feat(cos): [119848799] support SSE-KMS encryption (#2848)

* feat(cos): [119848799] support SSE-KMS encryption

* add doc

* add changelog

* update desc of cdc sse-kms

* update doc

Author: lyu571

.changelog/2848.txt

@@ -0,0 +1,4 @@
+```release-note:enhancement
+resource/tencentcloud_cos_bucket: support SSE-KMS encryption
+```
+

tencentcloud/services/cos/resource_tc_cos_bucket.go

@@ -188,7 +188,12 @@ func ResourceTencentCloudCosBucket() *schema.Resource {
 			"encryption_algorithm": {
 				Type:        schema.TypeString,
 				Optional:    true,
-				Description: "The server-side encryption algorithm to use. Valid value is `AES256`.",
+				Description: "The server-side encryption algorithm to use. Valid values are `AES256`, `KMS` and `cos/kms`, `cos/kms` is for cdc cos scenario.",
+			},
+			"kms_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "The KMS Master Key ID. This value is valid only when `encryption_algorithm` is set to KMS or cos/kms. Set kms id to the specified value. If not specified, the default kms id is used.",
 			},
 			"versioning_enable": {
 				Type:        schema.TypeBool,
@@ -718,13 +723,16 @@ func resourceTencentCloudCosBucketRead(d *schema.ResourceData, meta interface{})
 	}
 
 	// read the encryption algorithm
-	encryption, err := cosService.GetBucketEncryption(ctx, bucket, cdcId)
+	encryption, kmsId, err := cosService.GetBucketEncryption(ctx, bucket, cdcId)
 	if err != nil {
 		return err
 	}
 	if err = d.Set("encryption_algorithm", encryption); err != nil {
 		return fmt.Errorf("setting encryption error: %v", err)
 	}
+	if err = d.Set("kms_id", kmsId); err != nil {
+		return fmt.Errorf("setting kms_id error: %v", err)
+	}
 
 	// read the versioning
 	versioning, err := cosService.GetBucketVersioning(ctx, bucket, cdcId)
@@ -894,12 +902,11 @@ func resourceTencentCloudCosBucketUpdate(d *schema.ResourceData, meta interface{
 
 	}
 
-	if d.HasChange("encryption_algorithm") {
+	if d.HasChange("encryption_algorithm") || d.HasChange("kms_id") {
 		err := resourceTencentCloudCosBucketEncryptionUpdate(ctx, meta, d)
 		if err != nil {
 			return err
 		}
-
 	}
 
 	if d.HasChange("versioning_enable") {
@@ -1005,6 +1012,7 @@ func resourceTencentCloudCosBucketEncryptionUpdate(ctx context.Context, meta int
 
 	bucket := d.Get("bucket").(string)
 	encryption := d.Get("encryption_algorithm").(string)
+	kmsId := d.Get("kms_id").(string)
 	cdcId := d.Get("cdc_id").(string)
 	if encryption == "" {
 		request := s3.DeleteBucketEncryptionInput{
@@ -1029,7 +1037,8 @@ func resourceTencentCloudCosBucketEncryptionUpdate(ctx context.Context, meta int
 	request.ServerSideEncryptionConfiguration = &s3.ServerSideEncryptionConfiguration{}
 	rules := make([]*s3.ServerSideEncryptionRule, 0)
 	defaultRule := &s3.ServerSideEncryptionByDefault{
-		SSEAlgorithm: aws.String(encryption),
+		SSEAlgorithm:   aws.String(encryption),
+		KMSMasterKeyID: aws.String(kmsId),
 	}
 	rule := &s3.ServerSideEncryptionRule{
 		ApplyServerSideEncryptionByDefault: defaultRule,

tencentcloud/services/cos/resource_tc_cos_bucket.md

@@ -35,6 +35,37 @@ resource "tencentcloud_cos_bucket" "private_bucket" {
 }
 ```
 
+Enable SSE-KMS encryption 
+
+```hcl
+data "tencentcloud_user_info" "info" {}
+
+locals {
+  app_id = data.tencentcloud_user_info.info.app_id
+}
+
+resource "tencentcloud_kms_key" "example" {
+  alias                = "tf-example-kms-key"
+  description          = "example of kms key"
+  key_rotation_enabled = false
+  is_enabled           = true
+
+  tags = {
+    "createdBy" = "terraform"
+  }
+}
+
+resource "tencentcloud_cos_bucket" "bucket_basic" {
+  bucket               = "tf-bucket-cdc-${local.app_id}"
+  acl                  = "private"
+  encryption_algorithm = "KMS" #cos/kms for cdc cos
+  kms_id               = tencentcloud_kms_key.example.id
+  versioning_enable    = true
+  acceleration_enable  = true
+  force_clean          = true
+}
+```
+
 Creation of multiple available zone bucket
 
 ```hcl

tencentcloud/services/cos/service_tencentcloud_cos.go

@@ -732,7 +732,7 @@ func (me *CosService) GetBucketWebsite(ctx context.Context, bucket string, cdcId
 	return
 }
 
-func (me *CosService) GetBucketEncryption(ctx context.Context, bucket string, cdcId string) (encryption string, errRet error) {
+func (me *CosService) GetBucketEncryption(ctx context.Context, bucket string, cdcId string) (encryption string, kmsId string, errRet error) {
 	logId := tccommon.GetLogId(ctx)
 
 	request := s3.GetBucketEncryptionInput{
@@ -757,6 +757,10 @@ func (me *CosService) GetBucketEncryption(ctx context.Context, bucket string, cd
 
 	if len(response.ServerSideEncryptionConfiguration.Rules) > 0 {
 		encryption = *response.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm
+		kMSMasterKeyID := response.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.KMSMasterKeyID
+		if kMSMasterKeyID != nil {
+			kmsId = *kMSMasterKeyID
+		}
 	}
 	return
 }

website/docs/r/cos_bucket.html.markdown

@@ -46,6 +46,37 @@ resource "tencentcloud_cos_bucket" "private_bucket" {
 }
 ```
 
+### Enable SSE-KMS encryption
+
+```hcl
+data "tencentcloud_user_info" "info" {}
+
+locals {
+  app_id = data.tencentcloud_user_info.info.app_id
+}
+
+resource "tencentcloud_kms_key" "example" {
+  alias                = "tf-example-kms-key"
+  description          = "example of kms key"
+  key_rotation_enabled = false
+  is_enabled           = true
+
+  tags = {
+    "createdBy" = "terraform"
+  }
+}
+
+resource "tencentcloud_cos_bucket" "bucket_basic" {
+  bucket               = "tf-bucket-cdc-${local.app_id}"
+  acl                  = "private"
+  encryption_algorithm = "KMS" #cos/kms for cdc cos
+  kms_id               = tencentcloud_kms_key.example.id
+  versioning_enable    = true
+  acceleration_enable  = true
+  force_clean          = true
+}
+```
+
 ### Creation of multiple available zone bucket
 
 ```hcl
@@ -305,10 +336,11 @@ The following arguments are supported:
 * `cdc_id` - (Optional, String, ForceNew) CDC cluster ID.
 * `cors_rules` - (Optional, List) A rule of Cross-Origin Resource Sharing (documented below).
 * `enable_intelligent_tiering` - (Optional, Bool) Enable intelligent tiering. NOTE: When intelligent tiering configuration is enabled, it cannot be turned off or modified.
-* `encryption_algorithm` - (Optional, String) The server-side encryption algorithm to use. Valid value is `AES256`.
+* `encryption_algorithm` - (Optional, String) The server-side encryption algorithm to use. Valid values are `AES256`, `KMS` and `cos/kms`, `cos/kms` is for cdc cos scenario.
 * `force_clean` - (Optional, Bool) Force cleanup all objects before delete bucket.
 * `intelligent_tiering_days` - (Optional, Int) Specifies the limit of days for standard-tier data to low-frequency data in an intelligent tiered storage configuration, with optional days of 30, 60, 90. Default value is 30.
 * `intelligent_tiering_request_frequent` - (Optional, Int) Specify the access limit for converting standard layer data into low-frequency layer data in the configuration. The default value is once, which can be used in combination with the number of days to achieve the conversion effect. For example, if the parameter is set to 1 and the number of access days is 30, it means that objects with less than one visit in 30 consecutive days will be reduced from the standard layer to the low frequency layer.
+* `kms_id` - (Optional, String) The KMS Master Key ID. This value is valid only when `encryption_algorithm` is set to KMS or cos/kms. Set kms id to the specified value. If not specified, the default kms id is used.
 * `lifecycle_rules` - (Optional, List) A configuration of object lifecycle management (documented below).
 * `log_enable` - (Optional, Bool) Indicate the access log of this bucket to be saved or not. Default is `false`. If set `true`, the access log will be saved with `log_target_bucket`. To enable log, the full access of log service must be granted. [Full Access Role Policy](https://intl.cloud.tencent.com/document/product/436/16920).
 * `log_prefix` - (Optional, String) The prefix log name which saves the access log of this bucket per 5 minutes. Eg. `MyLogPrefix/`. The log access file format is `log_target_bucket`/`log_prefix`{YYYY}/{MM}/{DD}/{time}_{random}_{index}.gz. Only valid when `log_enable` is `true`.