryption(input)
if err != nil {
if isAWSErr(err, "ServerSideEncryptionConfigurationNotFoundError", "encryption configuration was not found") {
log.Printf("[DEBUG] Default encryption is not enabled for %s", bucket)
data.Set("server_side_encryption_configuration", []map[string]interface{}{
{
"enabled": false,
},
})
return nil
} else {
return err
}
}
if ruleCount := len(output.ServerSideEncryptionConfiguration.Rules); ruleCount != 1 {
return fmt.Errorf("expect one rule returned but there are %d rules. Changes required in the data source to support this", ruleCount)
}
defaultRuleConfiguration := output.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault
defaultRule := make([]map[string]interface{}, 1)
defaultRule[0]["kms_master_key_id"] = aws.StringValue(defaultRuleConfiguration.KMSMasterKeyID)
defaultRule[0]["sse_algorithm"] = aws.StringValue(defaultRuleConfiguration.SSEAlgorithm)

encryptionConfiguration := make([]map[string]interface{}, 1)
encryptionConfiguration[0]["enabled"] = true
encryptionConfiguration[0]["rule"] = make([]map[string]interface{}, 1)
encryptionConfiguration[0]["rule"].(map[string]interface{})["apply_server_side_encryption_by_default"] = defaultRule

data.Set("server_side_encryption_configuration", encryptionConfiguration)
return nil
}

Expand Down
21 changes: 21 additions & 0 deletions aws/data_source_aws_s3_bucket_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,27 @@ func TestAccDataSourceS3Bucket_website(t *testing.T) {
})
}

func TestAccDataSourceS3Bucket_whenDefaultEncryptionNotEnabled(t *testing.T) {
rInt := acctest.RandInt()

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
Steps: []resource.TestStep{
{
Config: testAccAWSDataSourceS3BucketConfig_basic(rInt),
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSS3BucketExists("data.aws_s3_bucket.bucket"),
resource.TestCheckResourceAttr(
"data.aws_s3_bucket.bucket", "server_side_encryption_configuration.0.enabled", "false"),
resource.TestCheckResourceAttr(
"data.aws_s3_bucket.bucket", "server_side_encryption_configuration.0.rule.#", "0"),
),
},
},
})
}

func testAccAWSDataSourceS3BucketConfig_basic(randInt int) string {
return fmt.Sprintf(`
resource "aws_s3_bucket" "bucket" {
Expand Down
8 changes: 7 additions & 1 deletion website/docs/d/s3_bucket.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -69,4 +69,10 @@ The following attributes are exported:
* `hosted_zone_id` - The [Route 53 Hosted Zone ID](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_website_region_endpoints) for this bucket's region.
* `region` - The AWS region this bucket resides in.
* `website_endpoint` - The website endpoint, if the bucket is configured with a website. If not, this will be an empty string.
* `website_domain` - The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records.
* `website_domain` - The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records.
* `server_side_encryption_configuration` - The encryption configuration for the bucket
* `enabled` - True if default encryption is enabled, false otherwise
* `rule` - Only available if `enabled` is true
* `apply_server_side_encryption_by_default` - Details about the default encryption
* `kms_master_key_id` - AWS KMS Key Id that is used to encrypt in server side
* `sse_algorithm` - Encryption algorithm used. Possible values are `AES256` and `aws:kms`

0 comments on commit a6fd2a2

Please sign in to comment.