provider/aws: Support KMS encryption of S3 objects #5453
Conversation
…that are put into a bucket.
bigkraig
changed the title
bigkraig
changed the title
| Type: schema.TypeString, | ||
| Optional: true, | ||
| }, | ||
|
|
||
| "etag": &schema.Schema{ | ||
| Type: schema.TypeString, | ||
| // This will conflict with SSE-C and SSE-KMS encryption and multi-part upload |
There was a problem hiding this comment.
Since we cannot use ValidateFunc to guard against this (until #4348 is finished/merged), I think we'll have to add some conditionals into Create and Update.
Essentially we want to prevent the user from specifying etag when they specified kms_key_id, because there's no way they can calculate that (unless they know how AWS encrypts the data via KMS).
It would be great if we could also somehow prevent them from using the calculated value, as that's useless too, but I'm not quite sure how to approach that. It actually may be useful for at least knowing that object has changed.
There was a problem hiding this comment.
Is ConflictsWith sufficient to express this?
There was a problem hiding this comment.
Correct me if I'm wrong but AFAIK it cannot be used with Computed fields as it would always be conflicting.
There was a problem hiding this comment.
Oooooh you're right - I had forgotten!
Okay so we have to fall back to docs or checks within Create/Update like you said.
There was a problem hiding this comment.
I got that covered in the next few lines. Is this ready to roll?
Sent from my iPhone
On Mar 10, 2016, at 1:27 PM, Paul Hinze [email protected] wrote:
In builtin/providers/aws/resource_aws_s3_bucket_object.go:
@@ -74,6 +75,11 @@ func resourceAwsS3BucketObject() *schema.Resource {
ConflictsWith: []string{"source"},
},
"kms_key_id": &schema.Schema{Type: schema.TypeString,Optional: true,},Oooooh you're right - I had forgotten!
"etag": &schema.Schema{ Type: schema.TypeString, // This will conflict with SSE-C and SSE-KMS encryption and multi-part uploadOkay so we have to fall back to docs or checks within Create/Update like you said.
—
Reply to this email directly or view it on GitHub.
There was a problem hiding this comment.
Oh great! Sorry I missed that. Yep this looks good. Merging now!
radeksimko
added
the
waiting-response
…vided and now with ServerSideEncryption we can go back to the higher level PutObject.
| return fmt.Errorf("Unable to specify kms_key_id and etag on the same object") | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
@radeksimko Does this suffice for the parameter conflict?
There was a problem hiding this comment.
I'd try improving the message for the user, so they also understand why.
e.g. Unable to specify 'kms_key_id' and 'etag' together because 'etag' wouldn't equal MD5 digest of the raw object data
…and etag as well as using aws_kms_key to test aws_s3_bucket's kms_key_id.
|
@radeksimko @phinze I think this is good to go now, the test failed in some unrelated section and I don't think I can trigger a rebuild |
|
Hi @bigkraig one last Q about |
|
Great work @bigkraig! 👍 |
provider/aws: Support KMS encryption of S3 objects
radeksimko
removed
the
waiting-response
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
I've added a kms_key_id parameter to aws_s3_bucket_object that will allow you to encrypt objects placed into a bucket.