feat(cos): [119848799] support SSE-KMS encryption

lyu571 · lyu571 · commit 568447db1e6b · 2024-09-26T12:13:45.000+08:00
diff --git a/tencentcloud/services/cos/resource_tc_cos_bucket.go b/tencentcloud/services/cos/resource_tc_cos_bucket.go
@@ -188,7 +188,12 @@ func ResourceTencentCloudCosBucket() *schema.Resource {
 			"encryption_algorithm": {
 				Type:        schema.TypeString,
 				Optional:    true,
-				Description: "The server-side encryption algorithm to use. Valid value is `AES256`.",
+				Description: "The server-side encryption algorithm to use. Valid value is `AES256` or `KMS`.",
+			},
+			"kms_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "The KMS Master Key ID. When `encryption_algorithm` is set to `KMS`, please provide it.",
 			},
 			"versioning_enable": {
 				Type:        schema.TypeBool,
@@ -718,13 +723,16 @@ func resourceTencentCloudCosBucketRead(d *schema.ResourceData, meta interface{})
 	}
 
 	// read the encryption algorithm
-	encryption, err := cosService.GetBucketEncryption(ctx, bucket, cdcId)
+	encryption, kmsId, err := cosService.GetBucketEncryption(ctx, bucket, cdcId)
 	if err != nil {
 		return err
 	}
 	if err = d.Set("encryption_algorithm", encryption); err != nil {
 		return fmt.Errorf("setting encryption error: %v", err)
 	}
+	if err = d.Set("kms_id", kmsId); err != nil {
+		return fmt.Errorf("setting kms_id error: %v", err)
+	}
 
 	// read the versioning
 	versioning, err := cosService.GetBucketVersioning(ctx, bucket, cdcId)
@@ -894,12 +902,11 @@ func resourceTencentCloudCosBucketUpdate(d *schema.ResourceData, meta interface{
 
 	}
 
-	if d.HasChange("encryption_algorithm") {
+	if d.HasChange("encryption_algorithm") || d.HasChange("kms_id") {
 		err := resourceTencentCloudCosBucketEncryptionUpdate(ctx, meta, d)
 		if err != nil {
 			return err
 		}
-
 	}
 
 	if d.HasChange("versioning_enable") {
@@ -1005,6 +1012,7 @@ func resourceTencentCloudCosBucketEncryptionUpdate(ctx context.Context, meta int
 
 	bucket := d.Get("bucket").(string)
 	encryption := d.Get("encryption_algorithm").(string)
+	kmsId := d.Get("kms_id").(string)
 	cdcId := d.Get("cdc_id").(string)
 	if encryption == "" {
 		request := s3.DeleteBucketEncryptionInput{
@@ -1029,7 +1037,8 @@ func resourceTencentCloudCosBucketEncryptionUpdate(ctx context.Context, meta int
 	request.ServerSideEncryptionConfiguration = &s3.ServerSideEncryptionConfiguration{}
 	rules := make([]*s3.ServerSideEncryptionRule, 0)
 	defaultRule := &s3.ServerSideEncryptionByDefault{
-		SSEAlgorithm: aws.String(encryption),
+		SSEAlgorithm:   aws.String(encryption),
+		KMSMasterKeyID: aws.String(kmsId),
 	}
 	rule := &s3.ServerSideEncryptionRule{
 		ApplyServerSideEncryptionByDefault: defaultRule,
diff --git a/tencentcloud/services/cos/resource_tc_cos_bucket.md b/tencentcloud/services/cos/resource_tc_cos_bucket.md
@@ -35,6 +35,37 @@ resource "tencentcloud_cos_bucket" "private_bucket" {
 }
 ```
 
+Enable SSE-KMS encryption 
+
+```hcl
+data "tencentcloud_user_info" "info" {}
+
+locals {
+  app_id = data.tencentcloud_user_info.info.app_id
+}
+
+resource "tencentcloud_kms_key" "example" {
+  alias                = "tf-example-kms-key"
+  description          = "example of kms key"
+  key_rotation_enabled = false
+  is_enabled           = true
+
+  tags = {
+    "createdBy" = "terraform"
+  }
+}
+
+resource "tencentcloud_cos_bucket" "bucket_basic" {
+  bucket               = "tf-bucket-cdc-${local.app_id}"
+  acl                  = "private"
+  encryption_algorithm = "KMS"
+  kms_id               = tencentcloud_kms_key.example.id
+  versioning_enable    = true
+  acceleration_enable  = true
+  force_clean          = true
+}
+```
+
 Creation of multiple available zone bucket
 
 ```hcl
diff --git a/tencentcloud/services/cos/service_tencentcloud_cos.go b/tencentcloud/services/cos/service_tencentcloud_cos.go
@@ -732,7 +732,7 @@ func (me *CosService) GetBucketWebsite(ctx context.Context, bucket string, cdcId
 	return
 }
 
-func (me *CosService) GetBucketEncryption(ctx context.Context, bucket string, cdcId string) (encryption string, errRet error) {
+func (me *CosService) GetBucketEncryption(ctx context.Context, bucket string, cdcId string) (encryption string, kmsId string, errRet error) {
 	logId := tccommon.GetLogId(ctx)
 
 	request := s3.GetBucketEncryptionInput{
@@ -757,6 +757,10 @@ func (me *CosService) GetBucketEncryption(ctx context.Context, bucket string, cd
 
 	if len(response.ServerSideEncryptionConfiguration.Rules) > 0 {
 		encryption = *response.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm
+		kMSMasterKeyID := response.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.KMSMasterKeyID
+		if kMSMasterKeyID != nil {
+			kmsId = *kMSMasterKeyID
+		}
 	}
 	return
 }

Original file line number	Diff line number	Diff line change
`@@ -732,7 +732,7 @@ func (me *CosService) GetBucketWebsite(ctx context.Context, bucket string, cdcId`
`732`	`732`	`return`
`733`	`733`	`}`
`734`	`734`
`735`		`-func (me *CosService) GetBucketEncryption(ctx context.Context, bucket string, cdcId string) (encryption string, errRet error) {`
	`735`	`+func (me *CosService) GetBucketEncryption(ctx context.Context, bucket string, cdcId string) (encryption string, kmsId string, errRet error) {`
`736`	`736`	`logId := tccommon.GetLogId(ctx)`
`737`	`737`
`738`	`738`	`request := s3.GetBucketEncryptionInput{`
`@@ -757,6 +757,10 @@ func (me *CosService) GetBucketEncryption(ctx context.Context, bucket string, cd`
`757`	`757`
`758`	`758`	`if len(response.ServerSideEncryptionConfiguration.Rules) > 0 {`
`759`	`759`	`encryption = *response.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm`
	`760`	`+ kMSMasterKeyID := response.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.KMSMasterKeyID`
	`761`	`+ if kMSMasterKeyID != nil {`
	`762`	`+ kmsId = *kMSMasterKeyID`
	`763`	`+ }`
`760`	`764`	`}`
`761`	`765`	`return`
`762`	`766`	`}`