Add possibility to define custo kms key for server side encryption (#68)

* Add possibility to define custo kms key for server side encryption * update readme * Executed 'terraform fmt' * add fix Co-authored-by: actions-bot <[email protected]>
cloudposse · Nov 2, 2020 · 61fe5cf · 61fe5cf
1 parent 622ce1e
commit 61fe5cf
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 10 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -12,3 +12,6 @@
 
 # Cloud Posse must review any changes to GitHub actions
 .github/*     @cloudposse/engineering
+
+# Cloud Posse must review any changes to standard context definition
+**/context.tf   @cloudposse/engineering
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
@@ -3,17 +3,17 @@ name: auto-release
 on:
   push:
     branches:
-      - master
+    - master
 
 jobs:
   semver:
     runs-on: ubuntu-latest
     steps:
-      # Drafts your next Release notes as Pull Requests are merged into "master"
-      - uses: release-drafter/release-drafter@v5
-        with:
-          publish: true
-          prerelease: false
-          config-name: auto-release.yml
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    # Drafts your next Release notes as Pull Requests are merged into "master"
+    - uses: release-drafter/release-drafter@v5
+      with:
+        publish: true
+        prerelease: false
+        config-name: auto-release.yml
+      env:
+        GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
diff --git a/README.md b/README.md
@@ -244,6 +244,7 @@ Available targets:
 | range\_key | DynamoDB table Range Key | `string` | `""` | no |
 | range\_key\_type | Range Key type, which must be a scalar type: `S`, `N`, or `B` for (S)tring, (N)umber or (B)inary data | `string` | `"S"` | no |
 | regex\_replace\_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`. By default only hyphens, letters and digits are allowed, all other chars are removed | `string` | `"/[^a-zA-Z0-9-]/"` | no |
+| server\_side\_encryption\_kms\_key\_arn | The ARN of the CMK that should be used for the AWS KMS encryption. This attribute should only be specified if the key is different from the default DynamoDB CMK, alias/aws/dynamodb. | `string` | `null` | no |
 | stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `""` | no |
 | stream\_view\_type | When an item in the table is modified, what information is written to the stream | `string` | `""` | no |
 | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -45,6 +45,7 @@
 | range\_key | DynamoDB table Range Key | `string` | `""` | no |
 | range\_key\_type | Range Key type, which must be a scalar type: `S`, `N`, or `B` for (S)tring, (N)umber or (B)inary data | `string` | `"S"` | no |
 | regex\_replace\_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`. By default only hyphens, letters and digits are allowed, all other chars are removed | `string` | `"/[^a-zA-Z0-9-]/"` | no |
+| server\_side\_encryption\_kms\_key\_arn | The ARN of the CMK that should be used for the AWS KMS encryption. This attribute should only be specified if the key is different from the default DynamoDB CMK, alias/aws/dynamodb. | `string` | `null` | no |
 | stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `""` | no |
 | stream\_view\_type | When an item in the table is modified, what information is written to the stream | `string` | `""` | no |
 | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |

diff --git a/main.tf b/main.tf
@@ -66,7 +66,8 @@ resource "aws_dynamodb_table" "default" {
   stream_view_type = var.enable_streams ? var.stream_view_type : ""
 
   server_side_encryption {
-    enabled = var.enable_encryption
+    enabled     = var.enable_encryption
+    kms_key_arn = var.server_side_encryption_kms_key_arn
   }
 
   point_in_time_recovery {

diff --git a/variables.tf b/variables.tf
@@ -106,6 +106,12 @@ variable "enable_encryption" {
   description = "Enable DynamoDB server-side encryption"
 }
 
+variable "server_side_encryption_kms_key_arn" {
+  type        = string
+  default     = null
+  description = "The ARN of the CMK that should be used for the AWS KMS encryption. This attribute should only be specified if the key is different from the default DynamoDB CMK, alias/aws/dynamodb."
+}
+
 variable "enable_point_in_time_recovery" {
   type        = bool
   default     = true