Allow conditionally using KMS for tfvars bucket (#27)

* This allows using AES256 encryption for the tfvars bucket, rather than creating and using a KMS key. Defaults to using the KMS key.
dxw · Oct 18, 2023 · 273d629 · 273d629
1 parent 3a23110
commit 273d629
Show file tree

Hide file tree

Showing 6 changed files with 47 additions and 6 deletions.
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/README.md b/README.md
@@ -78,6 +78,7 @@ locals {
 | <a name="input_logging_bucket_retention"></a> [logging\_bucket\_retention](#input\_logging\_bucket\_retention) | Logging bucket retention in days. Set to 0 to keep all logs. | `number` | `30` | no |
 | <a name="input_project_name"></a> [project\_name](#input\_project\_name) | Project name to be used as a prefix for all resources | `string` | n/a | yes |
 | <a name="input_tfvars_files"></a> [tfvars\_files](#input\_tfvars\_files) | Map of objects containing tfvar file paths | <pre>map(<br>    object({<br>      path = string<br>      key  = optional(string, "")<br>      }<br>  ))</pre> | `{}` | no |
+| <a name="input_tfvars_kms_encryption"></a> [tfvars\_kms\_encryption](#input\_tfvars\_kms\_encryption) | Use KMS rather than AES256 encryption for the tfvars bucket | `bool` | `true` | no |
 | <a name="input_tfvars_restrict_access_user_ids"></a> [tfvars\_restrict\_access\_user\_ids](#input\_tfvars\_restrict\_access\_user\_ids) | List of AWS User IDs that require access to the tfvars S3 bucket. If left empty, all users within the AWS account will have access | `list(string)` | `[]` | no |
 
 ## Outputs

diff --git a/locals.tf b/locals.tf
@@ -4,5 +4,6 @@ locals {
   enable_logs_bucket              = var.enable_s3_bucket_logging
   logging_bucket_retention        = var.logging_bucket_retention
   tfvars_files                    = var.tfvars_files
+  tfvars_kms_encryption           = var.tfvars_kms_encryption
   tfvars_restrict_access_user_ids = var.tfvars_restrict_access_user_ids
 }
diff --git a/s3-tfvars-files.tf b/s3-tfvars-files.tf
@@ -4,5 +4,5 @@ resource "aws_s3_object" "tfvar_file" {
   bucket     = aws_s3_bucket.tfvars.id
   key        = each.value["key"] == "" ? each.value["path"] : each.value["key"]
   source     = each.value["path"]
-  kms_key_id = aws_kms_key.tfvars.arn
+  kms_key_id = local.tfvars_kms_encryption ? aws_kms_key.tfvars[0].arn : null
 }
diff --git a/s3-tfvars.tf b/s3-tfvars.tf
@@ -46,23 +46,41 @@ resource "aws_s3_bucket_logging" "tfvars" {
 }
 
 resource "aws_kms_key" "tfvars" {
+  count = local.tfvars_kms_encryption ? 1 : 0
+
   description             = "This key is used to encrypt bucket objects in ${aws_s3_bucket.tfvars.id}"
   deletion_window_in_days = 10
   enable_key_rotation     = true
 }
 
 resource "aws_kms_alias" "tfvars" {
+  count = local.tfvars_kms_encryption ? 1 : 0
+
   name          = "alias/${local.project_name}-tfvars"
-  target_key_id = aws_kms_key.tfvars.key_id
+  target_key_id = aws_kms_key.tfvars[0].key_id
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "tfvars" {
+  count = local.tfvars_kms_encryption ? 1 : 0
+
   bucket = aws_s3_bucket.tfvars.id
 
-  rule {
-    apply_server_side_encryption_by_default {
-      kms_master_key_id = aws_kms_key.tfvars.arn
-      sse_algorithm     = "aws:kms"
+  dynamic "rule" {
+    for_each = local.tfvars_kms_encryption ? [1] : []
+    content {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = aws_kms_key.tfvars.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+
+  dynamic "rule" {
+    for_each = local.tfvars_kms_encryption ? [] : [1]
+    content {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "AES256"
+      }
     }
   }
 }
diff --git a/variables.tf b/variables.tf
@@ -31,3 +31,9 @@ variable "tfvars_restrict_access_user_ids" {
   type        = list(string)
   default     = []
 }
+
+variable "tfvars_kms_encryption" {
+  description = "Use KMS rather than AES256 encryption for the tfvars bucket"
+  type        = bool
+  default     = true
+}