Merge pull request #2405 from hobbeswalsh/master

remote: allowing at-rest encryption when using S3
2015-06-25 09:20:13 -07:00 · 2015-06-25 09:20:13 -07:00 · a5af429457
parent 25fa84974b ad17cf55a0
commit a5af429457
2 changed files with 33 additions and 8 deletions
--- a/state/remote/s3.go
+++ b/state/remote/s3.go
@ -32,6 +32,12 @@ func s3Factory(conf map[string]string) (Client, error) {
 		}
 	}

+	serverSideEncryption := false
+	_, ok = conf["encrypt"]
+	if ok {
+		serverSideEncryption = true
+	}
+
 	accessKeyId := conf["access_key"]
 	secretAccessKey := conf["secret_key"]

@ -63,6 +69,7 @@ func s3Factory(conf map[string]string) (Client, error) {
 		nativeClient:         nativeClient,
 		bucketName:           bucketName,
 		keyName:              keyName,
+		serverSideEncryption: serverSideEncryption,
 	}, nil
 }

@ -70,6 +77,7 @@ type S3Client struct {
 	nativeClient         *s3.S3
 	bucketName           string
 	keyName              string
+	serverSideEncryption bool
 }

 func (c *S3Client) Get() (*Payload, error) {
@ -113,13 +121,20 @@ func (c *S3Client) Put(data []byte) error {
 	contentType := "application/octet-stream"
 	contentLength := int64(len(data))

-	_, err := c.nativeClient.PutObject(&s3.PutObjectInput{
+	i := &s3.PutObjectInput{
 		ContentType:   &contentType,
 		ContentLength: &contentLength,
 		Body:          bytes.NewReader(data),
 		Bucket:        &c.bucketName,
 		Key:           &c.keyName,
-	})
+	}
+
+	if c.serverSideEncryption {
+		e := "AES256"
+		i.ServerSideEncryption = &e
+	}
+
+	_, err := c.nativeClient.PutObject(i)

 	if err == nil {
 		return nil
--- a/state/remote/s3_test.go
+++ b/state/remote/s3_test.go
@ -28,6 +28,7 @@ func TestS3Factory(t *testing.T) {
 	config["region"] = "us-west-1"
 	config["bucket"] = "foo"
 	config["key"] = "bar"
+	config["encrypt"] = "1"
 	// For this test we'll provide the credentials as config. The
 	// acceptance tests implicitly test passing credentials as
 	// environment variables.
@ -80,11 +81,13 @@ func TestS3Client(t *testing.T) {

 	bucketName := fmt.Sprintf("terraform-remote-s3-test-%x", time.Now().Unix())
 	keyName := "testState"
+	testData := []byte(`testing data`)

 	config := make(map[string]string)
 	config["region"] = regionName
 	config["bucket"] = bucketName
 	config["key"] = keyName
+	config["encrypt"] = "1"

 	client, err := s3Factory(config)
 	if err != nil {
@ -105,6 +108,13 @@ func TestS3Client(t *testing.T) {
 	if err != nil {
 		t.Skipf("Failed to create test S3 bucket, so skipping")
 	}
+
+	// Ensure we can perform a PUT request with the encryption header
+	err = s3Client.Put(testData)
+	if err != nil {
+		t.Logf("WARNING: Failed to send test data to S3 bucket. (error was %s)", err)
+	}
+
 	defer func() {
 		deleteBucketReq := &s3.DeleteBucketInput{
 			Bucket: &bucketName,