Skip to content

Commit c199bb3

Browse files
authored
Add blocked_encryption_types variable to fix perpetual SSE config drift (#289)
Exposes blocked_encryption_types on the aws_s3_bucket_server_side_encryption_configuration rule block. Defaults to null (attribute omitted) to preserve compatibility with hashicorp/aws provider versions older than 6.22.0. On provider >= 6.22.0, GetBucketEncryption returns blocked_encryption_types = ["NONE"] by default, which does not round-trip with an omitted/empty list and causes perpetual in-place diffs. Callers on 6.22.0+ can set this to ["NONE"] to silence the drift. Fixes #287
1 parent 4352853 commit c199bb3

3 files changed

Lines changed: 19 additions & 1 deletion

File tree

README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -267,6 +267,7 @@ module "s3_bucket" {
267267
| <a name="input_availability_zone_id"></a> [availability\_zone\_id](#input\_availability\_zone\_id) | The ID of the availability zone. | `string` | `""` | no |
268268
| <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | Set to `false` to disable the blocking of new public access lists on the bucket | `bool` | `true` | no |
269269
| <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | Set to `false` to disable the blocking of new public policies on the bucket | `bool` | `true` | no |
270+
| <a name="input_blocked_encryption_types"></a> [blocked\_encryption\_types](#input\_blocked\_encryption\_types) | List of encryption types to block on the bucket, passed to the `rule` block of `aws_s3_bucket_server_side_encryption_configuration`.<br/><br/>Defaults to `null` (attribute omitted) so the module remains compatible with `hashicorp/aws` provider versions older than 6.22.0, which do not know this field.<br/><br/>On provider >= 6.22.0, AWS's `GetBucketEncryption` returns `blocked_encryption_types = ["NONE"]` by default, which does not round-trip with an omitted/empty list and causes perpetual in-place diffs on `aws_s3_bucket_server_side_encryption_configuration`. To silence that drift, set this to `["NONE"]`. | `list(string)` | `null` | no |
270271
| <a name="input_bucket_key_enabled"></a> [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Set this to true to use Amazon S3 Bucket Keys for SSE-KMS, which may or may not reduce the number of AWS KMS requests.<br/>For more information, see: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html | `bool` | `false` | no |
271272
| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | Bucket name. If provided, the bucket will be created with this name instead of generating the name from the context | `string` | `null` | no |
272273
| <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br/>See description of individual variables for details.<br/>Leave string and numeric variables as `null` to use default value.<br/>Individual variable settings (non-null) override settings in context object,<br/>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br/> "additional_tag_map": {},<br/> "attributes": [],<br/> "delimiter": null,<br/> "descriptor_formats": {},<br/> "enabled": true,<br/> "environment": null,<br/> "id_length_limit": null,<br/> "label_key_case": null,<br/> "label_order": [],<br/> "label_value_case": null,<br/> "labels_as_tags": [<br/> "unset"<br/> ],<br/> "name": null,<br/> "namespace": null,<br/> "regex_replace_chars": null,<br/> "stage": null,<br/> "tags": {},<br/> "tenant": null<br/>}</pre> | no |

main.tf

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -84,7 +84,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
8484
expected_bucket_owner = var.expected_bucket_owner
8585

8686
rule {
87-
bucket_key_enabled = var.bucket_key_enabled
87+
bucket_key_enabled = var.bucket_key_enabled
88+
blocked_encryption_types = var.blocked_encryption_types
8889

8990
apply_server_side_encryption_by_default {
9091
sse_algorithm = var.sse_algorithm

variables.tf

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -458,6 +458,22 @@ variable "bucket_key_enabled" {
458458
nullable = false
459459
}
460460

461+
variable "blocked_encryption_types" {
462+
type = list(string)
463+
default = null
464+
description = <<-EOT
465+
List of encryption types to block on the bucket, passed to the `rule` block of
466+
`aws_s3_bucket_server_side_encryption_configuration`.
467+
468+
Defaults to `null` (attribute omitted) so the module remains compatible with `hashicorp/aws` provider
469+
versions older than 6.22.0, which do not know this field.
470+
471+
On provider >= 6.22.0, AWS's `GetBucketEncryption` returns `blocked_encryption_types = ["NONE"]` by default,
472+
which does not round-trip with an omitted/empty list and causes perpetual in-place diffs on
473+
`aws_s3_bucket_server_side_encryption_configuration`. To silence that drift, set this to `["NONE"]`.
474+
EOT
475+
}
476+
461477
variable "expected_bucket_owner" {
462478
type = string
463479
default = null

0 commit comments

Comments
 (0)