r/aws_s3_bucket: support default server side encryption configuration #2472
Hey @trung Do you need any help finishing this one off?
Yes @radeksimko, I made some changes, but when the acceptance tests are failing... it takes nearly 15 min to rerun the whole suite ...
Full test suite
I reran those failing tests and they all passed
@radeksimko once you are ok, I'll do the documentation
This is a bug in acceptance tests which makes some replication tests fail randomly. I have (hopefully) fixed it in bc018da (PR #2625)
@trung Unfortunately there are some S3 tests which are intermittently failing. Some of those failures are bugs we could fix (outside of the scope of this PR), some are just caused by the eventually consistent nature of S3 and there isn't much we can realistically do. I have seen every one of the failures you posted above at least once - it's unrelated to your PR, so don't worry about these here. Feel free to carry on with documentation.
@trung: as far as I can tell, there is no "refresh" support. I disabled default encryption via the AWS web console and tf did not detect it.
@modax thanks for reporting. I've put a fix.
@trung have you tried this with AES256? I note there is no unit test for it. The reason I ask is that I merged your PR into a custom branch I have. On using AES256 it told me that KMS key should not also be specified (obviously), yet none was specified. Don't have the exact error to hand at the moment.
@psyvision good point, I will add that test case in. I think you are right, for AES256, I should not supply KMSKeyId along
This looks good to me, save for a couple of minor changes. I'll take this one over the line and get it committed. Thanks for all the work so far, @trung and @psyvision!
}, | ||
"sse_algorithm": { | ||
Type: schema.TypeString, | ||
Required: true, |
I think we should consider adding a validation function here - the valid values are aws:kms or AES256. It's conceivable that this list will expand in the future, but additional values can easily be added. This will move a potential error from apply time to plan time, which is desirable.
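As an added example (not the provider's code and not part of this PR): a plan-time validator of the kind suggested above, plus an expand step that leaves the KMS key ID out of the request unless the algorithm is aws:kms, which is the AES256 case raised earlier in the thread. sseDefault, expandSSEDefault and the sample key ID are hypothetical; only the validator's signature follows the helper/schema ValidateFunc shape.

```go
package main

import (
	"fmt"
	"strings"
)

var validSSEAlgorithms = []string{"aws:kms", "AES256"} // values from the review comment

// validateSSEAlgorithm has the shape of a helper/schema ValidateFunc, so it runs at plan time.
func validateSSEAlgorithm(v interface{}, k string) (ws []string, errs []error) {
	s, ok := v.(string)
	if !ok {
		return nil, []error{fmt.Errorf("%q must be a string", k)}
	}
	for _, a := range validSSEAlgorithms {
		if s == a { // case-sensitive: "aes256" is rejected
			return nil, nil
		}
	}
	return nil, []error{fmt.Errorf("%q must be one of [%s], got %q",
		k, strings.Join(validSSEAlgorithms, ", "), s)}
}

// sseDefault is a hypothetical stand-in for the SDK request struct.
type sseDefault struct {
	SSEAlgorithm   string
	KMSMasterKeyID *string // nil: omitted from the request
}

// expandSSEDefault attaches a key ID only for aws:kms, so AES256 never carries one.
func expandSSEDefault(algorithm, kmsKeyID string) (*sseDefault, error) {
	if _, errs := validateSSEAlgorithm(algorithm, "sse_algorithm"); len(errs) > 0 {
		return nil, errs[0]
	}
	out := &sseDefault{SSEAlgorithm: algorithm}
	if kmsKeyID == "" {
		return out, nil // for aws:kms, S3 then uses the AWS managed key
	}
	if algorithm != "aws:kms" {
		return nil, fmt.Errorf("KMS key ID given with %q; only valid with aws:kms", algorithm)
	}
	out.KMSMasterKeyID = &kmsKeyID
	return out, nil
}

func main() {
	fmt.Println(expandSSEDefault("AES256", "example-key-id")) // constructed input; returns an error
}
```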
@@ -1739,6 +1868,25 @@ func resourceAwsS3BucketLifecycleUpdate(s3conn *s3.S3, d *schema.ResourceData) e | |||
return nil | |||
} | |||
|
|||
func flatternAwsS3ServerSideEncryptionConfiguration(c *s3.ServerSideEncryptionConfiguration) []map[string]interface{} { |
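Review bot: the new helper's parameter c *s3.ServerSideEncryptionConfiguration is a pointer, and the lines shown here do not include a nil check, so confirm that the read path cannot pass nil for a bucket with no default encryption, or return an empty slice early when c == nil. That case matters for refresh: a bucket whose encryption was disabled outside Terraform should end up with the block cleared in state rather than a nil dereference.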
Typo: flattern -> flatten
@jen20 thanks for the review. I'll make some modifications per your comments
@trung No need, I'll make them as I merge. Thanks!
Thanks, but where I could make SSE toggle-able in a policy, I cannot with this implementation :(
Great work guys. Is there a label to define what version of aws provider you need to run this? I was on 1.5 and it complained that it could not interpret this resource. I nuked my dotfiles, reinstalled (with aws 1.6) and it worked.
@shavo007 It's been added to the change log under 1.6.0 improvements.
No worries. Is it possible to add a milestone label in future?
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Fix #2217 and #2196
API: http://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html
resource_aws_s3_bucket
Related to #2300