feat(s3): add KMS key resources and update SSE configuration

alismx · alismx · commit 19cbccce1b46 · 2025-05-21T13:34:35.000-07:00
Added KMS key resources for ecr_viewer and logging. Updated S3 bucket server-side encryption configuration to reference the new KMS keys.
diff --git a/s3.tf b/s3.tf
@@ -1,3 +1,11 @@
+resource "aws_kms_key" "ecr_viewer" {
+  enable_key_rotation = true
+}
+
+resource "aws_kms_key" "logging" {
+  enable_key_rotation = true
+}
+
 resource "aws_s3_bucket" "ecr_viewer" {
   bucket        = local.s3_viewer_bucket_name
   force_destroy = true
@@ -12,13 +20,12 @@ resource "aws_s3_bucket_public_access_block" "ecr_viewer" {
   restrict_public_buckets = true
 }
 
-# https://avd.aquasec.com/misconfig/aws/s3/avd-aws-0132/
-# trivy:ignore:AVD-AWS-0132
 resource "aws_s3_bucket_server_side_encryption_configuration" "ecr_viewer" {
   bucket = aws_s3_bucket.ecr_viewer.bucket
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "aws:kms"
+      kms_master_key_id = aws_kms_key.ecr_viewer.arn
+      sse_algorithm     = "aws:kms"
     }
   }
 }
@@ -49,13 +56,12 @@ resource "aws_s3_bucket_public_access_block" "logging" {
   restrict_public_buckets = true
 }
 
-# https://avd.aquasec.com/misconfig/aws/s3/avd-aws-0132/
-# trivy:ignore:AVD-AWS-0132
 resource "aws_s3_bucket_server_side_encryption_configuration" "logging" {
   bucket = aws_s3_bucket.logging.bucket
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "aws:kms"
+      kms_master_key_id = aws_kms_key.logging.arn
+      sse_algorithm     = "aws:kms"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,11 @@`
	`1`	`+resource "aws_kms_key" "ecr_viewer" {`
	`2`	`+ enable_key_rotation = true`
	`3`	`+}`
	`4`	`+`
	`5`	`+resource "aws_kms_key" "logging" {`
	`6`	`+ enable_key_rotation = true`
	`7`	`+}`
	`8`	`+`
`1`	`9`	`resource "aws_s3_bucket" "ecr_viewer" {`
`2`	`10`	`bucket = local.s3_viewer_bucket_name`
`3`	`11`	`force_destroy = true`
`@@ -12,13 +20,12 @@ resource "aws_s3_bucket_public_access_block" "ecr_viewer" {`
`12`	`20`	`restrict_public_buckets = true`
`13`	`21`	`}`
`14`	`22`
`15`		`-# https://avd.aquasec.com/misconfig/aws/s3/avd-aws-0132/`
`16`		`-# trivy:ignore:AVD-AWS-0132`
`17`	`23`	`resource "aws_s3_bucket_server_side_encryption_configuration" "ecr_viewer" {`
`18`	`24`	`bucket = aws_s3_bucket.ecr_viewer.bucket`
`19`	`25`	`rule {`
`20`	`26`	`apply_server_side_encryption_by_default {`
`21`		`- sse_algorithm = "aws:kms"`
	`27`	`+ kms_master_key_id = aws_kms_key.ecr_viewer.arn`
	`28`	`+ sse_algorithm = "aws:kms"`
`22`	`29`	`}`
`23`	`30`	`}`
`24`	`31`	`}`
`@@ -49,13 +56,12 @@ resource "aws_s3_bucket_public_access_block" "logging" {`
`49`	`56`	`restrict_public_buckets = true`
`50`	`57`	`}`
`51`	`58`
`52`		`-# https://avd.aquasec.com/misconfig/aws/s3/avd-aws-0132/`
`53`		`-# trivy:ignore:AVD-AWS-0132`
`54`	`59`	`resource "aws_s3_bucket_server_side_encryption_configuration" "logging" {`
`55`	`60`	`bucket = aws_s3_bucket.logging.bucket`
`56`	`61`	`rule {`
`57`	`62`	`apply_server_side_encryption_by_default {`
`58`		`- sse_algorithm = "aws:kms"`
	`63`	`+ kms_master_key_id = aws_kms_key.logging.arn`
	`64`	`+ sse_algorithm = "aws:kms"`
`59`	`65`	`}`
`60`	`66`	`}`
`61`	`67`	`}`