
Allow using AES256 S3 encryption
* Some buckets can't be encrypted with an S3 KMS for various reasons
  (eg. legacy CloudFront, logging etc)
Stretch96 committed Oct 23, 2024
1 parent 32ecb44 commit 99fb531
Showing 3 changed files with 5 additions and 3 deletions.
2 changes: 1 addition & 1 deletion README.md
@@ -477,7 +477,7 @@ This project creates and manages resources within an AWS account for infrastruct
| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS region in which to launch resources | `string` | n/a | yes |
| <a name="input_custom_cloudformation_stacks"></a> [custom\_cloudformation\_stacks](#input\_custom\_cloudformation\_stacks) | Map of CloudFormation stacks to deploy<br/> {<br/> stack-name = {<br/> s3\_template\_store\_key: The filename of a CloudFormation template that is stored within the S3 bucket, created by the `enable_cloudformatian_s3_template_store`<br/> template\_body: (Optional - use of s3\_template\_store\_key is preferred) The CloudFormation template body<br/> parameters: The CloudFormation template parameters ({ parameter-name = parameter-value, ... })<br/> on\_failure: What to do on failure, either 'DO\_NOTHING', 'ROLLBACK' or 'DELETE'<br/> capabilities: A list of capabilities. Valid values: `CAPABILITY_NAMED_IAM`, `CAPABILITY_IAM`, `CAPABILITY_AUTO_EXPAND`<br/> }<br/> } | <pre>map(object({<br/> s3_template_store_key = optional(string, null)<br/> template_body = optional(string, null)<br/> parameters = optional(map(string), null)<br/> on_failure = optional(string, null)<br/> capabilities = optional(list(string), null)<br/> }))</pre> | n/a | yes |
| <a name="input_custom_route53_hosted_zones"></a> [custom\_route53\_hosted\_zones](#input\_custom\_route53\_hosted\_zones) | Map of Route53 Hosted Zone configurations to create<br/> {<br/> example.com = {<br/> ns\_records: Map of NS records to create ({ "domain.example.com" = { values = ["ns1.example.com", "ns2.example.com"], ttl = 300 })<br/> a\_records: Map of A records to create ({ "domain.example.com" = { values = ["1.2.3.4", "5.6.7.8"], ttl = 300 })<br/> alias\_records: Map of ALIAS records to create ({ "domain.example.com" = { value = "example.cloudfront.com", zone\_id = "Z2FDTNDATAQYW2" })<br/> cname\_records: Map of CNAME records to create ({ "domain.example.com" = { values = ["external1.example.com", "external2.example.com"], ttl = 60 })<br/> mx\_records: Map of MX records to create ({ "example.com" = { values = ["1 mail.example.com", "5 mail2.example.com"], ttl = 60 })<br/> txt\_records: Map of TXT records to create ({ "example.com" = { values = ["v=spf1 include:spf.example.com -all"], ttl = 60 })<br/> }<br/> } | <pre>map(object({<br/> ns_records = optional(map(object({<br/> values = list(string)<br/> ttl = optional(number, 300)<br/> })), null)<br/> a_records = optional(map(object({<br/> values = list(string)<br/> ttl = optional(number, 300)<br/> })), null)<br/> alias_records = optional(map(object({<br/> value = string<br/> zone_id = string<br/> })), null)<br/> cname_records = optional(map(object({<br/> values = list(string)<br/> ttl = optional(number, 300)<br/> })), null)<br/> mx_records = optional(map(object({<br/> values = list(string)<br/> ttl = optional(number, 300)<br/> })), null)<br/> txt_records = optional(map(object({<br/> values = list(string)<br/> ttl = optional(number, 300)<br/> })), null)<br/> }))</pre> | n/a | yes |
| <a name="input_custom_s3_buckets"></a> [custom\_s3\_buckets](#input\_custom\_s3\_buckets) | Map of S3 buckets to create, and conditionally serve via CloudFront. The S3 configuration will follow AWS best practices (eg. Private, ACLS disabled, SSE, Versioning, Logging). The bucket must be emptied before attempting deletion/destruction."<br/> {<br/> bucket-name = {<br/> create\_dedicated\_kms\_key: Conditionally create a KMS key specifically for this bucket's server side encryption (rather than using the Infrastructure's KMS key). It's recommended to use this if the S3 bucket will be accessed from external AWS accounts.<br/> custom\_kms\_key\_policy\_statements: Conditionally add a string of comma delimited user-defined bucket policy statements (eg. '{"Effect": ...},{"Effect": ...}')<br/> transition\_to\_ia\_days: Conditionally transition objects to 'Standard Infrequent Access' storage in N days<br/> transition\_to\_glacier\_days: Conditionally transition objects to 'Glacier' storage in N days<br/> cloudfront\_dedicated\_distribution: Conditionally create a CloudFront distribution to serve objects from the S3 bucket.<br/> cloudfront\_s3\_root: Sets the S3 document root when being served from CloudFront. By default this will be '/'. If `cloudfront_infrastructure_ecs_cluster_service_path` has been set, this helps by modifying the request from `/sub-directory-path` to `/` by use of a CloudFront function.<br/> cloudfront\_infrastructure\_ecs\_cluster\_service: Conditionally create an Origin on a CloudFront distribution that is serving the given Infrastructure ECS Cluster Service name<br/> cloudfront\_infrastructure\_ecs\_cluster\_service\_path: If `cloudfront_infrastructure_ecs_cluster_service`, set this to the path that objects will be served from.<br/> custom\_bucket\_policy\_statements: Conditionally add a string of comma delimited user-defined key policy statements (eg. 
'{"Effect": ...},{"Effect": ...}'<br/> }<br/> } | <pre>map(object({<br/> create_dedicated_kms_key = optional(bool, null)<br/> custom_kms_key_policy_statements = optional(string, null)<br/> transition_to_ia_days = optional(number, null)<br/> transition_to_glacier_days = optional(number, null)<br/> cloudfront_dedicated_distribution = optional(bool, null)<br/> cloudfront_s3_root = optional(string, null)<br/> cloudfront_infrastructure_ecs_cluster_service = optional(string, null)<br/> cloudfront_infrastructure_ecs_cluster_service_path = optional(string, null)<br/> custom_bucket_policy_statements = optional(string, null)<br/> }))</pre> | n/a | yes |
| <a name="input_custom_s3_buckets"></a> [custom\_s3\_buckets](#input\_custom\_s3\_buckets) | Map of S3 buckets to create, and conditionally serve via CloudFront. The S3 configuration will follow AWS best practices (eg. Private, ACLS disabled, SSE, Versioning, Logging). The bucket must be emptied before attempting deletion/destruction."<br/> {<br/> bucket-name = {<br/> create\_dedicated\_kms\_key: Conditionally create a KMS key specifically for this bucket's server side encryption (rather than using the Infrastructure's KMS key). It's recommended to use this if the S3 bucket will be accessed from external AWS accounts.<br/> custom\_kms\_key\_policy\_statements: Conditionally add a string of comma delimited user-defined bucket policy statements (eg. '{"Effect": ...},{"Effect": ...}')<br/> use\_aes256\_encryption: Conditionally enforce using AES256 encryption, rather than the infrastructure KMS key. Also overrides `create_dedicated_kms_key`<br/> transition\_to\_ia\_days: Conditionally transition objects to 'Standard Infrequent Access' storage in N days<br/> transition\_to\_glacier\_days: Conditionally transition objects to 'Glacier' storage in N days<br/> cloudfront\_dedicated\_distribution: Conditionally create a CloudFront distribution to serve objects from the S3 bucket.<br/> cloudfront\_s3\_root: Sets the S3 document root when being served from CloudFront. By default this will be '/'. 
If `cloudfront_infrastructure_ecs_cluster_service_path` has been set, this helps by modifying the request from `/sub-directory-path` to `/` by use of a CloudFront function.<br/> cloudfront\_infrastructure\_ecs\_cluster\_service: Conditionally create an Origin on a CloudFront distribution that is serving the given Infrastructure ECS Cluster Service name<br/> cloudfront\_infrastructure\_ecs\_cluster\_service\_path: If `cloudfront_infrastructure_ecs_cluster_service`, set this to the path that objects will be served from.<br/> custom\_bucket\_policy\_statements: Conditionally add a string of comma delimited user-defined key policy statements (eg. '{"Effect": ...},{"Effect": ...}'<br/> }<br/> } | <pre>map(object({<br/> create_dedicated_kms_key = optional(bool, null)<br/> custom_kms_key_policy_statements = optional(string, null)<br/> use_aes256_encryption = optional(bool, null)<br/> transition_to_ia_days = optional(number, null)<br/> transition_to_glacier_days = optional(number, null)<br/> cloudfront_dedicated_distribution = optional(bool, null)<br/> cloudfront_s3_root = optional(string, null)<br/> cloudfront_infrastructure_ecs_cluster_service = optional(string, null)<br/> cloudfront_infrastructure_ecs_cluster_service_path = optional(string, null)<br/> custom_bucket_policy_statements = optional(string, null)<br/> }))</pre> | n/a | yes |
| <a name="input_ecs_cluster_efs_directories"></a> [ecs\_cluster\_efs\_directories](#input\_ecs\_cluster\_efs\_directories) | ECS cluster EFS directories to create | `list(string)` | n/a | yes |
| <a name="input_ecs_cluster_efs_infrequent_access_transition"></a> [ecs\_cluster\_efs\_infrequent\_access\_transition](#input\_ecs\_cluster\_efs\_infrequent\_access\_transition) | ECS cluser EFS IA transiton in days. Set to 0 to disable IA transition. | `number` | n/a | yes |
| <a name="input_ecs_cluster_efs_performance_mode"></a> [ecs\_cluster\_efs\_performance\_mode](#input\_ecs\_cluster\_efs\_performance\_mode) | ECS cluser EFS performance mode | `string` | n/a | yes |
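Review bot: the regenerated `custom_s3_buckets` row carries two descriptions that read as swapped: `custom_kms_key_policy_statements` is described as "user-defined bucket policy statements" while `custom_bucket_policy_statements` is described as "user-defined key policy statements". Since this hunk already re-renders the whole row, swap the two phrases so an operator choosing between the inputs lands on the right one. The new `use_aes256_encryption` text says it "overrides `create_dedicated_kms_key`"; adding that any KMS key policy statements then have no bearing on the bucket's objects (an SSE-S3 bucket has no key policy, access is governed by the bucket policy alone) would stop readers expecting a key policy to gate access to such a bucket.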
4 changes: 2 additions & 2 deletions s3-custom-buckets.tf
@@ -79,7 +79,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "custom" {
bucket = aws_s3_bucket.custom[each.key].id

dynamic "rule" {
for_each = local.infrastructure_kms_encryption || each.value["create_dedicated_kms_key"] == true ? [1] : []
for_each = (local.infrastructure_kms_encryption || each.value["create_dedicated_kms_key"] == true) && each.value["use_aes256_encryption"] != true ? [1] : []

content {
apply_server_side_encryption_by_default {
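Review bot: the same compound condition is now duplicated in both `dynamic "rule"` blocks of this resource (this one selecting `[1]`, the second one selecting `[]`), which invites drift the next time one of them is edited; factoring it into a single named local (for example a hypothetical `local.custom_bucket_uses_kms[each.key]`) and using `? [1] : []` / `? [] : [1]` on that would keep the two rules provably complementary and make the intent, KMS unless the bucket opts into AES256, readable at a glance. The `!= true` comparison is the right choice given the variable defaults to `null`, since `null != true` evaluates to `true` and unset buckets keep the KMS path. Separately, this diff only changes which SSE rule is emitted, while the commit message says the flag "overrides `create_dedicated_kms_key`"; no change to the dedicated KMS key resource is shown, so please confirm that resource is also gated on `use_aes256_encryption != true`, otherwise a key is still created and billed while no object in the bucket is encrypted under it.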
@@ -90,7 +90,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "custom" {
}

dynamic "rule" {
for_each = local.infrastructure_kms_encryption || each.value["create_dedicated_kms_key"] == true ? [] : [1]
for_each = (local.infrastructure_kms_encryption || each.value["create_dedicated_kms_key"] == true) && each.value["use_aes256_encryption"] != true ? [] : [1]

content {
apply_server_side_encryption_by_default {
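Review bot: this rule now covers two distinct situations, infrastructure-wide KMS encryption being off and a bucket explicitly opting into AES256 while KMS is on, but the `? [] : [1]` form reads as a plain else branch; a one-line comment above the `for_each` naming both cases would help the next reader. From a defender's standpoint it is also worth noting in the variable description that buckets landing here have no key policy layer at all, so cross-account and service access to them rests solely on the bucket policy and bucket settings, which is precisely the situation the `create_dedicated_kms_key` recommendation in the README was meant to guard for externally accessed buckets.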
2 changes: 2 additions & 0 deletions variables.tf
@@ -869,6 +869,7 @@ variable "custom_s3_buckets" {
bucket-name = {
create_dedicated_kms_key: Conditionally create a KMS key specifically for this bucket's server side encryption (rather than using the Infrastructure's KMS key). It's recommended to use this if the S3 bucket will be accessed from external AWS accounts.
custom_kms_key_policy_statements: Conditionally add a string of comma delimited user-defined bucket policy statements (eg. '{"Effect": ...},{"Effect": ...}')
use_aes256_encryption: Conditionally enforce using AES256 encryption, rather than the infrastructure KMS key. Also overrides `create_dedicated_kms_key`
transition_to_ia_days: Conditionally transition objects to 'Standard Infrequent Access' storage in N days
transition_to_glacier_days: Conditionally transition objects to 'Glacier' storage in N days
cloudfront_dedicated_distribution: Conditionally create a CloudFront distribution to serve objects from the S3 bucket.
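Review bot: the new description should state what happens to `custom_kms_key_policy_statements` when `use_aes256_encryption = true`; as written an operator can set both and the statements will never govern the bucket's objects, without any warning. Suggest extending the last clause to "Also overrides `create_dedicated_kms_key` and `custom_kms_key_policy_statements`", and, since the variable defaults to `null` and the conditions test `!= true`, rewording "Conditionally enforce" to "Set to true to enforce" so the tri-state is not read as carrying a meaningful third value.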
@@ -882,6 +883,7 @@ variable "custom_s3_buckets" {
type = map(object({
create_dedicated_kms_key = optional(bool, null)
custom_kms_key_policy_statements = optional(string, null)
use_aes256_encryption = optional(bool, null)
transition_to_ia_days = optional(number, null)
transition_to_glacier_days = optional(number, null)
cloudfront_dedicated_distribution = optional(bool, null)
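Review bot: `optional(bool, null)` is consistent with the neighbouring flags, but the conflicting combination of `use_aes256_encryption = true` with `custom_kms_key_policy_statements` set is accepted silently; a `validation` block on this variable would surface it at plan time, e.g. `condition = alltrue([for b in var.custom_s3_buckets : !(b.use_aes256_encryption == true && b.custom_kms_key_policy_statements != null)])` with an `error_message` explaining that KMS key policy statements have no effect on an AES256 (SSE-S3) bucket. The same check could cover `create_dedicated_kms_key = true` alongside `use_aes256_encryption = true` if the intent is to reject rather than silently override that pairing.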

0 comments on commit 99fb531