feat(object): add support encryption sse-c (#2845)

* feat(object): support sse-c encryption

* feat(object): encryption create is working issue with read

* fix(object): copyObject with encryption

* update cassette

* fix golangci-lint

* remove unused data

* feat(object): update documentation

* add ValidateFunc

Author: Laure-di

docs/resources/object.md

@@ -51,6 +51,8 @@ The following arguments are supported:
 
 * `tags` - (Optional) Map of tags.
 
+* `sse_customer_key` - (Optional) Customer's encryption keys to encrypt data (SSE-C)
+
 * `project_id` - (Defaults to [provider](../index.md#arguments-reference) `project_id`) The ID of the project the bucket is associated with.
 
 ~> **Important:** The `project_id` attribute has a particular behavior with s3 products because the s3 API is scoped by project.

internal/services/instance/testdata/snapshot-from-object.cassette.yaml

@@ -3,11 +3,13 @@ package object
 import (
 	"bytes"
 	"context"
+	"crypto/md5" //nolint:gosec
 	"encoding/base64"
 	"fmt"
 	"os"
 	"strings"
 
+	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	s3Types "github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/hashicorp/go-cty/cty"
@@ -105,6 +107,13 @@ func ResourceObject() *schema.Resource {
 					string(s3Types.ObjectCannedACLPublicRead),
 				}, false),
 			},
+			"sse_customer_key": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Sensitive:    true,
+				Description:  "Customer's encryption keys to encrypt data (SSE-C)",
+				ValidateFunc: validation.StringLenBetween(32, 32),
+			},
 			"region":     regional.Schema(),
 			"project_id": account.ProjectIDSchema(),
 		},
@@ -148,6 +157,16 @@ func resourceObjectCreate(ctx context.Context, d *schema.ResourceData, m interfa
 		req.ACL = s3Types.ObjectCannedACL(*visibilityStr)
 	}
 
+	if encryptionKeyStr, ok := d.GetOk("sse_customer_key"); ok {
+		digestMD5, encryption, err := EncryptCustomerKey(encryptionKeyStr.(string))
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		req.SSECustomerAlgorithm = scw.StringPtr("AES256")
+		req.SSECustomerKeyMD5 = &digestMD5
+		req.SSECustomerKey = encryption
+	}
+
 	if filePath, hasFile := d.GetOk("file"); hasFile {
 		file, err := os.Open(filePath.(string))
 		if err != nil {
@@ -192,6 +211,19 @@ func resourceObjectCreate(ctx context.Context, d *schema.ResourceData, m interfa
 	return resourceObjectRead(ctx, d, m)
 }
 
+func EncryptCustomerKey(encryptionKeyStr string) (string, *string, error) {
+	encryptionKey := []byte(encryptionKeyStr)
+	h := md5.New() //nolint:gosec
+	_, err := h.Write(encryptionKey)
+	if err != nil {
+		return "", nil, err
+	}
+	digest := h.Sum(nil)
+	digestMD5 := base64.StdEncoding.EncodeToString(digest)
+	encryption := aws.String(base64.StdEncoding.EncodeToString(encryptionKey))
+	return digestMD5, encryption, nil
+}
+
 func resourceObjectUpdate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	s3Client, region, key, bucket, err := s3ClientWithRegionAndNestedName(ctx, d, m, d.Id())
 	if err != nil {
@@ -212,7 +244,15 @@ func resourceObjectUpdate(ctx context.Context, d *schema.ResourceData, m interfa
 			Metadata:     types.ExpandMapStringString(d.Get("metadata")),
 			ACL:          s3Types.ObjectCannedACL(d.Get("visibility").(string)),
 		}
-
+		if encryptionKey, ok := d.GetOk("sse_customer_key"); ok {
+			digestMD5, encryption, err := EncryptCustomerKey(encryptionKey.(string))
+			if err != nil {
+				return diag.FromErr(err)
+			}
+			req.SSECustomerAlgorithm = scw.StringPtr("AES256")
+			req.SSECustomerKeyMD5 = &digestMD5
+			req.SSECustomerKey = encryption
+		}
 		if filePath, hasFile := d.GetOk("file"); hasFile {
 			file, err := os.Open(filePath.(string))
 			if err != nil {
@@ -224,14 +264,24 @@ func resourceObjectUpdate(ctx context.Context, d *schema.ResourceData, m interfa
 		}
 		_, err = s3Client.PutObject(ctx, req)
 	} else {
-		_, err = s3Client.CopyObject(ctx, &s3.CopyObjectInput{
+		req := &s3.CopyObjectInput{
 			Bucket:       types.ExpandStringPtr(bucketUpdated),
 			Key:          types.ExpandStringPtr(keyUpdated),
 			StorageClass: s3Types.StorageClass(d.Get("storage_class").(string)),
 			CopySource:   scw.StringPtr(fmt.Sprintf("%s/%s", bucket, key)),
 			Metadata:     types.ExpandMapStringString(d.Get("metadata")),
 			ACL:          s3Types.ObjectCannedACL(d.Get("visibility").(string)),
-		})
+		}
+		if encryptionKey, ok := d.GetOk("sse_customer_key"); ok {
+			digestMD5, encryption, err := EncryptCustomerKey(encryptionKey.(string))
+			if err != nil {
+				return diag.FromErr(err)
+			}
+			req.CopySourceSSECustomerAlgorithm = scw.StringPtr("AES256")
+			req.CopySourceSSECustomerKeyMD5 = &digestMD5
+			req.CopySourceSSECustomerKey = encryption
+		}
+		_, err = s3Client.CopyObject(ctx, req)
 	}
 	if err != nil {
 		return diag.FromErr(err)
@@ -274,10 +324,17 @@ func resourceObjectRead(ctx context.Context, d *schema.ResourceData, m interface
 	ctx, cancel := context.WithTimeout(ctx, d.Timeout(schema.TimeoutRead))
 	defer cancel()
 
-	obj, err := s3Client.HeadObject(ctx, &s3.HeadObjectInput{
+	req := &s3.HeadObjectInput{
 		Bucket: types.ExpandStringPtr(bucket),
 		Key:    types.ExpandStringPtr(key),
-	})
+	}
+
+	if encryption, ok := d.GetOk("sse_customer_key"); ok {
+		req.SSECustomerKey = aws.String(base64.StdEncoding.EncodeToString([]byte(encryption.(string))))
+		req.SSECustomerAlgorithm = scw.StringPtr("AES256")
+	}
+
+	obj, err := s3Client.HeadObject(ctx, req)
 	if err != nil {
 		return diag.FromErr(err)
 	}

internal/services/object/object.go

@@ -21,8 +21,10 @@ import (
 
 // // Service information constants
 const (
-	ServiceName = "scw"       // Name of service.
-	EndpointsID = ServiceName // ID to look up a service endpoint with.
+	ServiceName     = "scw"       // Name of service.
+	EndpointsID     = ServiceName // ID to look up a service endpoint with.
+	encryptionStr   = "1234567890abcdef1234567890abcdef"
+	contentToEncypt = "Hello World"
 )
 
 func TestAccObject_Basic(t *testing.T) {
@@ -734,6 +736,66 @@ func TestAccObject_WithBucketName(t *testing.T) {
 	})
 }
 
+func TestAccObject_Encryption(t *testing.T) {
+	tt := acctest.NewTestTools(t)
+	defer tt.Cleanup()
+	bucketName := sdkacctest.RandomWithPrefix("test-acc-scaleway-object-encryption")
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:          func() { acctest.PreCheck(t) },
+		ProviderFactories: tt.ProviderFactories,
+		CheckDestroy: resource.ComposeTestCheckFunc(
+			objectchecks.IsObjectDestroyed(tt),
+			objectchecks.IsBucketDestroyed(tt),
+		),
+		Steps: []resource.TestStep{
+			{
+				Config: fmt.Sprintf(`
+					resource "scaleway_object_bucket" "base-01" {
+						name = "%s"
+						region= "%s"
+						tags = {
+							foo = "bar"
+						}
+					}
+
+					resource scaleway_object "by-content" {
+						bucket = scaleway_object_bucket.base-01.id
+						key = "myfile/foo"
+						content = "Hello World"
+						sse_customer_key = "%s"
+					}
+				`, bucketName, objectTestsMainRegion, encryptionStr),
+				Check: resource.ComposeTestCheckFunc(
+					objectchecks.CheckBucketExists(tt, "scaleway_object_bucket.base-01", true),
+					resource.TestCheckResourceAttr("scaleway_object.by-content", "content", "Hello World"),
+				),
+			},
+			{
+				Config: fmt.Sprintf(`
+					resource "scaleway_object_bucket" "base-01" {
+						name = "%s"
+						region= "%s"
+						tags = {
+							foo = "bar"
+						}
+					}
+
+					resource scaleway_object "by-content" {
+						bucket = scaleway_object_bucket.base-01.id
+						key = "myfile/foo/bar"
+						content = "Hello World"
+						sse_customer_key = "%s"
+					}
+				`, bucketName, objectTestsMainRegion, encryptionStr),
+				Check: resource.ComposeTestCheckFunc(
+					objectchecks.CheckBucketExists(tt, "scaleway_object_bucket.base-01", true),
+					resource.TestCheckResourceAttr("scaleway_object.by-content", "content", "Hello World"),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckObjectExists(tt *acctest.TestTools, n string) resource.TestCheckFunc {
 	return func(state *terraform.State) error {
 		ctx := context.Background()