feat(aws-s3): add SSE-KMS support for MOVE action in S3 Trigger & Copy (#667)

* feat(aws-s3): add KMS support for moveTo action with SSE-KMS parameters

Adds support for `serverSideEncryption` and `kmsKeyId` in S3 MOVE actions
inside the Trigger and Copy operations. This enables workflows to move files
into buckets that enforce encryption policies requiring SSE-KMS. Includes
schema updates, parameter handling, and correct wiring inside S3Service
performAction().

* test(aws-s3): remove @PluginProperty usage and add SSE-KMS integration tests

- Removed deprecated @PluginProperty annotations from Copy.CopyObject fields
- Added runWithServerSideEncryption and runWithKmsKey tests to CopyTest

* Update src/main/java/io/kestra/plugin/aws/s3/Copy.java

* Update src/main/java/io/kestra/plugin/aws/s3/Copy.java

Co-authored-by: Malay Dewangan <66718045+Malaydewangan09@users.noreply.github.com>

* refactor(aws-s3): replace SDK SSE enum with plugin enum

* refactor(s3): replace switch-case with direct ServerSideEncryption.valueOf() mapping

* chore(s3): remove unused toHeaderValue() and clean up SSE enum

---------

Co-authored-by: Divanshu Prajapat <honex@Divanshus-MacBook-Air.local>
Co-authored-by: Malay Dewangan <66718045+Malaydewangan09@users.noreply.github.com>

Author: 3 people

src/main/java/io/kestra/plugin/aws/s3/Copy.java

@@ -1,5 +1,4 @@
 package io.kestra.plugin.aws.s3;
-
 import io.kestra.core.models.annotations.Example;
 import io.kestra.core.models.annotations.Plugin;
 import io.kestra.core.models.annotations.PluginProperty;
@@ -14,6 +13,7 @@
 import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.s3.model.CopyObjectRequest;
 import software.amazon.awssdk.services.s3.model.CopyObjectResponse;
+import io.kestra.plugin.aws.s3.models.S3ServerSideEncryption;
 
 @SuperBuilder
 @ToString
@@ -79,6 +79,20 @@ public Output run(RunContext runContext) throws Exception {
                 builder.sourceVersionId(runContext.render(this.from.versionId).as(String.class).orElseThrow());
             }
 
+            if (this.to != null && this.to.serverSideEncryption != null) {
+                S3ServerSideEncryption rSse = runContext
+                    .render(this.to.serverSideEncryption)
+                    .as(S3ServerSideEncryption.class)
+                    .orElse(null);
+
+                if (rSse != null && rSse != S3ServerSideEncryption.NONE) {
+                    builder.serverSideEncryption(
+                        software.amazon.awssdk.services.s3.model.ServerSideEncryption.valueOf(rSse.name())
+                    );
+                }
+            }
+
+
             CopyObjectRequest request = builder.build();
             CopyObjectResponse response = client.copyObject(request);
 
@@ -126,6 +140,17 @@ public static class CopyObject {
         )
         @NotNull
         Property<String> key;
+
+        @Schema(
+            title = "Server side encryption to apply to the target object.",
+            description = "Example: AES256 or AWS_KMS"
+        )
+        private Property<S3ServerSideEncryption> serverSideEncryption;
+        
+        @Schema(
+            title = "KMS Key ARN or Key ID to use when server side encryption is AWS_KMS"
+        )
+        private Property<String> kmsKeyId;
     }
 
     @SuperBuilder(toBuilder = true)

src/main/java/io/kestra/plugin/aws/s3/models/S3ServerSideEncryption.java

@@ -0,0 +1,7 @@
+package io.kestra.plugin.aws.s3.models;
+
+public enum S3ServerSideEncryption {
+    NONE,
+    AES256,
+    AWS_KMS;
+}

src/test/java/io/kestra/plugin/aws/s3/CopyTest.java

@@ -60,4 +60,67 @@ void run() throws Exception {
     void delete() throws Exception {
         this.run(true);
     }
+
+    @Test
+    void runWithServerSideEncryption() throws Exception {
+        this.createBucket();
+
+        String upload = upload("/tasks/s3/" + IdUtils.create() + "/sub");
+        String move = upload("/tasks/s3/" + IdUtils.create() + "/sub");
+
+        Copy task = Copy.builder()
+            .id(CopyTest.class.getSimpleName())
+            .type(Copy.class.getName())
+            .endpointOverride(Property.ofValue(localstack.getEndpointOverride(LocalStackContainer.Service.S3).toString()))
+            .accessKeyId(Property.ofValue(localstack.getAccessKey()))
+            .secretKeyId(Property.ofValue(localstack.getSecretKey()))
+            .region(Property.ofValue(localstack.getRegion()))
+            .from(Copy.CopyObjectFrom.builder()
+                .bucket(Property.ofValue(this.BUCKET))
+                .key(Property.ofValue(upload))
+                .build()
+            )
+            .to(Copy.CopyObject.builder()
+                .key(Property.ofValue(move))
+                .serverSideEncryption(Property.ofValue(io.kestra.plugin.aws.s3.models.S3ServerSideEncryption.AES256))
+                .build()
+            )
+            .delete(Property.ofValue(false))
+            .build();
+
+        Copy.Output run = task.run(runContext(task));
+        assertThat(run.getKey(), is(move));
+    }
+
+    @Test
+    void runWithKmsKey() throws Exception {
+        this.createBucket();
+
+        String upload = upload("/tasks/s3/" + IdUtils.create() + "/sub");
+        String move = upload("/tasks/s3/" + IdUtils.create() + "/sub");
+
+        Copy task = Copy.builder()
+            .id(CopyTest.class.getSimpleName())
+            .type(Copy.class.getName())
+            .endpointOverride(Property.ofValue(localstack.getEndpointOverride(LocalStackContainer.Service.S3).toString()))
+            .accessKeyId(Property.ofValue(localstack.getAccessKey()))
+            .secretKeyId(Property.ofValue(localstack.getSecretKey()))
+            .region(Property.ofValue(localstack.getRegion()))
+            .from(Copy.CopyObjectFrom.builder()
+                .bucket(Property.ofValue(this.BUCKET))
+                .key(Property.ofValue(upload))
+                .build()
+            )
+            .to(Copy.CopyObject.builder()
+                .key(Property.ofValue(move))
+                .serverSideEncryption(Property.ofValue(io.kestra.plugin.aws.s3.models.S3ServerSideEncryption.AWS_KMS))
+                .kmsKeyId(Property.ofValue("arn:aws:kms:us-east-1:000000000000:key/test-kms")) 
+                .build()
+            )
+            .delete(Property.ofValue(false))
+            .build();
+
+        Copy.Output run = task.run(runContext(task));
+        assertThat(run.getKey(), is(move));
+    }
 }