diff --git a/README.md b/README.md index c1f9d27..8a0c1ab 100644 --- a/README.md +++ b/README.md @@ -53,6 +53,22 @@ Type: `bool` Default: `false` +### enable\_key\_rotation + +Description: Enable kms key rotation if required + +Type: `bool` + +Default: `false` + +### force\_destroy + +Description: Force removal of s3 bucket contents on bucket destruction. + +Type: `bool` + +Default: `false` + ### prevent\_unencrypted\_uploads Description: Attach a bucket policy that requires all uploaded files to be explicitly encrypted. Must set the encrypted flag on the backend config. diff --git a/kms.tf b/kms.tf index 38f923a..9404a61 100644 --- a/kms.tf +++ b/kms.tf @@ -1,8 +1,9 @@ resource "aws_kms_key" "backend" { - count = var.enable_customer_kms_key ? 1 : 0 - description = "Customer key used to encrypt the backend S3 bucket" - policy = data.aws_iam_policy_document.kms[0].json - tags = var.tags + count = var.enable_customer_kms_key ? 1 : 0 + description = "Customer key used to encrypt the backend S3 bucket" + enable_key_rotation = var.enable_key_rotation + policy = data.aws_iam_policy_document.kms[0].json + tags = var.tags } resource "aws_kms_alias" "backend" { diff --git a/s3.tf b/s3.tf index 7bed220..0d343ed 100644 --- a/s3.tf +++ b/s3.tf @@ -31,7 +31,8 @@ resource "aws_s3_bucket" "backend" { } } - tags = var.tags + force_destroy = var.force_destroy + tags = var.tags } resource "aws_s3_bucket_public_access_block" "backend" { diff --git a/variables.tf b/variables.tf index 73ff5f0..d9f7ca4 100644 --- a/variables.tf +++ b/variables.tf @@ -26,6 +26,18 @@ variable "enable_customer_kms_key" { default = false } +variable "enable_key_rotation" { + type = bool + description = "Enable kms key rotation if required" + default = false +} + +variable "force_destroy" { + type = boolean + descrption = "Force removal of non-empty backend s3 buckets" + default = false +} + variable "tags" { type = map(string) description = "Tags applied to all resources"
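Review bot: Rotation on the new `enable_key_rotation = var.enable_key_rotation` line is opt-in, because `var.enable_key_rotation` defaults to `false` in this commit's variables.tf, so the customer-managed key protecting the backend bucket never rotates unless a caller remembers to turn it on. Automatic rotation of customer-managed KMS keys is a standard hardening baseline (CIS-style AWS benchmarks flag unrotated CMKs) and has no operational cost for S3 encryption, so the safer shape is `default = true` on the variable with `false` as the explicit opt-out. The attribute is also inert whenever `enable_customer_kms_key` is `false`, since the key then has `count = 0`; the variable description should say that rotation only applies to the customer key created by this module. The `aws_kms_alias` resource on the last context line continues outside the hunk.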
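Review bot: `force_destroy = var.force_destroy` on the state-backend bucket is a destructive toggle with nothing at the point of use saying what it costs: when set, `terraform destroy` empties the bucket first, and the AWS provider removes noncurrent object versions and delete markers as well, so any versioning configured on this bucket (not visible in the hunk) no longer preserves state history. The default of `false` is correct, but a reader of s3.tf cannot tell why the option exists or that it is irreversible; add a comment above the line such as `# Deletes every object, including all versions of the state file, on destroy; keep false outside throwaway environments.` Note that `lifecycle { prevent_destroy }` cannot be driven from a variable, so documentation and the default are the only guard rails available here. The `aws_s3_bucket.backend` resource begins outside this hunk and the `aws_s3_bucket_public_access_block` resource continues past it.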
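Review bot: The new `force_destroy` variable block does not validate: `boolean` is not a Terraform type constraint (the sibling `enable_key_rotation` block correctly uses `bool`), and `descrption` is a misspelled argument that `terraform validate` rejects as unsupported, so this commit breaks every plan that loads the module. The two lines should read `type        = bool` and `description = "Force removal of non-empty backend s3 buckets"`. The README added in this commit describes the same variable as "Force removal of s3 bucket contents on bucket destruction", and if that file is generated from these descriptions (it appears to be) the two should match and both should state the security consequence, namely that all object versions of the state file are deleted. `enable_key_rotation`'s description "Enable kms key rotation if required" should likewise say what the `false` default means: the customer-managed key created by this module never rotates.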