Enhancement: additional x-amz-server-side-encryption parameters for S3 object storage #1783
Open
Description
When using AWS S3 as the artifact/plan file (object) store with `aws:kms`, following best practices such as here, there may be restrictive bucket policies requiring the client (Digger) to provide `x-amz-server-side-encryption*` headers in the `PutObject` request. If they are not present, an explicit deny is applied to the request and so the plan file upload fails.
For example:
```hcl
statement {
  sid       = "DenyNoEncryptionHeader"
  effect    = "Deny"
  resources = [
    "${aws_s3_bucket.plan.arn}/*",
  ]
  actions = [
    "s3:PutObject",
  ]
  principals {
    type        = "*"
    identifiers = ["*"]
  }
  condition {
    test     = "StringNotEquals"
    variable = "s3:x-amz-server-side-encryption"
    values = [
      "aws:kms",
    ]
  }
}
```
The suggestion is to include these headers in the request.
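An added example, not part of the original issue and not Digger's code: a standard-library Go model of how the `DenyNoEncryptionHeader` statement above treats a `PutObject` request with and without the SSE headers. The helper names `putObjectHeaders` and `deniedByPolicy` and the key alias are hypothetical, and only this one statement is modelled, not full IAM evaluation.

```go
package main

import (
	"fmt"
	"net/http"
)

// Real S3 request header names for server-side encryption.
const (
	hdrSSE      = "x-amz-server-side-encryption"
	hdrSSEKeyID = "x-amz-server-side-encryption-aws-kms-key-id"
)

// putObjectHeaders (hypothetical helper) returns the SSE headers an uploader
// would attach to PutObject. sse is "", "AES256" or "aws:kms"; kmsKeyID is
// optional and only sent together with "aws:kms".
func putObjectHeaders(sse, kmsKeyID string) http.Header {
	h := http.Header{}
	if sse != "" {
		h.Set(hdrSSE, sse)
	}
	if sse == "aws:kms" && kmsKeyID != "" {
		h.Set(hdrSSEKeyID, kmsKeyID)
	}
	return h
}

// deniedByPolicy models the DenyNoEncryptionHeader statement. The condition
// key s3:x-amz-server-side-encryption comes from the request header, and
// StringNotEquals also matches when the key is absent, so a missing header
// is denied just like a wrong value.
func deniedByPolicy(h http.Header) bool {
	values, present := h[http.CanonicalHeaderKey(hdrSSE)]
	if !present || len(values) == 0 {
		return true
	}
	return values[0] != "aws:kms"
}

func main() {
	cases := []struct{ name, sse, key string }{
		{"no SSE header", "", ""},
		{"SSE-S3 (AES256)", "AES256", ""},
		{"SSE-KMS, no key id", "aws:kms", ""},
		{"SSE-KMS, explicit key", "aws:kms", "alias/example-plan-key"}, // constructed alias
	}
	for _, c := range cases {
		fmt.Printf("%-24s denied=%v\n", c.name, deniedByPolicy(putObjectHeaders(c.sse, c.key)))
	}
}
```

The first two cases are denied and the last two pass the statement, which is why the uploader has to send `x-amz-server-side-encryption: aws:kms` explicitly rather than rely on the bucket's default encryption.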