diff --git a/dev/s3/terragrunt.hcl b/dev/s3/terragrunt.hcl
index 5be35f2..aafcbb7 100644
--- a/dev/s3/terragrunt.hcl
+++ b/dev/s3/terragrunt.hcl
@@ -15,6 +15,9 @@ inputs = {
   enable_versioning = false # Disable versioning for dev
   enable_lifecycle_rules = false # Disable lifecycle rules for dev
 
+  # KMS encryption
+  kms_key_arn = "arn:aws:kms:us-east-1:123456789012:key/87654321-4321-4321-4321-210987654321"
+
   # CORS configuration
   allowed_origins = ["http://localhost:3000", "https://dev.example.com"]
 }
diff --git a/modules/s3/main.tf b/modules/s3/main.tf
index ae14860..0108266 100644
--- a/modules/s3/main.tf
+++ b/modules/s3/main.tf
@@ -21,7 +21,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "static_content" {
 
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
+      sse_algorithm = "aws:kms"
+      kms_master_key_id = var.kms_key_arn
     }
   }
 }
@@ -71,7 +72,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "user_content" {
 
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
+      sse_algorithm = "aws:kms"
+      kms_master_key_id = var.kms_key_arn
     }
   }
 }
diff --git a/modules/s3/variables.tf b/modules/s3/variables.tf
index 83f1d3b..fae2e5f 100644
--- a/modules/s3/variables.tf
+++ b/modules/s3/variables.tf
@@ -25,3 +25,8 @@ variable "allowed_origins" {
   type = list(string)
   default = ["*"]
 }
+
+variable "kms_key_arn" {
+  description = "ARN of the KMS key for S3 encryption"
+  type = string
+}
diff --git a/prod/s3/terragrunt.hcl b/prod/s3/terragrunt.hcl
index dc661a4..e8c8547 100644
--- a/prod/s3/terragrunt.hcl
+++ b/prod/s3/terragrunt.hcl
@@ -15,6 +15,9 @@ inputs = {
   enable_versioning = true # Enable versioning for production
   enable_lifecycle_rules = true # Enable lifecycle rules for production
 
+  # KMS encryption
+  kms_key_arn = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
+
   # CORS configuration
   allowed_origins = ["https://example.com", "https://www.example.com"]
 }
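Review bot: The KMS key ARN added to the dev inputs (and likewise in prod/s3/terragrunt.hcl) is a region-pinned literal, while nothing in this diff ties the bucket's region to the key's region; S3 rejects SSE-KMS writes when the key is not in the bucket's region (or a multi-region key replicated there), and that only surfaces as failed PutObject calls after apply. Consider feeding `kms_key_arn` from the KMS module's output via a Terragrunt `dependency` block instead of a pasted string so the two cannot drift, and so a key rotation or replacement is a single change. The account id 123456789012 and the sequential key ids read like placeholders — confirm they are replaced with the real key ARNs before this is applied. Independently of the ARN, the key policy has to grant the roles that read and write these buckets `kms:GenerateDataKey` and `kms:Decrypt`, or every object operation fails once the default switches to aws:kms.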
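Review bot: Changing the default to aws:kms does not require it: a client can still send `x-amz-server-side-encryption: AES256` or name a different key, and S3 honours that per object, so this hunk (and the identical user_content hunk at -71) only covers uploads that omit encryption headers. If the intent is that everything in these buckets is wrapped by var.kms_key_arn, add a bucket policy statement that denies s3:PutObject when the `s3:x-amz-server-side-encryption-aws-kms-key-id` condition key is not that ARN. Also consider `bucket_key_enabled = true` inside the `rule` block, which cuts the per-object KMS request volume that aws:kms introduces. Objects encrypted with SSE-KMS cannot be read anonymously or through the S3 website endpoint, so if static_content is served to browsers directly or through a CDN (the CORS inputs suggest browser reads), that reading principal needs kms:Decrypt on the key or reads will fail. Both resource blocks begin before the hunk.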
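Review bot: The new `kms_key_arn` variable accepts any string, yet `kms_master_key_id` silently accepts a bare key id or alias as well, and for a key in another account only the full ARN works; a malformed or empty value is not caught until apply. A `validation` block that checks the value has the shape of a KMS key ARN turns that into a plan-time error, and the description should say the value must be a key ARN (not an alias) and that the key's policy must permit the S3 principals that use these buckets. Suggested description: `"Full ARN of the symmetric KMS key used for SSE-KMS on all buckets in this module; the key policy must allow kms:GenerateDataKey and kms:Decrypt for the principals that write and read the buckets"`.

```hcl
variable "kms_key_arn" {
  # … unchanged: description and type …

  validation {
    condition     = can(regex("^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/", var.kms_key_arn))
    error_message = "kms_key_arn must be a full KMS key ARN (arn:<partition>:kms:<region>:<account>:key/<id>)."
  }
}
```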