From e9dcc211445f9e315d894e61cd147cf5acf151d9 Mon Sep 17 00:00:00 2001 From: bkmnaidu Date: Sun, 16 Jan 2022 19:49:30 +0000 Subject: [PATCH] Enable bucket key for reducing the cost of SSE-KMS with Amazon S3 (#115) Co-authored-by: Krishna Mohan Bandi Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> Co-authored-by: Yonatan Koren --- README.md | 1 + docs/terraform.md | 1 + examples/complete/fixtures.us-east-2.tfvars | 2 ++ examples/complete/main.tf | 1 + examples/complete/variables.tf | 10 ++++++++++ main.tf | 2 ++ variables.tf | 10 ++++++++++ 7 files changed, 27 insertions(+) diff --git a/README.md b/README.md index 4f8ea857..d5d403bc 100644 --- a/README.md +++ b/README.md @@ -260,6 +260,7 @@ Available targets: | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | | [block\_public\_acls](#input\_block\_public\_acls) | Set to `false` to disable the blocking of new public access lists on the bucket | `bool` | `true` | no | | [block\_public\_policy](#input\_block\_public\_policy) | Set to `false` to disable the blocking of new public policies on the bucket | `bool` | `true` | no | +| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Set this to true to use Amazon S3 Bucket Keys for SSE-KMS, which reduce the cost of AWS KMS requests.

For more information, see: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html | `bool` | `false` | no | | [bucket\_name](#input\_bucket\_name) | Bucket name. If provided, the bucket will be created with this name instead of generating the name from the context | `string` | `null` | no | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | | [cors\_rule\_inputs](#input\_cors\_rule\_inputs) | Specifies the allowed headers, methods, origins and exposed headers when using CORS on this bucket |
list(object({
allowed_headers = list(string)
allowed_methods = list(string)
allowed_origins = list(string)
expose_headers = list(string)
max_age_seconds = number
}))
| `null` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 0682c6f0..ab422b2d 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -51,6 +51,7 @@ | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | | [block\_public\_acls](#input\_block\_public\_acls) | Set to `false` to disable the blocking of new public access lists on the bucket | `bool` | `true` | no | | [block\_public\_policy](#input\_block\_public\_policy) | Set to `false` to disable the blocking of new public policies on the bucket | `bool` | `true` | no | +| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Set this to true to use Amazon S3 Bucket Keys for SSE-KMS, which reduce the cost of AWS KMS requests.

For more information, see: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html | `bool` | `false` | no | | [bucket\_name](#input\_bucket\_name) | Bucket name. If provided, the bucket will be created with this name instead of generating the name from the context | `string` | `null` | no | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | | [cors\_rule\_inputs](#input\_cors\_rule\_inputs) | Specifies the allowed headers, methods, origins and exposed headers when using CORS on this bucket |
list(object({
allowed_headers = list(string)
allowed_methods = list(string)
allowed_origins = list(string)
expose_headers = list(string)
max_age_seconds = number
}))
| `null` | no | diff --git a/examples/complete/fixtures.us-east-2.tfvars b/examples/complete/fixtures.us-east-2.tfvars index 39768da2..8232d0f5 100644 --- a/examples/complete/fixtures.us-east-2.tfvars +++ b/examples/complete/fixtures.us-east-2.tfvars @@ -28,3 +28,5 @@ allowed_bucket_actions = [ "s3:GetBucketLocation", "s3:AbortMultipartUpload" ] + +bucket_key_enabled = true diff --git a/examples/complete/main.tf b/examples/complete/main.tf index c9109f31..fa70977f 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -21,6 +21,7 @@ module "s3_bucket" { privileged_principal_actions = var.privileged_principal_actions privileged_principal_arns = local.privileged_principal_arns transfer_acceleration_enabled = true + bucket_key_enabled = var.bucket_key_enabled context = module.this.context } diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 101c3bc0..0f27f4e9 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -246,3 +246,13 @@ variable "privileged_principal_actions" { default = [] description = "List of actions to permit `privileged_principal_arns` to perform on bucket and bucket prefixes (see `privileged_principal_arns`)" } + +variable "bucket_key_enabled" { + type = bool + default = false + description = <<-EOT + Set this to true to use Amazon S3 Bucket Keys for SSE-KMS, which reduce the cost of AWS KMS requests. + + For more information, see: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html + EOT +} \ No newline at end of file diff --git a/main.tf b/main.tf index f06e79bb..c45700c7 100644 --- a/main.tf +++ b/main.tf 
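Review bot: The new `bucket_key_enabled` description in examples/complete/variables.tf (and the identical one in the variables.tf hunk) documents only the cost benefit and omits the consequence that matters for key policies: with an S3 Bucket Key, S3 uses the bucket ARN instead of the object ARN as the KMS encryption context, so any `kms:EncryptionContext:aws:s3:arn` condition in a customer-managed key policy or IAM policy that pins object ARNs stops matching once the flag is on, and the setting applies only to objects written afterwards. I would append two sentences to the heredoc: `Bucket Keys change the KMS encryption context from the object ARN to the bucket ARN; review any key or IAM policy conditions on aws:s3:arn before enabling.` and `Only objects written after it is enabled are affected.` The example file also ends without a trailing newline (`\ No newline at end of file`), unlike the root variables.tf; adding one keeps the two files consistent.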
@@ -116,6 +116,8 @@ resource "aws_s3_bucket" "default" { # https://www.terraform.io/docs/providers/aws/r/s3_bucket.html#enable-default-server-side-encryption server_side_encryption_configuration { rule { + bucket_key_enabled = var.bucket_key_enabled + apply_server_side_encryption_by_default { sse_algorithm = var.sse_algorithm kms_master_key_id = var.kms_master_key_arn diff --git a/variables.tf b/variables.tf index e3ccb303..e8ebfea2 100644 --- a/variables.tf +++ b/variables.tf @@ -281,3 +281,13 @@ variable "s3_object_ownership" { default = "ObjectWriter" description = "Specifies the S3 object ownership control. Valid values are `ObjectWriter`, `BucketOwnerPreferred`, and 'BucketOwnerEnforced'." } + +variable "bucket_key_enabled" { + type = bool + default = false + description = <<-EOT + Set this to true to use Amazon S3 Bucket Keys for SSE-KMS, which reduce the cost of AWS KMS requests. + + For more information, see: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html + EOT +}
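Review bot: `bucket_key_enabled = var.bucket_key_enabled` is set on the `rule` block regardless of `sse_algorithm`; Bucket Keys are an SSE-KMS feature, so when the module is configured with `AES256` the flag is at best a no-op and the provider/API behavior for that combination is not something this hunk establishes. Consider gating it so it can only be true when KMS is in use, e.g. `bucket_key_enabled = var.sse_algorithm == "aws:kms" ? var.bucket_key_enabled : false`, which keeps the default-false behavior for existing users. The `rule`-level `bucket_key_enabled` argument also depends on a sufficiently recent AWS provider; the version constraint is outside this patch, so confirm it is satisfied. The enclosing `aws_s3_bucket` resource begins before and ends after this hunk.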