F d 2217

aws/data_source_aws_s3_bucket.go

@@ -18,6 +18,45 @@ func dataSourceAwsS3Bucket() *schema.Resource {
 				Type:     schema.TypeString,
 				Required: true,
 			},
+			"server_side_encryption_configuration": {
+				Type:     schema.TypeList,
+				MaxItems: 1,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"enabled": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
+						"rule": {
+							Type:     schema.TypeList,
+							MaxItems: 1,
+							Computed: true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"apply_server_side_encryption_by_default": {
+										Type:     schema.TypeList,
+										MaxItems: 1,
+										Computed: true,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"kms_master_key_id": {
+													Type:     schema.TypeString,
+													Computed: true,
+												},
+												"sse_algorithm": {
+													Type:     schema.TypeString,
+													Computed: true,
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
 			"arn": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -70,6 +109,45 @@ func dataSourceAwsS3BucketRead(d *schema.ResourceData, meta interface{}) error {
 		return err
 	}
 
+	if err := bucketEncryption(d, bucket, conn); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func bucketEncryption(data *schema.ResourceData, bucket string, conn *s3.S3) error {
+	input := &s3.GetBucketEncryptionInput{
+		Bucket: aws.String(bucket),
+	}
+	output, err := conn.GetBucketEncryption(input)
+	if err != nil {
+		if isAWSErr(err, "ServerSideEncryptionConfigurationNotFoundError", "encryption configuration was not found") {
+			log.Printf("[DEBUG] Default encryption is not enabled for %s", bucket)
+			data.Set("server_side_encryption_configuration", []map[string]interface{}{
+				{
+					"enabled": false,
+				},
+			})
+			return nil
+		} else {
+			return err
+		}
+	}
+	if ruleCount := len(output.ServerSideEncryptionConfiguration.Rules); ruleCount != 1 {
+		return fmt.Errorf("expect one rule returned but there are %d rules. Changes required in the data source to support this", ruleCount)
+	}
+	defaultRuleConfiguration := output.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault
+	defaultRule := make([]map[string]interface{}, 1)
+	defaultRule[0]["kms_master_key_id"] = aws.StringValue(defaultRuleConfiguration.KMSMasterKeyID)
+	defaultRule[0]["sse_algorithm"] = aws.StringValue(defaultRuleConfiguration.SSEAlgorithm)
+
+	encryptionConfiguration := make([]map[string]interface{}, 1)
+	encryptionConfiguration[0]["enabled"] = true
+	encryptionConfiguration[0]["rule"] = make([]map[string]interface{}, 1)
+	encryptionConfiguration[0]["rule"].(map[string]interface{})["apply_server_side_encryption_by_default"] = defaultRule
+
+	data.Set("server_side_encryption_configuration", encryptionConfiguration)
 	return nil
 }
 

aws/data_source_aws_s3_bucket_test.go

@@ -56,6 +56,27 @@ func TestAccDataSourceS3Bucket_website(t *testing.T) {
 	})
 }
 
+func TestAccDataSourceS3Bucket_whenDefaultEncryptionNotEnabled(t *testing.T) {
+	rInt := acctest.RandInt()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSDataSourceS3BucketConfig_basic(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSS3BucketExists("data.aws_s3_bucket.bucket"),
+					resource.TestCheckResourceAttr(
+						"data.aws_s3_bucket.bucket", "server_side_encryption_configuration.0.enabled", "false"),
+					resource.TestCheckResourceAttr(
+						"data.aws_s3_bucket.bucket", "server_side_encryption_configuration.0.rule.#", "0"),
+				),
+			},
+		},
+	})
+}
+
 func testAccAWSDataSourceS3BucketConfig_basic(randInt int) string {
 	return fmt.Sprintf(`
 resource "aws_s3_bucket" "bucket" {

website/docs/d/s3_bucket.html.markdown

@@ -69,4 +69,10 @@ The following attributes are exported:
 * `hosted_zone_id` - The [Route 53 Hosted Zone ID](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_website_region_endpoints) for this bucket's region.
 * `region` - The AWS region this bucket resides in.
 * `website_endpoint` - The website endpoint, if the bucket is configured with a website. If not, this will be an empty string.
-* `website_domain` - The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records.
+* `website_domain` - The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records.
+* `server_side_encryption_configuration` - The encryption configuration for the bucket
+  * `enabled` - True if default encryption is enabled, false otherwise
+  * `rule` - Only available if `enabled` is true
+     * `apply_server_side_encryption_by_default` - Details about the default encryption
+        * `kms_master_key_id` - AWS KMS Key Id that is used to encrypt in server side
+        * `sse_algorithm` - Encryption algorithm used. Possible values are `AES256` and `aws:kms`