[feature] Allow conditionally disable the encryption configuration

StratusGrid · Feb 22, 2024 · b4263c0 · b4263c0
1 parent 770f3b6
commit b4263c0
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 1 deletion.
diff --git a/.config/.terraform-docs.yml b/.config/.terraform-docs.yml
@@ -40,7 +40,7 @@ content: |-
   {{ include "examples/regional-deployment/example2.tfnot" }}
   ```
 
-   ---
+  ---
 
   {{ .Requirements }}
 

diff --git a/README.md b/README.md
@@ -146,6 +146,7 @@ module "iam_role_s3" {
 |------|-------------|------|---------|:--------:|
 | <a name="input_days_to_object_expiration"></a> [days\_to\_object\_expiration](#input\_days\_to\_object\_expiration) | Number of days before expiring data completely | `string` | `"2557"` | no |
 | <a name="input_enable_centralized_logging"></a> [enable\_centralized\_logging](#input\_enable\_centralized\_logging) | Enable support for centralized logging to a centralized logging account | `bool` | `false` | no |
+| <a name="input_enable_encryption"></a> [enable\_encryption](#input\_enable\_encryption) | Allows disable the the bucket encryption configuration | `bool` | `true` | no |
 | <a name="input_enable_object_expiration"></a> [enable\_object\_expiration](#input\_enable\_object\_expiration) | Number of days before expiring data completely | `bool` | `false` | no |
 | <a name="input_iam_role_s3_replication_arn"></a> [iam\_role\_s3\_replication\_arn](#input\_iam\_role\_s3\_replication\_arn) | IAM Role that enable S3 Role Assumption for Centralized Logging | `string` | `""` | no |
 | <a name="input_input_tags"></a> [input\_tags](#input\_input\_tags) | Map of tags to apply to resources | `map(string)` | `{}` | no |

diff --git a/inputs.tf b/inputs.tf
@@ -79,4 +79,10 @@ variable "replication_dest_storage_class" {
   description = "The storage class to send replicated objects (https://docs.aws.amazon.com/AmazonS3/latest/API/API_Transition.html#AmazonS3-Type-Transition-StorageClass)"
   type        = string
   default     = "STANDARD_IA"
+}
+
+variable "enable_encryption" {
+  description = "Allows disable the the bucket encryption configuration"
+  type        = bool
+  default     = true
 }
diff --git a/main.tf b/main.tf
@@ -208,6 +208,8 @@ resource "aws_s3_bucket_lifecycle_configuration" "bucket" {
 
 #tfsec:ignore:aws-s3-encryption-customer-key
 resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
+  count = var.enable_encryption == true ? 1 : 0
+
   bucket = aws_s3_bucket.bucket.bucket
 
   rule {