

hashicorp#2217: updated r/aws_s3_bucket to support default server sid…
…e encryption configuration
trung committed Nov 29, 2017
1 parent 12ac5c6 commit 897ac16
Showing 1 changed file with 139 additions and 0 deletions.
139 changes: 139 additions & 0 deletions aws/resource_aws_s3_bucket.go
Expand Up @@ -392,6 +392,42 @@ func resourceAwsS3Bucket() *schema.Resource {
},
},

"server_side_encryption_configuration": {
Type: schema.TypeList,
MaxItems: 1,
Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"rule": {
Type: schema.TypeList,
MaxItems: 1,
Required: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"apply_server_side_encryption_by_default": {
Type: schema.TypeList,
MaxItems: 1,
Required: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"kms_master_key_id": {
Type: schema.TypeString,
Optional: true,
},
"sse_algorithm": {
Type: schema.TypeString,
Required: true,
},
},
},
},
},
},
},
},
},
},

"tags": tagsSchema(),
},
}
Expand Down Expand Up @@ -531,6 +567,12 @@ func resourceAwsS3BucketUpdate(d *schema.ResourceData, meta interface{}) error {
}
}

if d.HasChange("server_side_encryption_configuration") {
if err := resourceAwsS3BucketServerSideEncryptionConfigurationUpdate(s3conn, d); err != nil {
return err
}
}

return resourceAwsS3BucketRead(d, meta)
}

Expand Down Expand Up @@ -941,6 +983,29 @@ func resourceAwsS3BucketRead(d *schema.ResourceData, meta interface{}) error {
}
}

// Read the bucket server side encryption configuration

encryptionResponse, err := retryOnAwsCode("NoSuchBucket", func() (interface{}, error) {
return s3conn.GetBucketEncryption(&s3.GetBucketEncryptionInput{
Bucket: aws.String(d.Id()),
})
})
if err != nil {
if isAWSErr(err, "ServerSideEncryptionConfigurationNotFoundError", "encryption configuration was not found") {
log.Printf("[DEBUG] Default encryption is not enabled for %s", d.Id())
} else {
return err
}
} else {
encryption := encryptionResponse.(*s3.GetBucketEncryptionOutput)
if c := encryption.ServerSideEncryptionConfiguration; c != nil {
if err := d.Set("server_side_encryption_configuration", flatternAwsS3ServerSideEncryptionConfiguration(c)); err != nil {
log.Printf("[DEBUG] Error setting server side encryption configuration: %s", err)
return err
}
}
}

// Add the region as an attribute

locationResponse, err := retryOnAwsCode("NoSuchBucket", func() (interface{}, error) {
Expand Down Expand Up @@ -1493,6 +1558,64 @@ func resourceAwsS3BucketRequestPayerUpdate(s3conn *s3.S3, d *schema.ResourceData
return nil
}

func resourceAwsS3BucketServerSideEncryptionConfigurationUpdate(s3conn *s3.S3, d *schema.ResourceData) error {
bucket := d.Get("bucket").(string)
serverSideEncryptionConfiguration := d.Get("server_side_encryption_configuration").([]interface{})

if len(serverSideEncryptionConfiguration) == 0 {
i := &s3.DeleteBucketEncryptionInput{
Bucket: aws.String(bucket),
}

err := resource.Retry(1*time.Minute, func() *resource.RetryError {
if _, err := s3conn.DeleteBucketEncryption(i); err != nil {
return resource.NonRetryableError(err)
}
return nil
})
if err != nil {
return fmt.Errorf("error removing S3 bucket server side encryption: %s", err)
}
return nil
}

c := serverSideEncryptionConfiguration[0].(map[string]interface{})

rc := &s3.ServerSideEncryptionConfiguration{}

rcRules := c["rule"].([]interface{})
rules := []*s3.ServerSideEncryptionRule{}
for _, v := range rcRules {
rr := v.(map[string]interface{})
rrDefault := rr["apply_server_side_encryption_by_default"].(map[string]interface{})
rcDefaultRule := &s3.ServerSideEncryptionByDefault{
SSEAlgorithm: aws.String(rrDefault["sse_algorithm"].(string)),
KMSMasterKeyID: aws.String(rrDefault["kms_master_key_id"].(string)),
}
rcRule := &s3.ServerSideEncryptionRule{
ApplyServerSideEncryptionByDefault: rcDefaultRule,
}

rules = append(rules, rcRule)
}

rc.Rules = rules
i := &s3.PutBucketEncryptionInput{
Bucket: aws.String(bucket),
ServerSideEncryptionConfiguration: rc,
}
log.Printf("[DEBUG] S3 put bucket replication configuration: %#v", i)

_, err := retryOnAwsCode("NoSuchBucket", func() (interface{}, error) {
return s3conn.PutBucketEncryption(i)
})
if err != nil {
return fmt.Errorf("error putting S3 server side encryption configuration: %s", err)
}

return nil
}

func resourceAwsS3BucketReplicationConfigurationUpdate(s3conn *s3.S3, d *schema.ResourceData) error {
bucket := d.Get("bucket").(string)
replicationConfiguration := d.Get("replication_configuration").([]interface{})
Expand Down Expand Up @@ -1739,6 +1862,22 @@ func resourceAwsS3BucketLifecycleUpdate(s3conn *s3.S3, d *schema.ResourceData) e
return nil
}

func flatternAwsS3ServerSideEncryptionConfiguration(c *s3.ServerSideEncryptionConfiguration) []map[string]interface{} {
encryptionConfiguration := make([]map[string]interface{}, 0, 1)
rules := make([]interface{}, 0, len(c.Rules))
for _, v := range c.Rules {
if v.ApplyServerSideEncryptionByDefault != nil {
r := make(map[string]interface{})
d := make(map[string]interface{})
d["kms_master_key_id"] = *v.ApplyServerSideEncryptionByDefault.KMSMasterKeyID
d["sse_algorithm"] = *v.ApplyServerSideEncryptionByDefault.SSEAlgorithm
r["apply_server_side_encryption_by_default"] = d
rules = append(rules, r)
}
}
return encryptionConfiguration
}

func flattenAwsS3BucketReplicationConfiguration(r *s3.ReplicationConfiguration) []map[string]interface{} {
replication_configuration := make([]map[string]interface{}, 0, 1)
m := make(map[string]interface{})
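Review bot: The new flatternAwsS3ServerSideEncryptionConfiguration builds `rules` but never attaches it to `encryptionConfiguration`, so the helper always returns an empty slice and the read path in resourceAwsS3BucketRead never records the bucket's default-encryption settings in state. Inside its loop, `*v.ApplyServerSideEncryptionByDefault.KMSMasterKeyID` is dereferenced unconditionally although the API leaves that field unset when the algorithm is not aws:kms (so reading a bucket with AES256 default encryption would likely panic), and `apply_server_side_encryption_by_default` is stored as a bare map while the schema declares it a one-element TypeList. The same list/map mismatch appears on the update side, where `rr["apply_server_side_encryption_by_default"].(map[string]interface{})` in resourceAwsS3BucketServerSideEncryptionConfigurationUpdate asserts a map on a value that `d.Get` returns as `[]interface{}`, and `KMSMasterKeyID` is always populated there, sending an empty key id alongside AES256. The debug line in that function also still reads `S3 put bucket replication configuration`, a copy-paste leftover from the replication helper. The fence below rewrites the flatten helper; the update helper needs the mirror-image change.
```go
func flatternAwsS3ServerSideEncryptionConfiguration(c *s3.ServerSideEncryptionConfiguration) []map[string]interface{} {
	encryptionConfiguration := make([]map[string]interface{}, 0, 1)
	rules := make([]interface{}, 0, len(c.Rules))
	for _, v := range c.Rules {
		if v.ApplyServerSideEncryptionByDefault != nil {
			d := make(map[string]interface{})
			// KMSMasterKeyID is only present for aws:kms; a nil check avoids a panic on AES256 buckets.
			if v.ApplyServerSideEncryptionByDefault.KMSMasterKeyID != nil {
				d["kms_master_key_id"] = *v.ApplyServerSideEncryptionByDefault.KMSMasterKeyID
			}
			if v.ApplyServerSideEncryptionByDefault.SSEAlgorithm != nil {
				d["sse_algorithm"] = *v.ApplyServerSideEncryptionByDefault.SSEAlgorithm
			}
			// The schema declares this block as a TypeList with MaxItems 1, so wrap the map in a slice.
			r := map[string]interface{}{
				"apply_server_side_encryption_by_default": []interface{}{d},
			}
			rules = append(rules, r)
		}
	}
	// Attach the collected rules; the original returned the empty outer slice.
	encryptionConfiguration = append(encryptionConfiguration, map[string]interface{}{"rule": rules})
	return encryptionConfiguration
}
```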
