Commit

Set logs encryptions to SSE-S3
jnonino committed Jun 29, 2022
1 parent 59e8d2e commit 0ab27b3
Showing 3 changed files with 5 additions and 6 deletions.
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -59,8 +59,8 @@ No modules.
| <a name="input_block_s3_bucket_public_access"></a> [block\_s3\_bucket\_public\_access](#input\_block\_s3\_bucket\_public\_access) | (Optional) If true, public access to the S3 bucket will be blocked. | `bool` | `true` | no |
| <a name="input_enable_s3_bucket_server_side_encryption"></a> [enable\_s3\_bucket\_server\_side\_encryption](#input\_enable\_s3\_bucket\_server\_side\_encryption) | (Optional) If true, server side encryption will be applied. | `bool` | `true` | no |
| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Name prefix for resources on AWS | `string` | n/a | yes |
| <a name="input_s3_bucket_server_side_encryption_key"></a> [s3\_bucket\_server\_side\_encryption\_key](#input\_s3\_bucket\_server\_side\_encryption\_key) | (Optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse\_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse\_algorithm is aws:kms. | `string` | `"aws/s3"` | no |
| <a name="input_s3_bucket_server_side_encryption_sse_algorithm"></a> [s3\_bucket\_server\_side\_encryption\_sse\_algorithm](#input\_s3\_bucket\_server\_side\_encryption\_sse\_algorithm) | (Optional) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms | `string` | `"aws:kms"` | no |
| <a name="input_s3_bucket_server_side_encryption_key"></a> [s3\_bucket\_server\_side\_encryption\_key](#input\_s3\_bucket\_server\_side\_encryption\_key) | (Optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse\_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse\_algorithm is aws:kms. | `string` | `null` | no |
| <a name="input_s3_bucket_server_side_encryption_sse_algorithm"></a> [s3\_bucket\_server\_side\_encryption\_sse\_algorithm](#input\_s3\_bucket\_server\_side\_encryption\_sse\_algorithm) | (Optional) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms | `string` | `"AES256"` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Resource tags | `map(string)` | `{}` | no |

## Outputs
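
Review bot: the two changed rows in the inputs table flip the module defaults (`s3_bucket_server_side_encryption_sse_algorithm` from `"aws:kms"` to `"AES256"`, `s3_bucket_server_side_encryption_key` from `"aws/s3"` to `null`), so a caller that relied on the defaults gets a different bucket encryption setting after this change, and the README does not say so. Add an upgrade note near the table telling callers who want to stay on SSE-KMS to set both inputs explicitly. The key row could also state what happens when a key is supplied while the algorithm is left at `AES256`.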
3 changes: 1 addition & 2 deletions examples/test/main.tf
Expand Up @@ -5,6 +5,5 @@ module "logs_bucket" {
aws_principals_identifiers = ["test-user-arn"]
block_s3_bucket_public_access = true
enable_s3_bucket_server_side_encryption = true
s3_bucket_server_side_encryption_sse_algorithm = "aws:kms"
s3_bucket_server_side_encryption_key = "aws/s3"
s3_bucket_server_side_encryption_sse_algorithm = "AES256"
}
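
Review bot: `s3_bucket_server_side_encryption_sse_algorithm = "AES256"` in this module call now equals the new default, so the line is redundant and nothing in this example exercises the `aws:kms` path with a key any more. Either drop the line so the example tests the default, or add a second module call that sets `aws:kms` together with a key so that path stays covered.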
4 changes: 2 additions & 2 deletions variables.tf
Expand Up @@ -38,11 +38,11 @@ variable "enable_s3_bucket_server_side_encryption" {
variable "s3_bucket_server_side_encryption_sse_algorithm" {
description = "(Optional) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms"
type = string
default = "aws:kms"
default = "AES256"
}

variable "s3_bucket_server_side_encryption_key" {
description = "(Optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms."
type = string
default = "aws/s3"
default = null
}
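
Review bot: `s3_bucket_server_side_encryption_sse_algorithm` has no `validation` block even though its description lists only AES256 and aws:kms as valid; a rule such as `condition = contains(["AES256", "aws:kms"], var.s3_bucket_server_side_encryption_sse_algorithm)` would reject a typo at plan time. With the key now defaulting to `null` and the algorithm to `"AES256"`, a caller who sets only `s3_bucket_server_side_encryption_key` no longer selects SSE-KMS, so consider failing fast when a key is supplied while the algorithm is not `aws:kms`.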
