Merge pull request #1158 from haarchri/feature/s3-bucket-key-enabled

feat(s3): bucketKeyEnabled implemented
crossplane-contrib · Mar 8, 2022 · ecf5c1d · ecf5c1d
2 parents df4b03c + 97b8168
commit ecf5c1d
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 0 deletions.
diff --git a/apis/s3/v1beta1/serverSideEncryption_types.go b/apis/s3/v1beta1/serverSideEncryption_types.go
@@ -31,6 +31,15 @@ type ServerSideEncryptionRule struct {
 	// bucket. If a PUT Object request doesn't specify any server-side encryption,
 	// this default encryption will be applied.
 	ApplyServerSideEncryptionByDefault ServerSideEncryptionByDefault `json:"applyServerSideEncryptionByDefault"`
+
+	// Specifies whether Amazon S3 should use an S3 Bucket Key with server-side
+	// encryption using KMS (SSE-KMS) for new objects in the bucket. Existing objects
+	// are not affected. Setting the BucketKeyEnabled element to true causes Amazon S3
+	// to use an S3 Bucket Key. By default, S3 Bucket Key is not enabled. For more
+	// information, see Amazon S3 Bucket Keys
+	// (https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html) in the Amazon
+	// S3 User Guide.
+	BucketKeyEnabled bool `json:"bucketKeyEnabled,omitempty"`
 }
 
 // ServerSideEncryptionByDefault describes the default server-side encryption to

diff --git a/package/crds/s3.aws.crossplane.io_buckets.yaml b/package/crds/s3.aws.crossplane.io_buckets.yaml
@@ -1368,6 +1368,16 @@ spec:
                               required:
                               - sseAlgorithm
                               type: object
+                            bucketKeyEnabled:
+                              description: Specifies whether Amazon S3 should use
+                                an S3 Bucket Key with server-side encryption using
+                                KMS (SSE-KMS) for new objects in the bucket. Existing
+                                objects are not affected. Setting the BucketKeyEnabled
+                                element to true causes Amazon S3 to use an S3 Bucket
+                                Key. By default, S3 Bucket Key is not enabled. For
+                                more information, see Amazon S3 Bucket Keys (https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html)
+                                in the Amazon S3 User Guide.
+                              type: boolean
                           required:
                           - applyServerSideEncryptionByDefault
                           type: object

diff --git a/pkg/controller/s3/bucket/sseConfig.go b/pkg/controller/s3/bucket/sseConfig.go
@@ -75,6 +75,9 @@ func (in *SSEConfigurationClient) Observe(ctx context.Context, bucket *v1beta1.B
 		if string(outputRule.SSEAlgorithm) != Rule.ApplyServerSideEncryptionByDefault.SSEAlgorithm {
 			return NeedsUpdate, nil
 		}
+		if external.ServerSideEncryptionConfiguration.Rules[i].BucketKeyEnabled != Rule.BucketKeyEnabled {
+			return NeedsUpdate, nil
+		}
 	}
 
 	return Updated, nil
@@ -140,6 +143,7 @@ func GeneratePutBucketEncryptionInput(name string, config *v1beta1.ServerSideEnc
 	}
 	for i, rule := range config.Rules {
 		bei.ServerSideEncryptionConfiguration.Rules[i] = types.ServerSideEncryptionRule{
+			BucketKeyEnabled: rule.BucketKeyEnabled,
 			ApplyServerSideEncryptionByDefault: &types.ServerSideEncryptionByDefault{
 				KMSMasterKeyID: rule.ApplyServerSideEncryptionByDefault.KMSMasterKeyID,
 				SSEAlgorithm:   types.ServerSideEncryption(rule.ApplyServerSideEncryptionByDefault.SSEAlgorithm),

diff --git a/pkg/controller/s3/bucket/sseConfig_test.go b/pkg/controller/s3/bucket/sseConfig_test.go
@@ -55,6 +55,20 @@ func generateSSEConfig() *v1beta1.ServerSideEncryptionConfiguration {
 	}
 }
 
+func generateSSEConfigWithBucketEncryption() *v1beta1.ServerSideEncryptionConfiguration {
+	return &v1beta1.ServerSideEncryptionConfiguration{
+		Rules: []v1beta1.ServerSideEncryptionRule{
+			{
+				BucketKeyEnabled: *awsclient.Bool(true),
+				ApplyServerSideEncryptionByDefault: v1beta1.ServerSideEncryptionByDefault{
+					KMSMasterKeyID: awsclient.String(keyID),
+					SSEAlgorithm:   sseAlgo,
+				},
+			},
+		},
+	}
+}
+
 func generateAWSSSE() *s3types.ServerSideEncryptionConfiguration {
 	return &s3types.ServerSideEncryptionConfiguration{
 		Rules: []s3types.ServerSideEncryptionRule{
@@ -167,6 +181,20 @@ func TestSSEObserve(t *testing.T) {
 				err:    nil,
 			},
 		},
+		"NeedsUpdateEnableBucketKey": {
+			args: args{
+				b: s3testing.Bucket(s3testing.WithSSEConfig(generateSSEConfigWithBucketEncryption())),
+				cl: NewSSEConfigurationClient(fake.MockBucketClient{
+					MockGetBucketEncryption: func(ctx context.Context, input *s3.GetBucketEncryptionInput, opts []func(*s3.Options)) (*s3.GetBucketEncryptionOutput, error) {
+						return &s3.GetBucketEncryptionOutput{ServerSideEncryptionConfiguration: generateAWSSSE()}, nil
+					},
+				}),
+			},
+			want: want{
+				status: NeedsUpdate,
+				err:    nil,
+			},
+		},
 	}
 
 	for name, tc := range cases {