
Commit 24a78af

feat(cos): [119848799] support SSE-KMS encryption (#2848)
* feat(cos): [119848799] support SSE-KMS encryption * add doc * add changelog * update desc of cdc sse-kms * update doc
1 parent e697d65 commit 24a78af

5 files changed

+87
-7
lines changed

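--- a/.changelog/2848.txt
+++ b/.changelog/2848.txt
@@ -0,0 +1,4 @@
+```release-note:enhancement
+resource/tencentcloud_cos_bucket: support SSE-KMS encryption
+```
+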

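--- a/tencentcloud/services/cos/resource_tc_cos_bucket.go
+++ b/tencentcloud/services/cos/resource_tc_cos_bucket.go
@@ -188,7 +188,12 @@ func ResourceTencentCloudCosBucket() *schema.Resource {
 "encryption_algorithm": {
 Type: schema.TypeString,
 Optional: true,
-Description: "The server-side encryption algorithm to use. Valid value is `AES256`.",
+Description: "The server-side encryption algorithm to use. Valid values are `AES256`, `KMS` and `cos/kms`, `cos/kms` is for cdc cos scenario.",
+},
+"kms_id": {
+Type: schema.TypeString,
+Optional: true,
+Description: "The KMS Master Key ID. This value is valid only when `encryption_algorithm` is set to KMS or cos/kms. Set kms id to the specified value. If not specified, the default kms id is used.",
 },
 "versioning_enable": {
 Type: schema.TypeBool,
@@ -718,13 +723,16 @@ func resourceTencentCloudCosBucketRead(d *schema.ResourceData, meta interface{})
 }
 
 // read the encryption algorithm
-encryption, err := cosService.GetBucketEncryption(ctx, bucket, cdcId)
+encryption, kmsId, err := cosService.GetBucketEncryption(ctx, bucket, cdcId)
 if err != nil {
 return err
 }
 if err = d.Set("encryption_algorithm", encryption); err != nil {
 return fmt.Errorf("setting encryption error: %v", err)
 }
+if err = d.Set("kms_id", kmsId); err != nil {
+return fmt.Errorf("setting kms_id error: %v", err)
+}
 
 // read the versioning
 versioning, err := cosService.GetBucketVersioning(ctx, bucket, cdcId)
@@ -894,12 +902,11 @@ func resourceTencentCloudCosBucketUpdate(d *schema.ResourceData, meta interface{
 
 }
 
-if d.HasChange("encryption_algorithm") {
+if d.HasChange("encryption_algorithm") || d.HasChange("kms_id") {
 err := resourceTencentCloudCosBucketEncryptionUpdate(ctx, meta, d)
 if err != nil {
 return err
 }
-
 }
 
 if d.HasChange("versioning_enable") {
@@ -1005,6 +1012,7 @@ func resourceTencentCloudCosBucketEncryptionUpdate(ctx context.Context, meta int
 
 bucket := d.Get("bucket").(string)
 encryption := d.Get("encryption_algorithm").(string)
+kmsId := d.Get("kms_id").(string)
 cdcId := d.Get("cdc_id").(string)
 if encryption == "" {
 request := s3.DeleteBucketEncryptionInput{
@@ -1029,7 +1037,8 @@ func resourceTencentCloudCosBucketEncryptionUpdate(ctx context.Context, meta int
 request.ServerSideEncryptionConfiguration = &s3.ServerSideEncryptionConfiguration{}
 rules := make([]*s3.ServerSideEncryptionRule, 0)
 defaultRule := &s3.ServerSideEncryptionByDefault{
-SSEAlgorithm: aws.String(encryption),
+SSEAlgorithm: aws.String(encryption),
+KMSMasterKeyID: aws.String(kmsId),
 }
 rule := &s3.ServerSideEncryptionRule{
 ApplyServerSideEncryptionByDefault: defaultRule,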
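Review bot: In the last hunk of resourceTencentCloudCosBucketEncryptionUpdate, `KMSMasterKeyID: aws.String(kmsId)` is populated even when `kms_id` is unset, so an `AES256` rule is sent with an empty `<KMSMasterKeyID>` element; the field should only be set when a key was given, `if kmsId != "" { defaultRule.KMSMasterKeyID = aws.String(kmsId) }` after the struct literal instead of inside it. The schema hunk documents that `kms_id` only applies to `KMS`/`cos/kms` but nothing enforces that pairing, and `encryption_algorithm` still has no ValidateFunc for the three listed values, so a typo is only caught by the API. On the read side, if the service reports the default key id when none was configured (the description says a default is used), `d.Set("kms_id", kmsId)` would produce a permanent plan diff for users who leave `kms_id` empty, which is worth covering with an acceptance test. All three functions start and end outside their hunks.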

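--- a/tencentcloud/services/cos/resource_tc_cos_bucket.md
+++ b/tencentcloud/services/cos/resource_tc_cos_bucket.md
@@ -35,6 +35,37 @@ resource "tencentcloud_cos_bucket" "private_bucket" {
 }
 ```
 
+Enable SSE-KMS encryption
+
+```hcl
+data "tencentcloud_user_info" "info" {}
+
+locals {
+app_id = data.tencentcloud_user_info.info.app_id
+}
+
+resource "tencentcloud_kms_key" "example" {
+alias = "tf-example-kms-key"
+description = "example of kms key"
+key_rotation_enabled = false
+is_enabled = true
+
+tags = {
+"createdBy" = "terraform"
+}
+}
+
+resource "tencentcloud_cos_bucket" "bucket_basic" {
+bucket = "tf-bucket-cdc-${local.app_id}"
+acl = "private"
+encryption_algorithm = "KMS" #cos/kms for cdc cos
+kms_id = tencentcloud_kms_key.example.id
+versioning_enable = true
+acceleration_enable = true
+force_clean = true
+}
+```
+
 Creation of multiple available zone bucket
 
 ```hcl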

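--- a/tencentcloud/services/cos/service_tencentcloud_cos.go
+++ b/tencentcloud/services/cos/service_tencentcloud_cos.go
@@ -732,7 +732,7 @@ func (me *CosService) GetBucketWebsite(ctx context.Context, bucket string, cdcId
 return
 }
 
-func (me *CosService) GetBucketEncryption(ctx context.Context, bucket string, cdcId string) (encryption string, errRet error) {
+func (me *CosService) GetBucketEncryption(ctx context.Context, bucket string, cdcId string) (encryption string, kmsId string, errRet error) {
 logId := tccommon.GetLogId(ctx)
 
 request := s3.GetBucketEncryptionInput{
@@ -757,6 +757,10 @@ func (me *CosService) GetBucketEncryption(ctx context.Context, bucket string, cd
 
 if len(response.ServerSideEncryptionConfiguration.Rules) > 0 {
 encryption = *response.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm
+kMSMasterKeyID := response.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.KMSMasterKeyID
+if kMSMasterKeyID != nil {
+kmsId = *kMSMasterKeyID
+}
 }
 return
 }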
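Review bot: The local `kMSMasterKeyID` in the second hunk breaks Go's initialism convention and reads like a typo; `keyID := ...` would do. That line also dereferences `Rules[0].ApplyServerSideEncryptionByDefault` a second time without a nil check, exactly like the pre-existing `SSEAlgorithm` line above it, so pulling the rule into one local, `byDefault := response.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault`, and guarding `byDefault != nil` once would cover both dereferences and the new key lookup. The added named return `kmsId` is undocumented; a doc comment on the signature such as `// GetBucketEncryption returns the bucket's default SSE algorithm and, for KMS rules, the configured KMS master key id (empty when none is reported).` would tell callers what an empty value means. GetBucketEncryption's body continues between the two hunks.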

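--- a/website/docs/r/cos_bucket.html.markdown
+++ b/website/docs/r/cos_bucket.html.markdown
@@ -46,6 +46,37 @@ resource "tencentcloud_cos_bucket" "private_bucket" {
 }
 ```
 
+### Enable SSE-KMS encryption
+
+```hcl
+data "tencentcloud_user_info" "info" {}
+
+locals {
+app_id = data.tencentcloud_user_info.info.app_id
+}
+
+resource "tencentcloud_kms_key" "example" {
+alias = "tf-example-kms-key"
+description = "example of kms key"
+key_rotation_enabled = false
+is_enabled = true
+
+tags = {
+"createdBy" = "terraform"
+}
+}
+
+resource "tencentcloud_cos_bucket" "bucket_basic" {
+bucket = "tf-bucket-cdc-${local.app_id}"
+acl = "private"
+encryption_algorithm = "KMS" #cos/kms for cdc cos
+kms_id = tencentcloud_kms_key.example.id
+versioning_enable = true
+acceleration_enable = true
+force_clean = true
+}
+```
+
 ### Creation of multiple available zone bucket
 
 ```hcl
@@ -305,10 +336,11 @@ The following arguments are supported:
 * `cdc_id` - (Optional, String, ForceNew) CDC cluster ID.
 * `cors_rules` - (Optional, List) A rule of Cross-Origin Resource Sharing (documented below).
 * `enable_intelligent_tiering` - (Optional, Bool) Enable intelligent tiering. NOTE: When intelligent tiering configuration is enabled, it cannot be turned off or modified.
-* `encryption_algorithm` - (Optional, String) The server-side encryption algorithm to use. Valid value is `AES256`.
+* `encryption_algorithm` - (Optional, String) The server-side encryption algorithm to use. Valid values are `AES256`, `KMS` and `cos/kms`, `cos/kms` is for cdc cos scenario.
 * `force_clean` - (Optional, Bool) Force cleanup all objects before delete bucket.
 * `intelligent_tiering_days` - (Optional, Int) Specifies the limit of days for standard-tier data to low-frequency data in an intelligent tiered storage configuration, with optional days of 30, 60, 90. Default value is 30.
 * `intelligent_tiering_request_frequent` - (Optional, Int) Specify the access limit for converting standard layer data into low-frequency layer data in the configuration. The default value is once, which can be used in combination with the number of days to achieve the conversion effect. For example, if the parameter is set to 1 and the number of access days is 30, it means that objects with less than one visit in 30 consecutive days will be reduced from the standard layer to the low frequency layer.
+* `kms_id` - (Optional, String) The KMS Master Key ID. This value is valid only when `encryption_algorithm` is set to KMS or cos/kms. Set kms id to the specified value. If not specified, the default kms id is used.
 * `lifecycle_rules` - (Optional, List) A configuration of object lifecycle management (documented below).
 * `log_enable` - (Optional, Bool) Indicate the access log of this bucket to be saved or not. Default is `false`. If set `true`, the access log will be saved with `log_target_bucket`. To enable log, the full access of log service must be granted. [Full Access Role Policy](https://intl.cloud.tencent.com/document/product/436/16920).
 * `log_prefix` - (Optional, String) The prefix log name which saves the access log of this bucket per 5 minutes. Eg. `MyLogPrefix/`. The log access file format is `log_target_bucket`/`log_prefix`{YYYY}/{MM}/{DD}/{time}_{random}_{index}.gz. Only valid when `log_enable` is `true`.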
