Merge pull request #2903 from kjmkznr/remote-s3-sse-kms

state/remote/s3: Allows KMS Key Encryption setting when using S3 backend with encrypt
2016-01-19 18:54:03 -06:00 · 2016-01-19 18:54:03 -06:00 · ba21769083
parent 902096034c 9186c29dd8
commit ba21769083
1 changed files with 9 additions and 1 deletions
--- a/state/remote/s3.go
+++ b/state/remote/s3.go
@ -58,6 +58,7 @@ func s3Factory(conf map[string]string) (Client, error) {
 	if raw, ok := conf["acl"]; ok {
 		acl = raw
 	}
+	kmsKeyID := conf["kms_key_id"]

 	accessKeyId := conf["access_key"]
 	secretAccessKey := conf["secret_key"]
@ -95,6 +96,7 @@ func s3Factory(conf map[string]string) (Client, error) {
 		keyName:              keyName,
 		serverSideEncryption: serverSideEncryption,
 		acl:                  acl,
+		kmsKeyID:             kmsKeyID,
 	}, nil
 }

@ -104,6 +106,7 @@ type S3Client struct {
 	keyName              string
 	serverSideEncryption bool
 	acl                  string
+	kmsKeyID             string
 }

 func (c *S3Client) Get() (*Payload, error) {
@ -156,7 +159,12 @@ func (c *S3Client) Put(data []byte) error {
 	}

 	if c.serverSideEncryption {
-		i.ServerSideEncryption = aws.String("AES256")
+		if c.kmsKeyID != "" {
+			i.SSEKMSKeyId = &c.kmsKeyID
+			i.ServerSideEncryption = aws.String("aws:kms")
+		} else {
+			i.ServerSideEncryption = aws.String("AES256")
+		}
 	}

 	if c.acl != "" {