Open
Labels: enhancement (New feature or request)
Description
Summary
Extend the existing oci.objectStorage.bucket resource with kmsKeyId field and additional configuration options to enable encryption auditing.
OCI API Reference
- GetBucket - Get bucket details including kmsKeyId
Proposed MQL Resources
oci.objectStorage.bucket (Extend Existing)
Current fields: name, namespace, compartmentID, region, created, publicAccessType, storageTier, versioning, autoTiering, objectEventsEnabled, replicationEnabled
Add these fields:
| Field | Type | Description |
|---|---|---|
| kmsKeyId | string | Customer-managed encryption key OCID (null if Oracle-managed) |
| approximateCount | int | Approximate number of objects |
| approximateSize | int | Approximate total size in bytes |
| isReadOnly | bool | Whether bucket is read-only |
| objectLifecyclePolicyEtag | string | Object lifecycle policy etag |
| freeformTags | map[string]string | Free-form tags |
| definedTags | map[string]map[string]string | Defined tags |
Example MQL Queries
```
# Check all buckets use customer-managed keys
oci.objectStorage.buckets.all(
  kmsKeyId != null && kmsKeyId != ""
)

# List buckets not using CMK encryption
oci.objectStorage.buckets.where(
  kmsKeyId == null || kmsKeyId == ""
)

# Check buckets have versioning enabled and use CMK
oci.objectStorage.buckets.all(
  versioning == "Enabled" &&
  kmsKeyId != null
)
```
Use Cases
- Verify object storage buckets are encrypted with customer-managed keys
- Audit bucket encryption configuration compliance
- Identify buckets using default Oracle-managed encryption
- Monitor bucket configuration changes
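The same checks run offline over GetBucket-style JSON, as an added example that is not part of the original issue or the project's code. The sample buckets are constructed, and the `ocid1.key.` prefix test and the function names are assumptions made for illustration.

```python
import json

# Constructed GetBucket-style responses (not real buckets); key names follow
# the fields named in the issue: name, versioning, kmsKeyId.
SAMPLE_BUCKETS = json.loads("""
[
  {"name": "logs",    "versioning": "Enabled",  "kmsKeyId": "ocid1.key.oc1.example.aaaa"},
  {"name": "backups", "versioning": "Disabled", "kmsKeyId": "ocid1.key.oc1.example.bbbb"},
  {"name": "scratch", "versioning": "Enabled",  "kmsKeyId": null},
  {"name": "legacy",  "versioning": "Enabled",  "kmsKeyId": ""},
  {"name": "partial", "versioning": "Enabled"},
  {"name": "odd",     "versioning": "Enabled",  "kmsKeyId": "ocid1.vault.oc1.example.cccc"}
]
""")

KEY_OCID_PREFIX = "ocid1.key."  # assumption: KMS key OCIDs start with this prefix


def encryption_state(bucket):
    """Classify a bucket as 'customer-managed', 'oracle-managed' or 'unexpected'."""
    key = bucket.get("kmsKeyId")
    if key is None or (isinstance(key, str) and key.strip() == ""):
        return "oracle-managed"   # null, missing and empty all mean no CMK
    if isinstance(key, str) and key.startswith(KEY_OCID_PREFIX):
        return "customer-managed"
    return "unexpected"           # present, but not shaped like a key OCID


def audit(buckets):
    """Return {bucket name: [findings]} for buckets that fail a check."""
    findings = {}
    for b in buckets:
        issues = []
        state = encryption_state(b)
        if state == "oracle-managed":
            issues.append("no customer-managed key")
        elif state == "unexpected":
            issues.append("kmsKeyId is not a key OCID")
        if b.get("versioning") != "Enabled":
            issues.append("versioning not enabled")
        if issues:
            findings[b["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_BUCKETS).items():
        print(f"{name}: {', '.join(issues)}")
```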