fix: improve prevent_unencrypted_uploads documentation

.github/settings.yml

@@ -2,6 +2,6 @@
 _extends: .github
 repository:
   name: terraform-aws-tfstate-backend
-  description: Terraform module that provision an S3 bucket to store the `terraform.tfstate` file and a DynamoDB table to lock the state file to prevent concurrent modifications and state corruption.
+  description: Terraform module that provisions an S3 bucket to store the `terraform.tfstate` file and a DynamoDB table to lock the state file to prevent concurrent modifications and state corruption.
   homepage: https://cloudposse.com/accelerate
   topics: terraform, terraform-module, aws, tfstate, dynamodb, locking, aws-dynamodb, terraform-modules, dynamodb-table, s3-bucket, backend, terraform-state, remote-state, hcl2

README.md

@@ -292,7 +292,7 @@ Available targets:
 | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM replication role | `string` | `""` | no |
-| <a name="input_prevent_unencrypted_uploads"></a> [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Prevent uploads of unencrypted objects to S3 | `bool` | `true` | no |
+| <a name="input_prevent_unencrypted_uploads"></a> [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Enforce requirement to specify encryption key when uploading content to the S3 bucket.<br>The name of this variable is a little misleading.  Since a default encryption key is created<br>for the bucket by this module, contents are always encrypted at rest.<br>Setting this variable to `true` (the default) will require that uploads to the bucket will need<br>to be initiated with a specific encryption key.<br>If this variable is set to `true` and an upload is attempted without specifying an encryption key<br>(including using the S3 Console), an "Access Denied" error will be thrown by AWS. | `bool` | `true` | no |
 | <a name="input_profile"></a> [profile](#input\_profile) | AWS profile name as set in the shared credentials file | `string` | `""` | no |
 | <a name="input_read_capacity"></a> [read\_capacity](#input\_read\_capacity) | DynamoDB read capacity units when using provisioned mode | `number` | `5` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |

docs/terraform.md

@@ -86,7 +86,7 @@
 | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM replication role | `string` | `""` | no |
-| <a name="input_prevent_unencrypted_uploads"></a> [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Prevent uploads of unencrypted objects to S3 | `bool` | `true` | no |
+| <a name="input_prevent_unencrypted_uploads"></a> [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Enforce requirement to specify encryption key when uploading content to the S3 bucket.<br>The name of this variable is a little misleading.  Since a default encryption key is created<br>for the bucket by this module, contents are always encrypted at rest.<br>Setting this variable to `true` (the default) will require that uploads to the bucket will need<br>to be initiated with a specific encryption key.<br>If this variable is set to `true` and an upload is attempted without specifying an encryption key<br>(including using the S3 Console), an "Access Denied" error will be thrown by AWS. | `bool` | `true` | no |
 | <a name="input_profile"></a> [profile](#input\_profile) | AWS profile name as set in the shared credentials file | `string` | `""` | no |
 | <a name="input_read_capacity"></a> [read\_capacity](#input\_read\_capacity) | DynamoDB read capacity units when using provisioned mode | `number` | `5` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |

variables.tf

@@ -92,7 +92,15 @@ variable "restrict_public_buckets" {
 variable "prevent_unencrypted_uploads" {
   type        = bool
   default     = true
-  description = "Prevent uploads of unencrypted objects to S3"
+  description = <<-EOT
+    Enforce requirement to specify encryption key when uploading content to the S3 bucket.
+    The name of this variable is a little misleading.  Since a default encryption key is created
+    for the bucket by this module, contents are always encrypted at rest.
+    Setting this variable to `true` (the default) will require that uploads to the bucket will need
+    to be initiated with a specific encryption key.
+    If this variable is set to `true` and an upload is attempted without specifying an encryption key
+    (including using the S3 Console), an "Access Denied" error will be thrown by AWS.
+    EOT
 }
 
 variable "profile" {