Merge pull request #2405 from hobbeswalsh/master
remote: allowing at-rest encryption when using S3
commit
a5af429457
|
@ -32,6 +32,12 @@ func s3Factory(conf map[string]string) (Client, error) {
|
|||
}
|
||||
}
|
||||
|
||||
serverSideEncryption := false
|
||||
_, ok = conf["encrypt"]
|
||||
if ok {
|
||||
serverSideEncryption = true
|
||||
}
|
||||
|
||||
accessKeyId := conf["access_key"]
|
||||
secretAccessKey := conf["secret_key"]
|
||||
|
||||
|
@ -60,16 +66,18 @@ func s3Factory(conf map[string]string) (Client, error) {
|
|||
nativeClient := s3.New(awsConfig)
|
||||
|
||||
return &S3Client{
|
||||
nativeClient: nativeClient,
|
||||
bucketName: bucketName,
|
||||
keyName: keyName,
|
||||
nativeClient: nativeClient,
|
||||
bucketName: bucketName,
|
||||
keyName: keyName,
|
||||
serverSideEncryption: serverSideEncryption,
|
||||
}, nil
|
||||
}
|
||||
|
||||
type S3Client struct {
|
||||
nativeClient *s3.S3
|
||||
bucketName string
|
||||
keyName string
|
||||
nativeClient *s3.S3
|
||||
bucketName string
|
||||
keyName string
|
||||
serverSideEncryption bool
|
||||
}
|
||||
|
||||
func (c *S3Client) Get() (*Payload, error) {
|
||||
|
@ -113,13 +121,20 @@ func (c *S3Client) Put(data []byte) error {
|
|||
contentType := "application/octet-stream"
|
||||
contentLength := int64(len(data))
|
||||
|
||||
_, err := c.nativeClient.PutObject(&s3.PutObjectInput{
|
||||
i := &s3.PutObjectInput{
|
||||
ContentType: &contentType,
|
||||
ContentLength: &contentLength,
|
||||
Body: bytes.NewReader(data),
|
||||
Bucket: &c.bucketName,
|
||||
Key: &c.keyName,
|
||||
})
|
||||
}
|
||||
|
||||
if c.serverSideEncryption {
|
||||
e := "AES256"
|
||||
i.ServerSideEncryption = &e
|
||||
}
|
||||
|
||||
_, err := c.nativeClient.PutObject(i)
|
||||
|
||||
if err == nil {
|
||||
return nil
|
||||
|
|
|
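Review bot: In the first s3Factory hunk, `_, ok = conf["encrypt"]` enables encryption whenever the key is present, so `encrypt = "false"` or `"0"` still turns it on and the value is never validated. Parsing the value and returning an error when it is not a boolean makes the setting mean what it says; the fence below replaces those lines. The import block is not visible here, so `strconv` (and `fmt`, if it is not already imported) may need adding. In Put, `e := "AES256"` requests S3-managed keys only, so any principal allowed to read the object still receives the state in plaintext; a comment on the struct field such as `// serverSideEncryption requests SSE-S3 (AES256) on Put; it does not restrict who can read the object` would keep that guarantee from being overstated. Both s3Factory and Put continue outside the hunks shown.

```go
serverSideEncryption := false
if raw, ok := conf["encrypt"]; ok {
	v, err := strconv.ParseBool(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid value %q for \"encrypt\": %s", raw, err)
	}
	serverSideEncryption = v
}

// … unchanged: accessKeyId / secretAccessKey lookup …
```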
@ -28,6 +28,7 @@ func TestS3Factory(t *testing.T) {
|
|||
config["region"] = "us-west-1"
|
||||
config["bucket"] = "foo"
|
||||
config["key"] = "bar"
|
||||
config["encrypt"] = "1"
|
||||
// For this test we'll provide the credentials as config. The
|
||||
// acceptance tests implicitly test passing credentials as
|
||||
// environment variables.
|
||||
|
@ -80,11 +81,13 @@ func TestS3Client(t *testing.T) {
|
|||
|
||||
bucketName := fmt.Sprintf("terraform-remote-s3-test-%x", time.Now().Unix())
|
||||
keyName := "testState"
|
||||
testData := []byte(`testing data`)
|
||||
|
||||
config := make(map[string]string)
|
||||
config["region"] = regionName
|
||||
config["bucket"] = bucketName
|
||||
config["key"] = keyName
|
||||
config["encrypt"] = "1"
|
||||
|
||||
client, err := s3Factory(config)
|
||||
if err != nil {
|
||||
|
@ -105,6 +108,13 @@ func TestS3Client(t *testing.T) {
|
|||
if err != nil {
|
||||
t.Skipf("Failed to create test S3 bucket, so skipping")
|
||||
}
|
||||
|
||||
// Ensure we can perform a PUT request with the encryption header
|
||||
err = s3Client.Put(testData)
|
||||
if err != nil {
|
||||
t.Logf("WARNING: Failed to send test data to S3 bucket. (error was %s)", err)
|
||||
}
|
||||
|
||||
defer func() {
|
||||
deleteBucketReq := &s3.DeleteBucketInput{
|
||||
Bucket: &bucketName,
|
||||
|
|
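Review bot: In the last TestS3Client hunk, a failed encrypted PUT is only reported through `t.Logf("WARNING: ...")`, so the test still passes when the encryption header is rejected or never sent. Reporting it as a failure with `t.Errorf("failed to PUT test data with the encryption header: %s", err)` would make the regression visible. `t.Errorf` is preferable to `t.Fatalf` here because the Put runs before the `defer` that deletes the bucket is registered, so a fatal exit at that point would leave the test bucket behind. Nothing visible checks that the stored object is actually encrypted; a HeadObject call after the Put that compares the returned `ServerSideEncryption` with `"AES256"` would pin the behaviour this commit adds. TestS3Client continues outside the hunk, so later assertions may already cover part of this.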