terraform-aws-s3-bucket

feat: add flag to en/disable sse

Open DesmondH0 opened this issue 2 years ago • 3 comments

what

  • Added a flag to control default server-side encryption; by default it is turned on

why

  • There are some edge cases that need SSE turned off, and there should be a flag to control it

Sep 22 '22 12:09 DesmondH0

Hmm... mergify seems to be complaining with:

⚠ The [subscription](https://dashboard.mergify.com/github/cloudposse/subscription) needs to be updated to enable this feature.

Is that something a code owner could solve 🤔?

Sep 22 '22 12:09 DesmondH0

/test all

Sep 22 '22 23:09 joe-niland

@nitrocode @Nuru would you mind reviewing this also? Seems reasonable to me.

Sep 23 '22 00:09 joe-niland

> I am inclined to deny this PR on the grounds that there is never a reason to disable server-side encryption. Please explain why allow_encrypted_uploads_only = false is not sufficient for your use case.

Let me explain more about our use case (I guess this is an edge one): we have a bucket that our application writes some data into, and then we use Zapier to sync the content inside to Dropbox.

The problem happens in that shitty Zapier client: they do not support it if the bucket has default encryption enabled (allow_encrypted_uploads_only wouldn't help). That is a black box for us; we did contact Zapier and raised a feature request on their side, but we don't know if it will happen anytime soon.

Totally understand the reason for rejecting this PR. In our case, we would need to turn that off manually and the config would not be in sync for us (or we would need to fork it 😢).

Nov 14 '22 11:11 DesmondH0

@DesmondH0 are you sure that Zapier cannot write to the bucket if allow_encrypted_uploads_only = false?

The encryption will be handled transparently by AWS in this case and should not impact anything.

Apr 26 '23 17:04 kevcube

> @DesmondH0 are you sure that Zapier cannot write to the bucket if allow_encrypted_uploads_only = false?
>
> The encryption will be handled transparently by AWS in this case and should not impact anything.

Hi, yes, we did test our use case specifically, and gods know why the Zapier client handles it that way.

If you consider this an anti-pattern, I would totally understand. But since AWS has this option for users, I think it doesn't hurt to have this flag in place. Thanks a lot.

Apr 26 '23 19:04 DesmondH0

AWS no longer allows server-side encryption to be turned off, so closing this issue as moot. The closest you can come is to set sse_algorithm = "AES256". If you still see a need for better control over server-side encryption, please open a new issue with fresh details.

May 08 '23 22:05 Nuru
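
The distinction the thread turns on, default bucket encryption versus a bucket policy that rejects uploads lacking an encryption header, as an added example that is not part of the thread or the module's code. It is a simplified model: the policy is constructed, and treating it as the kind of policy allow_encrypted_uploads_only = true attaches is an assumption, as are the function names.

```python
# Simplified model of S3 PutObject handling; not AWS's or the module's code.
SSE_KEY = "s3:x-amz-server-side-encryption"

# Constructed bucket policy that rejects uploads without an accepted SSE header
# (assumption: the kind of policy allow_encrypted_uploads_only = true attaches).
DENY_UNENCRYPTED_UPLOADS = [
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Condition": {"Null": {SSE_KEY: "true"}}},
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Condition": {"StringNotEquals": {SSE_KEY: ["AES256", "aws:kms"]}}},
]


def condition_matches(condition, headers):
    """True when every operator/key pair in the Condition block matches."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            value = headers.get(key.split(":", 1)[1])  # header name after "s3:"
            if operator == "Null":
                matched = (value is None) == (expected == "true")
            elif operator == "StringNotEquals":
                # Negated operators also match when the key is absent.
                matched = value is None or value not in expected
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not matched:
                return False
    return True


def put_object(headers, bucket_policy, default_sse="AES256"):
    """Return (accepted, encryption applied at rest) for one upload.

    Assumes the caller is otherwise allowed to write, so only explicit
    Deny statements in the bucket policy can reject the request.
    """
    for stmt in bucket_policy:
        if (stmt["Effect"] == "Deny" and stmt["Action"] == "s3:PutObject"
                and condition_matches(stmt["Condition"], headers)):
            return (False, None)
    # No header: the bucket's default encryption is applied transparently.
    return (True, headers.get("x-amz-server-side-encryption", default_sse))


PLAIN_CLIENT = {}  # constructed request: client sends no SSE header
SSE_CLIENT = {"x-amz-server-side-encryption": "AES256"}
```

In this model a client that sends no encryption header is only rejected when the deny policy is attached; without it the object is accepted and still encrypted at rest with the bucket default.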