Skip to content

Default KMS encryption is not applied

Issue

When building a S3 bucket with this module, without specifying a KMS encryption, a malformed ARN key is attached. Then, it is not possible to publish some file on this bucket, through the AWS Console.

To reproduce, deploy the following :

module "s3_bucket_test" {
   source        = "git::https://git.cloud.safran/safrangrp/publiccloud/landingzone/shared-modules/terraform-aws-s3.git?ref=2.1.0"
   security      = var.security
   environment   = var.environment
   company       = var.company
   service_id    = var.service_id
   name          = "test"

Upload > Select any file > Upload ==> Upload failed : KMS.NotFoundException

Details

As suggested by the module source code: kms_master_key_id = var.encryption_type == "kms" ? (var.kms_key_arn != null ? var.kms_key_arn : "aws/s3") : null

An S3 bucket is created, with "aws/s3" as an AWS managed KMS key ARN. However this ARN is malformed. AWS documentation says the ARN format, even when using alias :

Format (using key id): arn:aws:kms:<region>:<account-ID>:key/<key-id>
(using alias): arn:aws:kms:<region>:<account-ID>:alias/<alias-name>