Add option to enable server side encryption for the website bucket (#41)

* Support optional server side encryption configuration via variables * Fix resource name
cn-terraform · Oct 20, 2022 · d77eadd · d77eadd
1 parent 184530d
commit d77eadd
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -24,6 +24,7 @@ Run this command right after cloning the repository.
 For that you may need to install the following tools:
 * [Pre-commit](https://pre-commit.com/) 
 * [Terraform Docs](https://terraform-docs.io/)
+* [tfsec](https://aquasecurity.github.io/tfsec)
 
 In order to run all checks at any point run the following command:
 
@@ -48,7 +49,7 @@ In order to run all checks at any point run the following command:
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_s3_logs_bucket"></a> [s3\_logs\_bucket](#module\_s3\_logs\_bucket) | cn-terraform/logs-s3-bucket/aws | 1.0.2 |
+| <a name="module_s3_logs_bucket"></a> [s3\_logs\_bucket](#module\_s3\_logs\_bucket) | cn-terraform/logs-s3-bucket/aws | 1.0.4 |
 
 ## Resources
 
@@ -68,6 +69,7 @@ In order to run all checks at any point run the following command:
 | [aws_s3_bucket_logging.website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
 | [aws_s3_bucket_policy.website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.website_bucket_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.website_bucket_website_server_side_encryption_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_versioning.website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_s3_bucket_website_configuration.website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
 
@@ -109,6 +111,7 @@ In order to run all checks at any point run the following command:
 | <a name="input_website_domain_name"></a> [website\_domain\_name](#input\_website\_domain\_name) | The domain name to use for the website | `string` | n/a | yes |
 | <a name="input_website_error_document"></a> [website\_error\_document](#input\_website\_error\_document) | (Optional) An absolute path to the document to return in case of a 4XX error. Defaults to 404.html | `string` | `"404.html"` | no |
 | <a name="input_website_index_document"></a> [website\_index\_document](#input\_website\_index\_document) | Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders.  Defaults to index.html | `string` | `"index.html"` | no |
+| <a name="input_website_server_side_encryption_configuration"></a> [website\_server\_side\_encryption\_configuration](#input\_website\_server\_side\_encryption\_configuration) | (Optional) Map containing server-side encryption configuration for the website bucket. Defaults to no encryption. See examples/complete/main.tf for configuration example. | `any` | `{}` | no |
 | <a name="input_website_versioning_mfa_delete"></a> [website\_versioning\_mfa\_delete](#input\_website\_versioning\_mfa\_delete) | (Optional) Specifies whether MFA delete is enabled in the bucket versioning configuration. Valid values: Enabled or Disabled. Defaults to Disabled | `string` | `"Disabled"` | no |
 | <a name="input_website_versioning_status"></a> [website\_versioning\_status](#input\_website\_versioning\_status) | (Optional) The versioning state of the bucket. Valid values: Enabled or Suspended. Defaults to Enabled | `string` | `"Enabled"` | no |
 | <a name="input_www_website_bucket_acl"></a> [www\_website\_bucket\_acl](#input\_www\_website\_bucket\_acl) | (Optional) The canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, and log-delivery-write. Defaults to private. | `string` | `"private"` | no |

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -14,4 +14,12 @@ module "test_website" {
   create_route53_hosted_zone = true
 
   aws_accounts_with_read_view_log_bucket = ["mock_account"]
+
+  website_server_side_encryption_configuration = {
+    rule = {
+      apply_server_side_encryption_by_default = {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
 }
diff --git a/variables.tf b/variables.tf
@@ -106,6 +106,12 @@ variable "website_versioning_mfa_delete" {
   default     = "Disabled"
 }
 
+variable "website_server_side_encryption_configuration" {
+  description = "(Optional) Map containing server-side encryption configuration for the website bucket. Defaults to no encryption. See examples/complete/main.tf for configuration example."
+  type        = any
+  default     = {}
+}
+
 #------------------------------------------------------------------------------
 # WWW Website for redirection to Website
 #------------------------------------------------------------------------------

diff --git a/website.tf b/website.tf
@@ -10,7 +10,7 @@ resource "aws_cloudfront_origin_access_identity" "cf_oai" {
 #------------------------------------------------------------------------------
 # Website S3 Bucket
 #------------------------------------------------------------------------------
-#tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-enable-bucket-encryption tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-logging
+#tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-logging
 resource "aws_s3_bucket" "website" { # tfsec:ignore:AWS017
   provider = aws.main
 
@@ -23,15 +23,6 @@ resource "aws_s3_bucket" "website" { # tfsec:ignore:AWS017
   # TODO - Add replication configuration parameters
   # replication_configuration - (Optional) A configuration of replication configuration.
 
-  # TODO - Review how to add server side encryption
-  # server_side_encryption_configuration {
-  #   rule {
-  #     apply_server_side_encryption_by_default {
-  #       sse_algorithm = "aws:kms"
-  #     }
-  #   }
-  # }
-
   # TODO - Add variables for S3 object locking
   # object_lock_configuration - (Optional) A configuration of S3 object locking
 
@@ -113,6 +104,30 @@ resource "aws_s3_bucket_public_access_block" "website_bucket_public_access_block
   block_public_policy     = true
 }
 
+resource "aws_s3_bucket_server_side_encryption_configuration" "website_bucket_website_server_side_encryption_configuration" {
+  provider = aws.main
+  count    = length(keys(var.website_server_side_encryption_configuration)) > 0 ? 1 : 0
+
+  bucket = aws_s3_bucket.website.id
+
+  dynamic "rule" {
+    for_each = try(flatten([var.website_server_side_encryption_configuration["rule"]]), [])
+
+    content {
+      bucket_key_enabled = try(rule.value.bucket_key_enabled, null)
+
+      dynamic "apply_server_side_encryption_by_default" {
+        for_each = try([rule.value.apply_server_side_encryption_by_default], [])
+
+        content {
+          sse_algorithm     = apply_server_side_encryption_by_default.value.sse_algorithm
+          kms_master_key_id = try(apply_server_side_encryption_by_default.value.kms_master_key_id, null)
+        }
+      }
+    }
+  }
+}
+
 #------------------------------------------------------------------------------
 # Cloudfront for S3 Bucket Website
 #------------------------------------------------------------------------------