Merge pull request #2 from mhlias/add_s3_state_encrypt_option

Add option in project config to enable s3 remote state encryption.

README.md

@@ -35,6 +35,7 @@ project: name_of_your_project
 region: eu-west-1
 roam-role: roam-role
 use-sts: true
+encrypt-s3-state: true
 accounts-mapping:
     project-dev: 100000000001
     project-prd: 100000000002
@@ -44,6 +45,7 @@ accounts-mapping:
 - `region` is the AWS region your project will be deployed into
 - `roam-role` is the AWS IAM role that you can assume in the project's AWS accounts *1
 - `use-sts` is a boolean value that enables or disables STS authentication. If not enabled a profile name matching project-dev/prd is expected to be found in your AWS shared credentials file with access and secret keys.
+- `encrypt-s3-state` is a boolean value that enables or disables S3 remote state server side encryption.
 - `accounts-mapping` is a hash mapping your account-dev/prd used in the project to their AWS account IDS which is needed to assume roles and get STS tokens
 
 

main.go

@@ -24,6 +24,7 @@ type conf struct {
 	Roam_role        string            `yaml:"roam-role"`
 	Accounts_mapping map[string]string `yaml:"accounts-mapping"`
 	Use_sts          bool              `yaml:"use-sts"`
+	Encrypt_s3_state bool              `yaml:"encrypt-s3-state"`
 	environment      string
 	account          string
 }
@@ -101,8 +102,9 @@ func main() {
 	}
 
 	state_config := &tf_helper.Config{Bucket_name: fmt.Sprintf("%s-%s-%s-tfstate", project_config.Project, project_config.account, project_config.environment),
-		State_filename: fmt.Sprintf("%s-%s-%s.tfstate", project_config.Project, project_config.account, project_config.environment),
-		Versioning:     true,
+		State_filename:   fmt.Sprintf("%s-%s-%s.tfstate", project_config.Project, project_config.account, project_config.environment),
+		Versioning:       true,
+		Encrypt_s3_state: project_config.Encrypt_s3_state,
 	}
 
 	modules := &tf_helper.Modules{}

main_test.go

@@ -11,7 +11,7 @@ func TestProjectConfig(t *testing.T) {
 
 	project_config := load_config(fmt.Sprintf("%s/project.yaml", fixtures_dir))
 
-	if project_config.Project != "test" || project_config.Region != "eu-west-1" || !project_config.Use_sts || project_config.Roam_role != "roam-role" || len(project_config.Accounts_mapping[fmt.Sprintf("%s-dev", project_config.Project)]) <= 0 || len(project_config.Accounts_mapping[fmt.Sprintf("%s-prd", project_config.Project)]) <= 0 {
+	if project_config.Project != "test" || project_config.Region != "eu-west-1" || !project_config.Use_sts || !project_config.Encrypt_s3_state || project_config.Roam_role != "roam-role" || len(project_config.Accounts_mapping[fmt.Sprintf("%s-dev", project_config.Project)]) <= 0 || len(project_config.Accounts_mapping[fmt.Sprintf("%s-prd", project_config.Project)]) <= 0 {
 		t.Fatal("Project configuration parameters in fixtures don't match expected values when parsed.")
 	}
 

test-fixtures/project.yaml

@@ -4,6 +4,7 @@ project: test
 region: eu-west-1
 roam-role: roam-role
 use-sts: true
+encrypt-s3-state: true
 accounts-mapping:
     test-dev: 1001
     test-prd: 1002

tf_helper/state.go

@@ -10,9 +10,10 @@ import (
 )
 
 type Config struct {
-	Bucket_name    string
-	State_filename string
-	Versioning     bool
+	Bucket_name      string
+	State_filename   string
+	Encrypt_s3_state bool
+	Versioning       bool
 }
 
 func (c *Config) Create_bucket(client interface{}) bool {
@@ -107,6 +108,7 @@ func (c *Config) Setup_remote_state() {
 		"-backend=S3",
 		fmt.Sprintf("-backend-config=bucket=%s", c.Bucket_name),
 		fmt.Sprintf("-backend-config=key=%s", c.State_filename),
+		fmt.Sprintf("-backend-config=encrypt=%t", c.Encrypt_s3_state),
 	}
 
 	if ExecCmd(cmdName, args) {