Add AWS_BACKUP_ENCRYPTION ENV to enable aws backup aes encryption backups

drubin · drubin · commit 5ea41eb3d6e4 · 2017-12-29T16:42:15.000+01:00
Also refactor the multi part config to match
diff --git a/README.md b/README.md
@@ -1027,6 +1027,7 @@ Below is the complete list of available options that can be used to customize yo
 | `AWS_BACKUP_SECRET_ACCESS_KEY` | AWS secret access key. No defaults. |
 | `AWS_BACKUP_BUCKET` | AWS bucket for backup uploads. No defaults. |
 | `AWS_BACKUP_MULTIPART_CHUNK_SIZE` | Enables mulitpart uploads when file size reaches a defined size. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html) |
+| `AWS_BACKUP_ENCRYPTION`     | Turns on AWS Server-Side Encryption.  Defaults to `false`. See at [AWS s3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html) |
 | `GCS_BACKUPS` | Enables automatic uploads to an Google Cloud Storage (GCS) instance. Defaults to `false`.  |
 | `GCS_BACKUP_ACCESS_KEY_ID` | GCS access key id. No defaults |
 | `GCS_BACKUP_SECRET_ACCESS_KEY` | GCS secret access key. No defaults |
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -512,13 +512,15 @@ production: &base
         aws_secret_access_key: '{{AWS_BACKUP_SECRET_ACCESS_KEY}}'
       # The remote 'directory' to store your backups. For S3, this would be the bucket name.
       remote_directory: '{{AWS_BACKUP_BUCKET}}'
-      #start-multipart
+      #start-multipart-aws
       # Use multipart uploads when file size reaches 100MB, see
       # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
       multipart_chunk_size: {{AWS_BACKUP_MULTIPART_CHUNK_SIZE}}
-      #end-multipart
-      #   # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
-      #   # encryption: 'AES256'
+      #end-multipart-aws
+      #start-encryption-aws
+      # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
+      encryption: 'AES256'
+      #end-encryption-aws
       # Fog storage connection settings, see http://fog.io/storage/ .
       #end-aws
       #start-gcs
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
@@ -158,6 +158,7 @@ AWS_BACKUP_ACCESS_KEY_ID=${AWS_BACKUP_ACCESS_KEY_ID}
 AWS_BACKUP_SECRET_ACCESS_KEY=${AWS_BACKUP_SECRET_ACCESS_KEY}
 AWS_BACKUP_BUCKET=${AWS_BACKUP_BUCKET}
 AWS_BACKUP_MULTIPART_CHUNK_SIZE=${AWS_BACKUP_MULTIPART_CHUNK_SIZE}
+AWS_BACKUP_ENCRYPTION=${AWS_BACKUP_ENCRYPTION}
 
 ### GCS BACKUPS
 GCS_BACKUPS=${GCS_BACKUPS:-false}
diff --git a/assets/runtime/functions b/assets/runtime/functions
@@ -791,7 +791,11 @@ gitlab_configure_backups_aws() {
     fi
 
     if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]; then
-      exec_as_git sed -i "/#start-multipart/,/#end-multipart/d" ${GITLAB_CONFIG}
+      exec_as_git sed -i "/#start-multipart-aws/,/#end-multipart-aws/d" ${GITLAB_CONFIG}
+    fi
+
+    if [[ ${AWS_BACKUP_ENCRYPTION} != true ]]; then
+      exec_as_git sed -i "/#start-encryption-aws/,/#end-encryption-aws/d" ${GITLAB_CONFIG}
     fi
 
     if [[ -z ${AWS_BACKUP_REGION} && -z ${AWS_BACKUP_ENDPOINT} ]]; then
